Marcus Updateinfo to OVAL Converter 5.5 2019-09-27T08:38:51 SUSE Linux Enterprise Server 11 SP3 Directory traversal vulnerability in GNU tar 1.13.19 and earlier allows local users to overwrite arbitrary files during archive extraction via a tar file whose filenames contain a .. (dot dot). Moderate CVE-2001-1267 SUSE bug 299738 SUSE bug 299745 SUSE bug 299747 SUSE Linux Enterprise Server 11 SP3 Directory traversal vulnerability in GNU tar 1.13.19 through 1.13.25, and possibly later versions, allows attackers to overwrite arbitrary files during archive extraction via a (1) "/.." or (2) "./.." string, which removes the leading slash but leaves the "..", a variant of CVE-2001-1267. Moderate CVE-2002-0399 SUSE bug 145081 SUSE bug 299738 SUSE bug 299745 SUSE bug 299747 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA schpw.c in the kpasswd service in kadmind in MIT Kerberos 5 (aka krb5) before 1.11.3 does not properly validate UDP packets before sending responses, which allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged packet that triggers a communication loop, as demonstrated by krb_pingpong.nasl, a related issue to CVE-1999-0103. Important CVE-2002-2443 SUSE bug 825985 SUSE bug 871411 SUSE bug 887734 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Apache HTTP Server 1.3.22 through 1.3.27 on OpenBSD allows remote attackers to obtain sensitive information via (1) the ETag header, which reveals the inode number, or (2) multipart MIME boundary, which reveals child process IDs (PID). Moderate CVE-2003-1418 SUSE bug 713970 SUSE bug 907477 SUSE bug 917402 SUSE bug 970126 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP. Moderate CVE-2004-0230 SUSE bug 1119974 SUSE bug 969340 SUSE bug 989152 SUSE Linux Enterprise Server 11 SP3 Unknown vulnerability in foomatic-rip in Foomatic before 3.0.2 allows local users or remote attackers with access to CUPS to execute arbitrary commands. Important CVE-2004-0801 SUSE bug 59233 SUSE bug 698451 SUSE bug 704608 SUSE bug 852368 SUSE bug 957531 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The expand function in fio.c in Heirloom mailx 12.5 and earlier and BSD mailx 8.1.2 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in an email address. Moderate CVE-2004-2771 SUSE bug 909208 SUSE Linux Enterprise Server 11 SP3 Buffer overflow in the gopherToHTML function in the Gopher reply parser for Squid 2.5.STABLE7 and earlier allows remote malicious Gopher servers to cause a denial of service (crash) via crafted responses. Moderate CVE-2005-0094 SUSE bug 65023 SUSE Linux Enterprise Server 11 SP3 Buffer overflow in Convert-UUlib (Convert::UUlib) before 1.051 allows remote attackers to execute arbitrary code via a malformed parameter to a read operation. Important CVE-2005-1349 SUSE bug 81068 SUSE Linux Enterprise Server 11 SP3 Race condition in Unzip 5.52 allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by Unzip after the decompression is complete. Moderate CVE-2005-2475 SUSE bug 274156 SUSE Linux Enterprise Server 11 SP3 scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice. Moderate CVE-2006-0225 SUSE bug 143435 SUSE bug 206456 SUSE Linux Enterprise Server 11 SP3 Format string vulnerability in LocalSyslogAppender in Apache log4net 1.2.9 might allow remote attackers to cause a denial of service (memory corruption and termination) via unknown vectors. Moderate CVE-2006-0743 SUSE bug 148685 SUSE Linux Enterprise Server 11 SP3 Stack-based buffer overflow in the fullpath function in misc.c for zoo 2.10 and earlier, as used in products such as Barracuda Spam Firewall, allows user-assisted attackers to execute arbitrary code via a crafted ZOO file that causes the combine function to return a longer string than expected. Moderate CVE-2006-0855 SUSE bug 153057 SUSE Linux Enterprise Server 11 SP3 MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms via SQL queries that contain the NULL character, which are not properly handled by the mysql_real_query function. NOTE: this issue was originally reported for the mysql_query function, but the vendor states that since mysql_query expects a null character, this is not an issue for mysql_query. Moderate CVE-2006-0903 SUSE bug 163157 SUSE Linux Enterprise Server 11 SP3 Off-by-one error in the OID printing routine in Ethereal 0.10.x up to 0.10.14 has unknown impact and remote attack vectors. Critical CVE-2006-1932 SUSE bug 167928 SUSE Linux Enterprise Server 11 SP3 ** DISPUTED ** Format string vulnerability in Mailman before 2.1.9 allows attackers to execute arbitrary code via unspecified vectors. NOTE: the vendor has disputed this vulnerability, stating that it is "unexploitable." Important CVE-2006-2191 SUSE bug 191548 SUSE Linux Enterprise Server 11 SP3 RIPd in Quagga 0.98 and 0.99 before 20060503 does not properly implement configurations that (1) disable RIPv1 or (2) require plaintext or MD5 authentication, which allows remote attackers to obtain sensitive information (routing state) via REQUEST packets such as SEND UPDATE. Moderate CVE-2006-2223 SUSE bug 173828 SUSE Linux Enterprise Server 11 SP3 auth.c in LibVNCServer 0.7.1 allows remote attackers to bypass authentication via a request in which the client specifies an insecure security type such as "Type 1 - None", which is accepted even if it is not offered by the server, a different issue than CVE-2006-2369. Important CVE-2006-2450 SUSE bug 184418 SUSE Linux Enterprise Server 11 SP3 do_command.c in Vixie cron (vixie-cron) 4.1 does not check the return code of a setuid call, which might allow local users to gain root privileges if setuid fails in cases such as PAM failures or resource limits, as originally demonstrated by a program that exceeds the process limits as defined in /etc/security/limits.conf. Important CVE-2006-2607 SUSE bug 178863 SUSE bug 537178 SUSE Linux Enterprise Server 11 SP3 OpenSSL 0.9.7 before 0.9.7l and 0.9.8 before 0.9.8d allows remote attackers to cause a denial of service (infinite loop and memory consumption) via malformed ASN.1 structures that trigger an improperly handled error condition. Important CVE-2006-2937 SUSE bug 202366 SUSE bug 207635 SUSE bug 215623 SUSE Linux Enterprise Server 11 SP3 OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allows attackers to cause a denial of service (CPU consumption) via parasitic public keys with large (1) "public exponent" or (2) "public modulus" values in X.509 certificates that require extra time to process when using RSA signature verification. Important CVE-2006-2940 SUSE bug 202366 SUSE bug 207635 SUSE bug 208971 SUSE bug 215623 SUSE bug 223040 SUSE Linux Enterprise Server 11 SP3 Mailman before 2.1.9rc1 allows remote attackers to cause a denial of service via unspecified vectors involving "standards-breaking RFC 2231 formatted headers". Moderate CVE-2006-2941 SUSE bug 191548 SUSE Linux Enterprise Server 11 SP3 The smdb daemon (smbd/service.c) in Samba 3.0.1 through 3.0.22 allows remote attackers to cause a denial of service (memory consumption) via a large number of share connection requests. Moderate CVE-2006-3403 SUSE bug 190468 SUSE Linux Enterprise Server 11 SP3 Multiple cross-site scripting (XSS) vulnerabilities in Mailman before 2.1.9rc1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. Moderate CVE-2006-3636 SUSE bug 191548 SUSE bug 359182 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in Ruby before 1.8.5 allow remote attackers to bypass "safe level" checks via unspecified vectors involving (1) the alias function and (2) "directory operations". Moderate CVE-2006-3694 SUSE bug 193661 SUSE Linux Enterprise Server 11 SP3 Buffer overflow in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions has unspecified impact and remote attack vectors involving a long list of ciphers. Critical CVE-2006-3738 SUSE bug 202366 SUSE bug 207635 SUSE bug 215623 SUSE Linux Enterprise Server 11 SP3 Integer overflow in parse_comment in GnuPG (gpg) 1.4.4 allows remote attackers to cause a denial of service (segmentation fault) via a crafted message. Moderate CVE-2006-3746 SUSE bug 195569 SUSE Linux Enterprise Server 11 SP3 Off-by-one error in the ldap scheme handling in the Rewrite module (mod_rewrite) in Apache 1.3 from 1.3.28, 2.0.46 and other versions before 2.0.59, and 2.2, when RewriteEngine is enabled, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted URLs that are not properly handled using certain rewrite rules. Important CVE-2006-3747 SUSE bug 194675 SUSE Linux Enterprise Server 11 SP3 Integer overflow in ClamAV 0.88.1 and 0.88.4, and other versions before 0.88.5, allows remote attackers to cause a denial of service (scanning service crash) and execute arbitrary code via a crafted Portable Executable (PE) file that leads to a heap-based buffer overflow when less memory is allocated than expected. Important CVE-2006-4182 SUSE bug 212898 SUSE Linux Enterprise Server 11 SP3 Multiple buffer overflows in libmusicbrainz (aka mb_client or MusicBrainz Client Library) 2.1.2 and earlier, and SVN 8406 and earlier, allow remote attackers to cause a denial of service (crash) or execute arbitrary code via (1) a long Location header by the HTTP server, which triggers an overflow in the MBHttp::Download function in lib/http.cpp; and (2) a long URL in RDF data, as demonstrated by a URL in an rdf:resource field in an RDF XML document, which triggers overflows in many functions in lib/rdfparse.c. Important CVE-2006-4197 SUSE bug 199134 SUSE Linux Enterprise Server 11 SP3 MySQL before 4.1.21, 5.0 before 5.0.25, and 5.1 before 5.1.12, when run on case-sensitive filesystems, allows remote authenticated users to create or access a database when the database name differs only in case from a database for which they have permissions. Moderate CVE-2006-4226 SUSE bug 201711 SUSE Linux Enterprise Server 11 SP3 MySQL before 5.0.25 and 5.1 before 5.1.12 evaluates arguments of suid routines in the security context of the routine's definer instead of the routine's caller, which allows remote authenticated users to gain privileges through a routine that has been made available using GRANT EXECUTE. Moderate CVE-2006-4227 SUSE bug 201711 SUSE Linux Enterprise Server 11 SP3 Buffer overflow in man and mandb (man-db) 2.4.3 and earlier allows local users to execute arbitrary code via crafted arguments to the -H flag. Moderate CVE-2006-4250 SUSE bug 262747 SUSE Linux Enterprise Server 11 SP3 OpenSSL before 0.9.7, 0.9.7 before 0.9.7k, and 0.9.8 before 0.9.8c, when using an RSA key with exponent 3, removes PKCS-1 padding before generating a hash, which allows remote attackers to forge a PKCS #1 v1.5 signature that is signed by that RSA key and prevents OpenSSL from correctly verifying X.509 and other certificates that use PKCS #1. Important CVE-2006-4339 SUSE bug 202366 SUSE bug 203595 SUSE bug 206636 SUSE bug 207635 SUSE bug 215623 SUSE bug 218303 SUSE bug 233584 SUSE bug 564512 SUSE Linux Enterprise Server 11 SP3 The get_server_hello function in the SSLv2 client code in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allows remote servers to cause a denial of service (client crash) via unknown vectors that trigger a null pointer dereference. Moderate CVE-2006-4343 SUSE bug 202366 SUSE bug 207635 SUSE bug 215623 SUSE Linux Enterprise Server 11 SP3 Buffer overflow in the LWZReadByte_ function in ext/gd/libgd/gd_gif_in.c in the GD extension in PHP before 5.1.5 allows remote attackers to have an unknown impact via a GIF file with input_code_size greater than MAX_LWZ_BITS, which triggers an overflow when initializing the table array. Moderate CVE-2006-4484 SUSE bug 200181 SUSE bug 355864 SUSE bug 356187 SUSE bug 357978 SUSE bug 372642 SUSE bug 374257 SUSE bug 386009 SUSE bug 709852 SUSE Linux Enterprise Server 11 SP3 Off-by-one error in the MIME Multipart dissector in Wireshark (formerly Ethereal) 0.10.1 through 0.99.3 allows remote attackers to cause a denial of service (crash) via certain vectors that trigger an assertion error related to unexpected length values. Moderate CVE-2006-4574 SUSE bug 213226 SUSE Linux Enterprise Server 11 SP3 verify.c in GnuTLS before 1.4.4, when using an RSA key with exponent 3, does not properly handle excess data in the digestAlgorithm.parameters field when generating a hash, which allows remote attackers to forge a PKCS #1 v1.5 signature that is signed by that RSA key and prevents GnuTLS from correctly verifying X.509 and other certificates that use PKCS, a variant of CVE-2006-4339. Moderate CVE-2006-4790 SUSE bug 1107874 SUSE bug 206636 SUSE Linux Enterprise Server 11 SP3 epan/dissectors/packet-xot.c in the XOT dissector (dissect_xot_pdu) in Wireshark (formerly Ethereal) 0.9.8 through 0.99.3 allows remote attackers to cause a denial of service (memory consumption and crash) via an encoded XOT packet that produces a zero length value when it is decoded. Moderate CVE-2006-4805 SUSE bug 213226 SUSE Linux Enterprise Server 11 SP3 Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image. Important CVE-2006-4811 SUSE bug 212544 SUSE Linux Enterprise Server 11 SP3 pam_ldap in nss_ldap on Red Hat Enterprise Linux 4, Fedora Core 3 and earlier, and possibly other distributions does not return an error condition when an LDAP directory server responds with a PasswordPolicyResponse control response, which causes the pam_authenticate function to return a success code even if authentication has failed, as originally reported for xscreensaver. Important CVE-2006-5170 SUSE bug 210158 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in ClamAV before 0.88.5 allows remote attackers to cause a denial of service (scanning service crash) via a crafted Compressed HTML Help (CHM) file that causes ClamAV to "read an invalid memory location." Moderate CVE-2006-5295 SUSE bug 212898 SUSE Linux Enterprise Server 11 SP3 Multiple buffer overflows in GraphicsMagick before 1.1.7 and ImageMagick 6.0.7 allow user-assisted attackers to cause a denial of service and possibly execute arbitrary code via (1) a DCM image that is not properly handled by the ReadDCMImage function in coders/dcm.c, or (2) a PALM image that is not properly handled by the ReadPALMImage function in coders/palm.c. Moderate CVE-2006-5456 SUSE bug 215685 SUSE Linux Enterprise Server 11 SP3 Avahi before 0.6.15 does not verify the sender identity of netlink messages to ensure that they come from the kernel instead of another process, which allows local users to spoof network changes to Avahi. Moderate CVE-2006-5461 SUSE bug 216219 SUSE Linux Enterprise Server 11 SP3 The cgi.rb CGI library for Ruby 1.8 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an HTTP request with a multipart MIME body that contains an invalid boundary specifier, as demonstrated using a specifier that begins with a "-" instead of "--" and contains an inconsistent ID. Moderate CVE-2006-5467 SUSE bug 214916 SUSE bug 225983 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the HTTP dissector in Wireshark (formerly Ethereal) 0.99.3 allows remote attackers to cause a denial of service (crash) via unspecified vectors. Moderate CVE-2006-5468 SUSE bug 213226 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the WBXML dissector in Wireshark (formerly Ethereal) 0.10.11 through 0.99.3 allows remote attackers to cause a denial of service (crash) via certain vectors that trigger a null dereference. Moderate CVE-2006-5469 SUSE bug 213226 SUSE Linux Enterprise Server 11 SP3 The libarchive library in FreeBSD 6-STABLE after 2006-09-05 and before 2006-11-08 allows context-dependent attackers to cause a denial of service (CPU consumption) via a malformed archive that causes libarchive to skip a region past the actual end of the archive, which triggers an infinite loop that attempts to read more data. Moderate CVE-2006-5680 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the LDAP dissector in Wireshark (formerly Ethereal) 0.99.3 allows remote attackers to cause a denial of service (crash) via a crafted LDAP packet. Moderate CVE-2006-5740 SUSE bug 213226 SUSE bug 374694 SUSE Linux Enterprise Server 11 SP3 Cross-site scripting (XSS) vulnerability in mod_status.c in the mod_status module in Apache HTTP Server (httpd), when ExtendedStatus is enabled and a public server-status page is used, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving charsets with browsers that perform "charset detection" when the content-type is not specified. Moderate CVE-2006-5752 SUSE bug 289996 SUSE bug 308637 SUSE Linux Enterprise Server 11 SP3 The sPLT chunk handling code (png_set_sPLT function in pngset.c) in libpng 1.0.6 through 1.2.12 uses a sizeof operator on the wrong data type, which allows context-dependent attackers to cause a denial of service (crash) via malformed sPLT chunks that trigger an out-of-bounds read. Moderate CVE-2006-5793 SUSE bug 219007 SUSE bug 222859 SUSE Linux Enterprise Server 11 SP3 Stack-based buffer overflow in the ps_gettext function in ps.c for GNU gv 3.6.2, and possibly earlier versions, allows user-assisted attackers to execute arbitrary code via a PostScript (PS) file with certain headers that contain long comments, as demonstrated using the (1) DocumentMedia, (2) DocumentPaperSizes, and possibly (3) PageMedia and (4) PaperSize headers. NOTE: this issue can be exploited through other products that use gv such as evince. Moderate CVE-2006-5864 SUSE bug 219454 SUSE bug 225201 SUSE Linux Enterprise Server 11 SP3 fetchmail before 6.3.6-rc4 does not properly enforce TLS and may transmit cleartext passwords over unsecured links if certain circumstances occur, which allows remote attackers to obtain sensitive information via man-in-the-middle (MITM) attacks. Important CVE-2006-5867 SUSE bug 223507 SUSE Linux Enterprise Server 11 SP3 Clam AntiVirus (ClamAV) 0.88 and earlier allows remote attackers to cause a denial of service (crash) via a malformed base64-encoded MIME attachment that triggers a null pointer dereference. Moderate CVE-2006-5874 SUSE bug 227827 SUSE Linux Enterprise Server 11 SP3 The soup_headers_parse function in soup-headers.c for libsoup HTTP library before 2.2.99 allows remote attackers to cause a denial of service (crash) via malformed HTTP headers, probably involving missing fields or values. Important CVE-2006-5876 SUSE bug 235084 SUSE Linux Enterprise Server 11 SP3 CRLF injection vulnerability in the evalFolderLine function in fvwm 2.5.18 and earlier allows local users to execute arbitrary commands via carriage returns in a directory name, which is not properly handled by fvwm-menu-directory, a variant of CVE-2003-1308. Moderate CVE-2006-5969 SUSE bug 220708 SUSE Linux Enterprise Server 11 SP3 fetchmail 6.3.5 and 6.3.6 before 6.3.6-rc4, when refusing a message delivered via the mda option, allows remote attackers to cause a denial of service (crash) via unknown vectors that trigger a NULL pointer dereference when calling the (1) ferror or (2) fflush functions. Important CVE-2006-5974 SUSE bug 223507 SUSE bug 239002 SUSE Linux Enterprise Server 11 SP3 The (1) Password Manager in Mozilla Firefox 2.0, and 1.5.0.8 and earlier; and the (2) Passcard Manager in Netscape 8.1.2 and possibly other versions, do not properly verify that an ACTION URL in a FORM element containing a password INPUT element matches the web site for which the user stored a password, which allows remote attackers to obtain passwords via a password INPUT element on a different web page located on the web site intended for this password. Moderate CVE-2006-6077 SUSE bug 244923 SUSE bug 550618 SUSE Linux Enterprise Server 11 SP3 GNU tar 1.16 and 1.15.1, and possibly other versions, allows user-assisted attackers to overwrite arbitrary files via a tar file that contains a GNUTYPE_NAMES record with a symbolic link, which is not properly handled by the extract_archive function in extract.c and extract_mangle function in mangle.c, a variant of CVE-2002-1216. Moderate CVE-2006-6097 SUSE bug 223185 SUSE Linux Enterprise Server 11 SP3 Integer overflow in the ProcRenderAddGlyphs function in the Render extension for X.Org 6.8.2, 6.9.0, 7.0, and 7.1, and XFree86 X server, allows local users to execute arbitrary code via a crafted X protocol request that triggers memory corruption during processing of glyph management data structures. Moderate CVE-2006-6101 SUSE bug 225972 SUSE Linux Enterprise Server 11 SP3 Integer overflow in the ProcDbeGetVisualInfo function in the DBE extension for X.Org 6.8.2, 6.9.0, 7.0, and 7.1, and XFree86 X server, allows local users to execute arbitrary code via a crafted X protocol request that triggers memory corruption during processing of unspecified data structures. Critical CVE-2006-6102 SUSE bug 225974 SUSE Linux Enterprise Server 11 SP3 Integer overflow in the ProcDbeSwapBuffers function in the DBE extension for X.Org 6.8.2, 6.9.0, 7.0, and 7.1, and XFree86 X server, allows local users to execute arbitrary code via a crafted X protocol request that triggers memory corruption during processing of unspecified data structures. Moderate CVE-2006-6103 SUSE bug 225975 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the match_rule_equal function in bus/signals.c in D-Bus before 1.0.2 allows local applications to remove match rules for other applications and cause a denial of service (lost process messages). Moderate CVE-2006-6107 SUSE bug 224811 SUSE Linux Enterprise Server 11 SP3 The RPC library in Kerberos 5 1.4 through 1.4.4, and 1.5 through 1.5.1, as used in Kerberos administration daemon (kadmind) and other products that use this library, calls an uninitialized function pointer in freed memory, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vectors. Critical CVE-2006-6143 SUSE bug 225990 SUSE bug 225992 SUSE Linux Enterprise Server 11 SP3 The "mechglue" abstraction interface of the GSS-API library for Kerberos 5 1.5 through 1.5.1, as used in Kerberos administration daemon (kadmind) and other products that use this library, allows remote attackers to cause a denial of service (crash) via unspecified vectors that cause mechglue to free uninitialized pointers. Moderate CVE-2006-6144 SUSE bug 225990 SUSE bug 225992 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in the ask_outfile_name function in openfile.c for GnuPG (gpg) 1.4 and 2.0, when running interactively, might allow attackers to execute arbitrary code via messages with "C-escape" expansions, which cause the make_printable_string function to return a longer string than expected while constructing a prompt. Moderate CVE-2006-6169 SUSE bug 224108 SUSE Linux Enterprise Server 11 SP3 The read_multipart function in cgi.rb in Ruby before 1.8.5-p2 does not properly detect boundaries in MIME multipart content, which allows remote attackers to cause a denial of service (infinite loop) via crafted HTTP requests, a different issue than CVE-2006-5467. Moderate CVE-2006-6303 SUSE bug 225983 SUSE Linux Enterprise Server 11 SP3 The ftp_syst function in ftp-basic.c in Free Software Foundation (FSF) GNU wget 1.10.2 allows remote attackers to cause a denial of service (application crash) via a malicious FTP server with a large number of blank 220 responses to the SYST command. Moderate CVE-2006-6719 SUSE bug 231063 SUSE Linux Enterprise Server 11 SP3 Format string vulnerability in the inputAnswer function in file.c in w3m before 0.5.2, when run with the dump or backend option, allows remote attackers to execute arbitrary code via format string specifiers in the Common Name (CN) field of an SSL certificate associated with an https URL. Critical CVE-2006-6772 SUSE bug 230775 SUSE Linux Enterprise Server 11 SP3 The consume_labels function in avahi-core/dns.c in Avahi before 0.6.16 allows remote attackers to cause a denial of service (infinite loop) via a crafted compressed DNS response with a label that points to itself. Moderate CVE-2006-6870 SUSE bug 232050 SUSE Linux Enterprise Server 11 SP3 PHP before 5.3.4 accepts the \0 character in a pathname, which might allow context-dependent attackers to bypass intended access restrictions by placing a safe file extension after this character, as demonstrated by .php\0.jpg at the end of the argument to the file_exists function. Moderate CVE-2006-7243 SUSE bug 1067090 SUSE bug 654853 SUSE bug 893855 SUSE bug 924970 SUSE Linux Enterprise Server 11 SP3 The mime_hdr_cmp function in crypto/asn1/asn_mime.c in OpenSSL 0.9.8t and earlier allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted S/MIME message. Moderate CVE-2006-7250 SUSE bug 748738 SUSE bug 883307 SUSE Linux Enterprise Server 11 SP3 Integer underflow in the SSLv2 support in Mozilla Network Security Services (NSS) before 3.11.5, as used by Firefox before 1.5.0.10 and 2.x before 2.0.0.2, SeaMonkey before 1.0.8, Thunderbird before 1.5.0.10, and certain Sun Java System server products before 20070611, allows remote attackers to execute arbitrary code via a crafted SSLv2 server message containing a public key that is too short to encrypt the "Master Secret", which results in a heap-based overflow. Moderate CVE-2007-0008 SUSE bug 244923 SUSE Linux Enterprise Server 11 SP3 Stack-based buffer overflow in the SSLv2 support in Mozilla Network Security Services (NSS) before 3.11.5, as used by Firefox before 1.5.0.10 and 2.x before 2.0.0.2, Thunderbird before 1.5.0.10, SeaMonkey before 1.0.8, and certain Sun Java System server products before 20070611, allows remote attackers to execute arbitrary code via invalid "Client Master Key" length values. Moderate CVE-2007-0009 SUSE bug 244923 SUSE Linux Enterprise Server 11 SP3 The GdkPixbufLoader function in GIMP ToolKit (GTK+) in GTK 2 (gtk2) before 2.4.13 allows context-dependent attackers to cause a denial of service (crash) via a malformed image file. Moderate CVE-2007-0010 SUSE bug 226710 SUSE bug 233116 SUSE Linux Enterprise Server 11 SP3 BattleBlog stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for database/blankmaster.mdb. Moderate CVE-2007-0078 SUSE bug 244923 SUSE Linux Enterprise Server 11 SP3 rblog stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for (1) data/admin.mdb or (2) data/rblog.mdb. Important CVE-2007-0079 SUSE bug 244923 SUSE Linux Enterprise Server 11 SP3 The Adobe PDF specification 1.3, as implemented by (a) xpdf 3.0.1 patch 2, (b) kpdf in KDE before 3.5.5, (c) poppler before 0.5.4, and other products, allows remote attackers to have an unknown impact, possibly including denial of service (infinite loop), arbitrary code execution, or memory corruption, via a PDF file with a (1) crafted catalog dictionary or (2) a crafted Pages attribute that references an invalid page tree node. Moderate CVE-2007-0104 SUSE bug 233113 SUSE bug 234492 SUSE Linux Enterprise Server 11 SP3 Array index error in the uri_lookup function in the URI parser for neon 0.26.0 to 0.26.2, possibly only on 64-bit platforms, allows remote malicious servers to cause a denial of service (crash) via a URI with non-ASCII characters, which triggers a buffer under-read due to a type conversion error that generates a negative index. Important CVE-2007-0157 SUSE bug 235083 SUSE Linux Enterprise Server 11 SP3 Stack-based buffer overflow in the glibtop_get_proc_map_s function in libgtop before 2.14.6 (libgtop2) allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a process with a long filename that is mapped in its address space, which triggers the overflow in gnome-system-monitor. Moderate CVE-2007-0235 SUSE bug 235086 SUSE Linux Enterprise Server 11 SP3 The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters. Moderate CVE-2007-0242 SUSE bug 259187 SUSE Linux Enterprise Server 11 SP3 Apache SpamAssassin before 3.1.8 allows remote attackers to cause a denial of service via long URLs in malformed HTML, which triggers "massive memory usage." Moderate CVE-2007-0451 SUSE bug 246254 SUSE Linux Enterprise Server 11 SP3 smbd in Samba 3.0.6 through 3.0.23d allows remote authenticated users to cause a denial of service (memory and CPU exhaustion) by renaming a file in a way that prevents a request from being removed from the deferred open queue, which triggers an infinite loop. Moderate CVE-2007-0452 SUSE bug 240265 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the LLT dissector in Wireshark (formerly Ethereal) 0.99.3 and 0.99.4 allows remote attackers to cause a denial of service (application crash) via unspecified vectors. Moderate CVE-2007-0456 SUSE bug 237246 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the IEEE 802.11 dissector in Wireshark (formerly Ethereal) 0.10.14 through 0.99.4 allows remote attackers to cause a denial of service (application crash) via unspecified vectors. Moderate CVE-2007-0457 SUSE bug 237246 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the HTTP dissector in Wireshark (formerly Ethereal) 0.99.3 and 0.99.4 allows remote attackers to cause a denial of service (application crash) via unspecified vectors, a different issue than CVE-2006-5468. Moderate CVE-2007-0458 SUSE bug 237246 SUSE Linux Enterprise Server 11 SP3 packet-tcp.c in the TCP dissector in Wireshark (formerly Ethereal) 0.99.2 through 0.99.4 allows remote attackers to cause a denial of service (application crash or hang) via fragmented HTTP packets. Moderate CVE-2007-0459 SUSE bug 237246 SUSE Linux Enterprise Server 11 SP3 Stack-based buffer overflow in the map_uri_to_worker function (native/common/jk_uri_worker_map.c) in mod_jk.so for Apache Tomcat JK Web Server Connector 1.2.19 and 1.2.20, as used in Tomcat 4.1.34 and 5.5.20, allows remote attackers to execute arbitrary code via a long URL that triggers the overflow in a URI worker map routine. Important CVE-2007-0774 SUSE bug 248157 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in the layout engine in Mozilla Firefox before 1.5.0.10 and 2.x before 2.0.0.2, Thunderbird before 1.5.0.10, and SeaMonkey before 1.0.8 allow remote attackers to cause a denial of service (crash) and potentially execute arbitrary code via certain vectors. Low CVE-2007-0775 SUSE bug 244923 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in the _cairo_pen_init function in Mozilla Firefox 2.x before 2.0.0.2, Thunderbird before 1.5.0.10, and SeaMonkey before 1.0.8 allows remote attackers to execute arbitrary code via a large stroke-width attribute in the clipPath element in an SVG file. Critical CVE-2007-0776 SUSE bug 244923 SUSE Linux Enterprise Server 11 SP3 The JavaScript engine in Mozilla Firefox before 1.5.0.10 and 2.x before 2.0.0.2, Thunderbird before 1.5.0.10, and SeaMonkey before 1.0.8 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via certain vectors that trigger memory corruption. Critical CVE-2007-0777 SUSE bug 244923 SUSE Linux Enterprise Server 11 SP3 browser.js in Mozilla Firefox 1.5.x before 1.5.0.10 and 2.x before 2.0.0.2, and SeaMonkey before 1.0.8 uses the requesting URI to identify child windows, which allows remote attackers to conduct cross-site scripting (XSS) attacks by opening a blocked popup originating from a javascript: URI in combination with multiple frames having the same data: URI. Moderate CVE-2007-0780 SUSE bug 244923 SUSE Linux Enterprise Server 11 SP3 Cross-zone vulnerability in Mozilla Firefox 1.5.0.9 considers blocked popups to have an internal zone origin, which allows user-assisted remote attackers to cross zone restrictions and read arbitrary file:// URIs by convincing a user to show a blocked popup. Moderate CVE-2007-0800 SUSE bug 244923 SUSE Linux Enterprise Server 11 SP3 Clam AntiVirus ClamAV before 0.90 does not close open file descriptors under certain conditions, which allows remote attackers to cause a denial of service (file descriptor consumption and failed scans) via CAB archives with a cabinet header record length of zero, which causes a function to return without closing a file descriptor. Moderate CVE-2007-0897 SUSE bug 246214 SUSE Linux Enterprise Server 11 SP3 Directory traversal vulnerability in clamd in Clam AntiVirus ClamAV before 0.90 allows remote attackers to overwrite arbitrary files via a .. (dot dot) in the id MIME header parameter in a multi-part message. Important CVE-2007-0898 SUSE bug 246214 SUSE Linux Enterprise Server 11 SP3 The telnet daemon (telnetd) in MIT krb5 before 1.6.1 allows remote attackers to bypass authentication and gain system access via a username beginning with a '-' character, a similar issue to CVE-2007-0882. Important CVE-2007-0956 SUSE bug 247765 SUSE bug 256319 SUSE Linux Enterprise Server 11 SP3 Stack-based buffer overflow in the krb5_klog_syslog function in the kadm5 library, as used by the Kerberos administration daemon (kadmind) and Key Distribution Center (KDC), in MIT krb5 before 1.6.1 allows remote authenticated users to execute arbitrary code and modify the Kerberos key database via crafted arguments, possibly involving certain format string specifiers. Critical CVE-2007-0957 SUSE bug 253548 SUSE bug 256319 SUSE Linux Enterprise Server 11 SP3 Mozilla based browsers, including Firefox before 1.5.0.10 and 2.x before 2.0.0.2, and SeaMonkey before 1.0.8, allow remote attackers to bypass the same origin policy, steal cookies, and conduct other attacks by writing a URI with a null byte to the hostname (location.hostname) DOM property, due to interactions with DNS resolver code. Important CVE-2007-0981 SUSE bug 244923 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 1.5.0.10 and 2.x before 2.0.0.2, and SeaMonkey before 1.0.8 ignores trailing invalid HTML characters in attribute names, which allows remote attackers to bypass content filters that use regular expressions. Moderate CVE-2007-0995 SUSE bug 244923 SUSE Linux Enterprise Server 11 SP3 The child frames in Mozilla Firefox before 1.5.0.10 and 2.x before 2.0.0.2, and SeaMonkey before 1.0.8 inherit the default charset from the parent window, which allows remote attackers to conduct cross-site scripting (XSS) attacks, as demonstrated using the UTF-7 character set. Moderate CVE-2007-0996 SUSE bug 244923 SUSE Linux Enterprise Server 11 SP3 Integer overflow in ALLOCATE_LOCAL in the ProcXCMiscGetXIDList function in the XC-MISC extension in the X.Org X11 server (xserver) 7.1-1.1.0, and other versions before 20070403, allows remote authenticated users to execute arbitrary code via a large expression, which results in memory corruption. Critical CVE-2007-1003 SUSE bug 243978 SUSE bug 261141 SUSE Linux Enterprise Server 11 SP3 Double free vulnerability in the GSS-API library (lib/gssapi/krb5/k5unseal.c), as used by the Kerberos administration daemon (kadmind) in MIT krb5 before 1.6.1, when used with the authentication method provided by the RPCSEC_GSS RPC library, allows remote authenticated users to execute arbitrary code and modify the Kerberos key database via a message with an "an invalid direction encoding". Important CVE-2007-1216 SUSE bug 252487 SUSE bug 256319 SUSE Linux Enterprise Server 11 SP3 Multiple heap-based buffer overflows in the cirrus_invalidate_region function in the Cirrus VGA extension in QEMU 0.8.2, as used in Xen and possibly other products, might allow local users to execute arbitrary code via unspecified vectors related to "attempting to mark non-existent regions as dirty," aka the "bitblt" heap overflow. Important CVE-2007-1320 SUSE bug 252519 SUSE bug 270621 SUSE bug 435135 SUSE bug 448551 SUSE Linux Enterprise Server 11 SP3 Integer signedness error in the NE2000 emulator in QEMU 0.8.2, as used in Xen and possibly other products, allows local users to trigger a heap-based buffer overflow via certain register values that bypass sanity checks, aka QEMU NE2000 "receive" integer signedness error. NOTE: this identifier was inadvertently used by some sources to cover multiple issues that were labeled "NE2000 network driver and the socket code," but separate identifiers have been created for the individual vulnerabilities since there are sometimes different fixes; see CVE-2007-5729 and CVE-2007-5730. Moderate CVE-2007-1321 SUSE bug 252519 SUSE bug 270621 SUSE Linux Enterprise Server 11 SP3 QEMU 0.8.2 allows local users to halt a virtual machine by executing the icebp instruction. Moderate CVE-2007-1322 SUSE bug 252519 SUSE bug 270621 SUSE Linux Enterprise Server 11 SP3 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2007-2893. Reason: this candidate was intended for one issue, but some sources used this identifier for a separate issue, and a duplicate identifier had also been created by the time dual use was detected. Notes: All CVE users should consult CVE-2007-2893 to determine if it is appropriate. All references and descriptions in this candidate have been removed to prevent accidental usage. Moderate CVE-2007-1323 SUSE bug 252519 SUSE bug 270621 SUSE bug 280893 SUSE Linux Enterprise Server 11 SP3 PerlRun.pm in Apache mod_perl before 1.30, and RegistryCooker.pm in mod_perl 2.x, does not properly escape PATH_INFO before use in a regular expression, which allows remote attackers to cause a denial of service (resource consumption) via a crafted URI. Moderate CVE-2007-1349 SUSE bug 263785 SUSE Linux Enterprise Server 11 SP3 Integer overflow in the bdfReadCharacters function in bdfread.c in (1) X.Org libXfont before 20070403 and (2) freetype 2.3.2 and earlier allows remote authenticated users to execute arbitrary code via crafted BDF fonts, which result in a heap overflow. Important CVE-2007-1351 SUSE bug 247732 SUSE bug 258335 SUSE bug 261141 SUSE Linux Enterprise Server 11 SP3 QEMU 0.8.2 allows local users to crash a virtual machine via the divisor operand to the aam instruction, as demonstrated by "aam 0x0," which triggers a divide-by-zero error. Moderate CVE-2007-1366 SUSE bug 252519 SUSE bug 270621 SUSE Linux Enterprise Server 11 SP3 Integer underflow in the file_printf function in the "file" program before 4.20 allows user-assisted attackers to execute arbitrary code via a file that triggers a heap-based buffer overflow. Critical CVE-2007-1536 SUSE bug 256290 SUSE Linux Enterprise Server 11 SP3 The APOP protocol allows remote attackers to guess the first 3 characters of a password via man-in-the-middle (MITM) attacks that use crafted message IDs and MD5 collisions. NOTE: this design-level issue potentially affects all products that use APOP, including (1) Thunderbird 1.x before 1.5.0.12 and 2.x before 2.0.0.4, (2) Evolution, (3) mutt, (4) fetchmail before 6.3.8, (5) SeaMonkey 1.0.x before 1.0.9 and 1.1.x before 1.1.2, (6) Balsa 2.3.16 and earlier, (7) Mailfilter before 0.8.2, and possibly other products. Moderate CVE-2007-1558 SUSE bug 262450 SUSE bug 271197 SUSE bug 279843 SUSE bug 281321 SUSE bug 281323 SUSE Linux Enterprise Server 11 SP3 Multiple integer overflows in (1) the XGetPixel function in ImUtil.c in X.Org libx11 before 1.0.3, and (2) XInitImage function in xwd.c for ImageMagick, allow user-assisted remote attackers to cause a denial of service (crash) or obtain sensitive information via crafted images with large or negative values that trigger a buffer overflow. Critical CVE-2007-1667 SUSE bug 252958 SUSE bug 258253 SUSE bug 264218 SUSE Linux Enterprise Server 11 SP3 zoo decoder 2.10 (zoo-2.10), as used in multiple products including (1) Barracuda Spam Firewall 3.4 and later with virusdef before 2.0.6399, (2) Spam Firewall before 3.4 20070319 with virusdef before 2.0.6399o, and (3) AMaViS 2.4.1 and earlier, allows remote attackers to cause a denial of service (infinite loop) via a ZOO archive with a direntry structure that points to a previous file. Important CVE-2007-1669 SUSE bug 271781 SUSE Linux Enterprise Server 11 SP3 The chm_decompress_stream function in libclamav/chmunpack.c in Clam AntiVirus (ClamAV) before 0.90.2 leaks file descriptors, which has unknown impact and attack vectors involving a crafted CHM file, a different vulnerability than CVE-2007-0897. NOTE: some of these details are obtained from third party information. Important CVE-2007-1745 SUSE bug 264189 SUSE Linux Enterprise Server 11 SP3 Multiple integer overflows in ImageMagick before 6.3.3-5 allow remote attackers to execute arbitrary code via (1) a crafted DCM image, which results in a heap-based overflow in the ReadDCMImage function, or (2) the (a) colors or (b) comments field in a crafted XWD image, which results in a heap-based overflow in the ReadXWDImage function, different issues than CVE-2007-1667. Moderate CVE-2007-1797 SUSE bug 258253 SUSE bug 279866 SUSE Linux Enterprise Server 11 SP3 The isakmp_info_recv function in src/racoon/isakmp_inf.c in racoon in Ipsec-tools before 0.6.7 allows remote attackers to cause a denial of service (tunnel crash) via crafted (1) DELETE (ISAKMP_NPTYPE_D) and (2) NOTIFY (ISAKMP_NPTYPE_N) messages. Moderate CVE-2007-1841 SUSE bug 260791 SUSE bug 334907 SUSE Linux Enterprise Server 11 SP3 The recall_headers function in mod_mem_cache in Apache 2.2.4 does not properly copy all levels of header data, which can cause Apache to return HTTP headers containing previously used data, which could be used by remote attackers to obtain potentially sensitive information. Moderate CVE-2007-1862 SUSE bug 280414 SUSE bug 308637 SUSE Linux Enterprise Server 11 SP3 cache_util.c in the mod_cache module in Apache HTTP Server (httpd), when caching is enabled and a threaded Multi-Processing Module (MPM) is used, allows remote attackers to cause a denial of service (child processing handler crash) via a request with the (1) s-maxage, (2) max-age, (3) min-fresh, or (4) max-stale Cache-Control headers without a value. Moderate CVE-2007-1863 SUSE bug 289997 SUSE bug 308637 SUSE Linux Enterprise Server 11 SP3 bgpd/bgp_attr.c in Quagga 0.98.6 and earlier, and 0.99.6 and earlier 0.99 versions, does not validate length values in the MP_REACH_NLRI and MP_UNREACH_NLRI attributes, which allows remote attackers to cause a denial of service (daemon crash or exit) via crafted UPDATE messages that trigger an assertion error or out of bounds read. Moderate CVE-2007-1995 SUSE bug 266100 SUSE Linux Enterprise Server 11 SP3 Integer signedness error in the (1) cab_unstore and (2) cab_extract functions in libclamav/cab.c in Clam AntiVirus (ClamAV) before 0.90.2 allow remote attackers to execute arbitrary code via a crafted CHM file that contains a negative integer, which passes a signed comparison and leads to a stack-based buffer overflow. Important CVE-2007-1997 SUSE bug 264189 SUSE Linux Enterprise Server 11 SP3 Off-by-one error in the PyLocale_strxfrm function in Modules/_localemodule.c for Python 2.4 and 2.5 causes an incorrect buffer size to be used for the strxfrm function, which allows context-dependent attackers to read portions of memory via unknown manipulations that trigger a buffer over-read due to missing null termination. Moderate CVE-2007-2052 SUSE bug 276889 SUSE Linux Enterprise Server 11 SP3 The sandbox for vim allows dangerous functions such as (1) writefile, (2) feedkeys, and (3) system, which might allow user-assisted attackers to execute shell commands and write files via modelines. Important CVE-2007-2438 SUSE bug 270496 SUSE bug 304172 SUSE Linux Enterprise Server 11 SP3 The gssrpc__svcauth_gssapi function in the RPC library in MIT Kerberos 5 (krb5) 1.6.1 and earlier might allow remote attackers to execute arbitrary code via a zero-length RPC credential, which causes kadmind to free an uninitialized pointer during cleanup. Critical CVE-2007-2442 SUSE bug 271191 SUSE bug 283681 SUSE Linux Enterprise Server 11 SP3 Integer signedness error in the gssrpc__svcauth_unix function in svc_auth_unix.c in the RPC library in MIT Kerberos 5 (krb5) 1.6.1 and earlier might allow remote attackers to execute arbitrary code via a negative length value. Important CVE-2007-2443 SUSE bug 271191 SUSE bug 283681 SUSE Linux Enterprise Server 11 SP3 Logic error in the SID/Name translation functionality in smbd in Samba 3.0.23d through 3.0.25pre2 allows local users to gain temporary privileges and execute SMB/CIFS protocol operations via unspecified vectors that cause the daemon to transition to the root user. Important CVE-2007-2444 SUSE bug 262090 SUSE bug 273613 SUSE Linux Enterprise Server 11 SP3 Multiple heap-based buffer overflows in the NDR parsing in smbd in Samba 3.0.0 through 3.0.25rc3 allow remote attackers to execute arbitrary code via crafted MS-RPC requests involving (1) DFSEnum (netdfs_io_dfs_EnumInfo_d), (2) RFNPCNEX (smb_io_notify_option_type_data), (3) LsarAddPrivilegesToAccount (lsa_io_privilege_set), (4) NetSetFileSecurity (sec_io_acl), or (5) LsarLookupSids/LsarLookupSids2 (lsa_io_trans_names). Critical CVE-2007-2446 SUSE bug 273613 SUSE Linux Enterprise Server 11 SP3 The MS-RPC functionality in smbd in Samba 3.0.0 through 3.0.25rc3 allows remote attackers to execute arbitrary commands via shell metacharacters involving the (1) SamrChangePassword function, when the "username map script" smb.conf option is enabled, and allows remote authenticated users to execute commands via shell metacharacters involving other MS-RPC functions in the (2) remote printer and (3) file share management. Important CVE-2007-2447 SUSE bug 273611 SUSE bug 273613 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in the visit_old_format function in locate/locate.c in locate in GNU findutils before 4.2.31 might allow context-dependent attackers to execute arbitrary code via a long pathname in a locate database that has the old format, a different vulnerability than CVE-2001-1036. Moderate CVE-2007-2452 SUSE bug 278694 SUSE Linux Enterprise Server 11 SP3 The gdPngReadData function in libgd 2.0.34 allows user-assisted attackers to cause a denial of service (CPU consumption) via a crafted PNG image with truncated data, which causes an infinite loop in the png_read_info function in libpng. Moderate CVE-2007-2756 SUSE bug 276525 SUSE bug 282730 SUSE Linux Enterprise Server 11 SP3 Stack-based buffer overflow in the rename_principal_2_svc function in kadmind for MIT Kerberos 1.5.3, 1.6.1, and other versions allows remote authenticated users to execute arbitrary code via a crafted request to rename a principal. Important CVE-2007-2798 SUSE bug 278689 SUSE bug 283681 SUSE Linux Enterprise Server 11 SP3 Integer overflow in the "file" program 4.20, when running on 32-bit systems, as used in products including The Sleuth Kit, might allow user-assisted attackers to execute arbitrary code via a large file that triggers an overflow that bypasses an assert() statement. NOTE: this issue is due to an incorrect patch for CVE-2007-1536. Moderate CVE-2007-2799 SUSE bug 256290 SUSE Linux Enterprise Server 11 SP3 SpamAssassin 3.1.x, 3.2.0, and 3.2.1 before 20070611, when running as root in unusual configurations using vpopmail or virtual users, allows local users to cause a denial of service (corrupt arbitrary files) via a symlink attack on a file that is used by spamd. Moderate CVE-2007-2873 SUSE bug 284488 SUSE Linux Enterprise Server 11 SP3 The default access control lists (ACL) in ISC BIND 9.4.0, 9.4.1, and 9.5.0a1 through 9.5.0a5 do not set the allow-recursion and allow-query-cache ACLs, which allows remote attackers to make recursive queries and query the cache. Important CVE-2007-2925 SUSE bug 294403 SUSE Linux Enterprise Server 11 SP3 ISC BIND 9 through 9.5.0a5 uses a weak random number generator during generation of DNS query ids when answering resolver questions or sending NOTIFY messages to slave name servers, which makes it easier for remote attackers to guess the next query id and perform DNS cache poisoning. Moderate CVE-2007-2926 SUSE bug 294403 SUSE bug 295040 SUSE Linux Enterprise Server 11 SP3 Format string vulnerability in the helptags_one function in src/ex_cmds.c in Vim 6.4 and earlier, and 7.x up to 7.1, allows user-assisted remote attackers to execute arbitrary code via format string specifiers in a help-tags tag in a help file, related to the helptags command. Moderate CVE-2007-2953 SUSE bug 292433 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 2.0.0.5 does not prevent use of document.write to replace an IFRAME (1) during the load stage or (2) in the case of an about:blank frame, which allows remote attackers to display arbitrary HTML or execute certain JavaScript code, as demonstrated by code that intercepts keystroke values from window.event, aka the "promiscuous IFRAME access bug," a related issue to CVE-2006-4568. Important CVE-2007-3089 SUSE bug 288115 SUSE Linux Enterprise Server 11 SP3 lib/info.c in libvorbis 1.1.2, and possibly other versions before 1.2.0, allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via invalid (1) blocksize_0 and (2) blocksize_1 values, which trigger a "heap overwrite" in the _01inverse function in res0.c. NOTE: this issue has been RECAST so that CVE-2007-4029 handles additional vectors. Moderate CVE-2007-3106 SUSE bug 287124 SUSE Linux Enterprise Server 11 SP3 The BN_from_montgomery function in crypto/bn/bn_mont.c in OpenSSL 0.9.8e and earlier does not properly perform Montgomery multiplication, which might allow local users to conduct a side-channel attack and retrieve RSA private keys. Moderate CVE-2007-3108 SUSE bug 296511 SUSE Linux Enterprise Server 11 SP3 Camel (camel-imap-folder.c) in the mailer component for Evolution Data Server 1.11 allows remote IMAP servers to execute arbitrary code via a negative SEQUENCE value in GData, which is used as an array index. Moderate CVE-2007-3257 SUSE bug 284828 SUSE bug 290827 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 2.0.0.5, when run on Windows, allows remote attackers to bypass file type checks and possibly execute programs via a (1) file:/// or (2) resource: URI with a dangerous extension, followed by a NULL byte (%00) and a safer extension, which causes Firefox to treat the requested file differently than Windows would. Moderate CVE-2007-3285 SUSE bug 288115 SUSE Linux Enterprise Server 11 SP3 Apache httpd 1.3.37, 2.0.59, and 2.2.4 with the Prefork MPM module, allows local users to cause a denial of service by modifying the worker_score and process_score arrays to reference an arbitrary process ID, which is sent a SIGUSR1 signal from the master process, aka "SIGUSR1 killer." Moderate CVE-2007-3304 SUSE bug 286685 SUSE bug 308637 SUSE bug 422464 SUSE Linux Enterprise Server 11 SP3 The Avahi daemon in Avahi before 0.6.20 allows attackers to cause a denial of service (exit) via empty TXT data over D-Bus, which triggers an assert error. Moderate CVE-2007-3372 SUSE bug 287123 SUSE Linux Enterprise Server 11 SP3 Integer overflow in the StreamPredictor::StreamPredictor function in xpdf 3.02, as used in (1) poppler before 0.5.91, (2) gpdf before 2.8.2, (3) kpdf, (4) kdegraphics, (5) CUPS, (6) PDFedit, and other products, might allow remote attackers to execute arbitrary code via a crafted PDF file that triggers a stack-based buffer overflow in the StreamPredictor::getNextLine function. Moderate CVE-2007-3387 SUSE bug 291690 SUSE bug 335637 SUSE Linux Enterprise Server 11 SP3 Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message. Moderate CVE-2007-3388 SUSE bug 291754 SUSE bug 550618 SUSE Linux Enterprise Server 11 SP3 archive_read_support_format_tar.c in libarchive before 2.2.4 does not properly compute the length of a certain buffer when processing a malformed pax extension header, which allows user-assisted remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted (1) PAX or (2) TAR archive that triggers a buffer overflow. Critical CVE-2007-3641 SUSE bug 291358 SUSE Linux Enterprise Server 11 SP3 archive_read_support_format_tar.c in libarchive before 2.2.4 allows user-assisted remote attackers to cause a denial of service (infinite loop) via (1) an end-of-file condition within a pax extension header or (2) a malformed pax extension header in an (a) PAX or a (b) TAR archive. Moderate CVE-2007-3644 SUSE bug 291358 SUSE Linux Enterprise Server 11 SP3 archive_read_support_format_tar.c in libarchive before 2.2.4 allows user-assisted remote attackers to cause a denial of service (crash) via (1) an end-of-file condition within a tar header that follows a pax extension header or (2) a malformed pax extension header in an (a) PAX or a (b) TAR archive, which results in a NULL pointer dereference, a different issue than CVE-2007-3644. Moderate CVE-2007-3645 SUSE bug 291358 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 1.8.0.13 and 1.8.1.x before 1.8.1.5 does not perform a security zone check when processing a wyciwyg URI, which allows remote attackers to obtain sensitive information, poison the browser cache, and possibly enable further attack vectors via (1) HTTP 302 redirect controls, (2) XMLHttpRequest, or (3) view-source URIs. Moderate CVE-2007-3656 SUSE bug 288115 SUSE Linux Enterprise Server 11 SP3 Argument injection vulnerability in Microsoft Internet Explorer, when running on systems with Firefox installed and certain URIs registered, allows remote attackers to conduct cross-browser scripting attacks and execute arbitrary commands via shell metacharacters in a (1) FirefoxURL or (2) FirefoxHTML URI, which are inserted into the command line that is created when invoking firefox.exe. NOTE: it has been debated as to whether the issue is in Internet Explorer or Firefox. As of 20070711, it is CVE's opinion that IE appears to be failing to properly delimit the URL argument when invoking Firefox, and this issue could arise with other protocol handlers in IE as well. However, Mozilla has stated that it will address the issue with a "defense in depth" fix that will "prevent IE from sending Firefox malicious data." Moderate CVE-2007-3670 SUSE bug 288115 SUSE Linux Enterprise Server 11 SP3 Integer signedness error in the SET_VALUE function in rarvm.cpp in unrar 3.70 beta 3, as used in products including WinRAR and RAR for OS X, allows user-assisted remote attackers to cause a denial of service (crash) via a crafted RAR archive that causes a negative signed number to be cast to a large unsigned number. Moderate CVE-2007-3726 SUSE bug 291702 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 2.0.0.5 and Thunderbird before 2.0.0.5 allow remote attackers to cause a denial of service (crash) via unspecified vectors that trigger memory corruption. Critical CVE-2007-3734 SUSE bug 288115 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in the JavaScript engine in Mozilla Firefox before 2.0.0.5 and Thunderbird before 2.0.0.5 allow remote attackers to cause a denial of service (crash) via unspecified vectors that trigger memory corruption. Critical CVE-2007-3735 SUSE bug 288115 SUSE Linux Enterprise Server 11 SP3 Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 2.0.0.5 allows remote attackers to inject arbitrary web script "into another site's context" via a "timing issue" involving the (1) addEventListener or (2) setTimeout function, probably by setting events that activate after the context has changed. Moderate CVE-2007-3736 SUSE bug 288115 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 2.0.0.5 allows remote attackers to execute arbitrary code with chrome privileges by calling an event handler from an unspecified "element outside of a document." Critical CVE-2007-3737 SUSE bug 288115 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.5 allow remote attackers to execute arbitrary code via a crafted XPCNativeWrapper. Critical CVE-2007-3738 SUSE bug 288115 SUSE Linux Enterprise Server 11 SP3 konqueror/konq_combo.cc in Konqueror 3.5.7 allows remote attackers to spoof the data: URI scheme in the address bar via a long URI with trailing whitespace, which prevents the beginning of the URI from being displayed. Moderate CVE-2007-3820 SUSE bug 292047 SUSE Linux Enterprise Server 11 SP3 The date handling code in modules/proxy/proxy_util.c (mod_proxy) in Apache 2.3.0, when using a threaded MPM, allows remote origin servers to cause a denial of service (caching forward proxy process crash) via crafted date headers that trigger a buffer over-read. Moderate CVE-2007-3847 SUSE bug 308637 SUSE Linux Enterprise Server 11 SP3 The init script (sysstat.in) in sysstat 5.1.2 up to 7.1.6 creates /tmp/sysstat.run insecurely, which allows local users to execute arbitrary code. Moderate CVE-2007-3852 SUSE bug 298308 SUSE Linux Enterprise Server 11 SP3 (1) xenbaked and (2) xenmon.py in Xen 3.1 and earlier allow local users to truncate arbitrary files via a symlink attack on /tmp/xenq-shm. Moderate CVE-2007-3919 SUSE bug 334445 SUSE Linux Enterprise Server 11 SP3 Stack-based buffer overflow in the svcauth_gss_validate function in lib/rpc/svc_auth_gss.c in the RPCSEC_GSS RPC library (librpcsecgss) in MIT Kerberos 5 (krb5) 1.4 through 1.6.2, as used by the Kerberos administration daemon (kadmind) and some third-party applications that use krb5, allows remote attackers to cause a denial of service (daemon crash) and probably execute arbitrary code via a long string in an RPC message. Critical CVE-2007-3999 SUSE bug 302377 SUSE bug 305261 SUSE Linux Enterprise Server 11 SP3 The kadm5_modify_policy_internal function in lib/kadm5/srv/svr_policy.c in the Kerberos administration daemon (kadmind) in MIT Kerberos 5 (krb5) 1.5 through 1.6.2 does not properly check return values when the policy does not exist, which might allow remote authenticated users with the "modify policy" privilege to execute arbitrary code via unspecified vectors that trigger a write to an uninitialized pointer. Important CVE-2007-4000 SUSE bug 302377 SUSE bug 305261 SUSE Linux Enterprise Server 11 SP3 Multiple off-by-one errors in the sender.c in rsync 2.6.9 might allow remote attackers to execute arbitrary code via directory names that are not properly handled when calling the f_name function. Moderate CVE-2007-4091 SUSE bug 279866 SUSE bug 294073 SUSE Linux Enterprise Server 11 SP3 CoolKey 1.1.0 allows local users to overwrite arbitrary files via a symlink attack on temporary files in the /tmp/.pk11ipc1/ directory. Moderate CVE-2007-4129 SUSE bug 304180 SUSE Linux Enterprise Server 11 SP3 Directory traversal vulnerability in extract.c in star before 1.5a84 allows user-assisted remote attackers to overwrite arbitrary files via certain //.. (slash slash dot dot) sequences in directory symlinks in a TAR archive. Moderate CVE-2007-4134 SUSE bug 302489 SUSE Linux Enterprise Server 11 SP3 Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow. NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable. Important CVE-2007-4137 SUSE bug 304249 SUSE Linux Enterprise Server 11 SP3 The Winbind nss_info extension (nsswitch/idmap_ad.c) in idmap_ad.so in Samba 3.0.25 through 3.0.25c, when the "winbind nss info" option is set to rfc2307 or sfu, grants all local users the privileges of gid 0 when the (1) RFC2307 or (2) Services for UNIX (SFU) primary group attribute is not defined. Moderate CVE-2007-4138 SUSE bug 307623 SUSE Linux Enterprise Server 11 SP3 KDE Konqueror 3.5.7 allows remote attackers to spoof the URL address bar by calling setInterval with a small interval and changing the window.location property. Moderate CVE-2007-4224 SUSE bug 298736 SUSE Linux Enterprise Server 11 SP3 Visual truncation vulnerability in KDE Konqueror 3.5.7 allows remote attackers to spoof the URL address bar via an http URI with a large amount of whitespace in the user/password portion. Moderate CVE-2007-4225 SUSE bug 298707 SUSE Linux Enterprise Server 11 SP3 Off-by-one error in the ippReadIO function in cups/ipp.c in CUPS 1.3.3 allows remote attackers to cause a denial of service (crash) via a crafted (1) textWithLanguage or (2) nameWithLanguage Internet Printing Protocol (IPP) tag, leading to a stack-based buffer overflow. Critical CVE-2007-4351 SUSE bug 335635 SUSE Linux Enterprise Server 11 SP3 Array index error in the DCTStream::readProgressiveDataUnit method in xpdf/Stream.cc in Xpdf 3.02pl1, as used in poppler, teTeX, KDE, KOffice, CUPS, and other products, allows remote attackers to trigger memory corruption and execute arbitrary code via a crafted PDF file. Important CVE-2007-4352 SUSE bug 335637 SUSE Linux Enterprise Server 11 SP3 Cross-site scripting (XSS) vulnerability in mod_autoindex.c in the Apache HTTP Server before 2.2.6, when the charset on a server-generated page is not defined, allows remote attackers to inject arbitrary web script or HTML via the P parameter using the UTF-7 charset. NOTE: it could be argued that this issue is due to a design limitation of browsers that attempt to perform automatic content type detection. Moderate CVE-2007-4465 SUSE bug 308637 SUSE bug 310161 SUSE bug 325655 SUSE Linux Enterprise Server 11 SP3 sink.c in fetchmail before 6.3.9 allows context-dependent attackers to cause a denial of service (NULL dereference and application crash) by refusing certain warning messages that are sent over SMTP. Moderate CVE-2007-4565 SUSE bug 308271 SUSE Linux Enterprise Server 11 SP3 Integer overflow in the build_range function in X.Org X Font Server (xfs) before 1.0.5 allows context-dependent attackers to execute arbitrary code via (1) QueryXBitmaps and (2) QueryXExtents protocol requests with crafted size values, which triggers a heap-based buffer overflow. Moderate CVE-2007-4568 SUSE bug 308064 SUSE bug 308066 SUSE Linux Enterprise Server 11 SP3 backend/session.c in KDM in KDE 3.3.0 through 3.5.7, when autologin is configured and "shutdown with password" is enabled, allows remote attackers to bypass the password requirement and login to arbitrary accounts via unspecified vectors. Important CVE-2007-4569 SUSE bug 307372 SUSE Linux Enterprise Server 11 SP3 Stack-based buffer overflow in nmbd in Samba 3.0.0 through 3.0.26a, when configured as a Primary or Backup Domain controller, allows remote attackers to have an unknown impact via crafted GETDC mailslot requests, related to handling of GETDC logon server requests. Critical CVE-2007-4572 SUSE bug 326261 SUSE bug 337823 SUSE Linux Enterprise Server 11 SP3 The original patch for CVE-2007-3999 in svc_auth_gss.c in the RPCSEC_GSS RPC library in MIT Kerberos 5 (krb5) 1.4 through 1.6.2, as used by the Kerberos administration daemon (kadmind) and other applications that use krb5, does not correctly check the buffer length in some environments and architectures, which might allow remote attackers to conduct a buffer overflow attack. Critical CVE-2007-4743 SUSE bug 302377 SUSE Linux Enterprise Server 11 SP3 ssh in OpenSSH before 4.7 does not properly handle when an untrusted cookie cannot be created and uses a trusted X11 cookie instead, which allows attackers to violate intended policy and gain privileges by causing an X client to be treated as trusted. Important CVE-2007-4752 SUSE bug 308521 SUSE Linux Enterprise Server 11 SP3 The regular expression parser in TCL before 8.4.17, as used in PostgreSQL 8.2 before 8.2.6, 8.1 before 8.1.11, 8.0 before 8.0.15, and 7.4 before 7.4.19, allows remote authenticated users to cause a denial of service (backend crash) via an out-of-bounds backref number. Important CVE-2007-4769 SUSE bug 329282 SUSE Linux Enterprise Server 11 SP3 libicu in International Components for Unicode (ICU) 3.8.1 and earlier attempts to process backreferences to the nonexistent capture group zero (aka \0), which might allow context-dependent attackers to read from, or write to, out-of-bounds memory locations, related to corruption of REStackFrames. Important CVE-2007-4770 SUSE bug 354372 SUSE bug 363252 SUSE bug 417817 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in the doInterval function in regexcmp.cpp in libicu in International Components for Unicode (ICU) 3.8.1 and earlier allows context-dependent attackers to cause a denial of service (memory consumption) and possibly have unspecified other impact via a regular expression that writes a large amount of data to the backtracking stack. NOTE: some of these details are obtained from third party information. Critical CVE-2007-4771 SUSE bug 354372 SUSE bug 363252 SUSE bug 417817 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The regular expression parser in TCL before 8.4.17, as used in PostgreSQL 8.2 before 8.2.6, 8.1 before 8.1.11, 8.0 before 8.0.15, and 7.4 before 7.4.19, allows context-dependent attackers to cause a denial of service (infinite loop) via a crafted regular expression. Important CVE-2007-4772 SUSE bug 329282 SUSE Linux Enterprise Server 11 SP3 The iconv_substr function in PHP 5.2.4 and earlier allows context-dependent attackers to cause (1) a denial of service (application crash) via a long string in the charset parameter, probably also requiring a long string in the str parameter; or (2) a denial of service (temporary application hang) via a long string in the str parameter. NOTE: this might not be a vulnerability in most web server environments that support multiple threads, unless these issues can be demonstrated for code execution. Moderate CVE-2007-4783 SUSE bug 308069 SUSE bug 325827 SUSE Linux Enterprise Server 11 SP3 PHP 5.2.4 and earlier allows context-dependent attackers to cause a denial of service (application crash) via (1) a long string in the out_charset parameter to the iconv function; or a long string in the charset parameter to the (2) iconv_mime_decode_headers, (3) iconv_mime_decode, or (4) iconv_strlen function. NOTE: this might not be a vulnerability in most web server environments that support multiple threads, unless these issues can be demonstrated for code execution. Moderate CVE-2007-4840 SUSE bug 308498 SUSE bug 325827 SUSE Linux Enterprise Server 11 SP3 The dl function in PHP 5.2.4 and earlier allows context-dependent attackers to cause a denial of service (application crash) via a long string in the library parameter. NOTE: there are limited usage scenarios under which this would be a vulnerability. Moderate CVE-2007-4887 SUSE bug 325657 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in the flac_buffer_copy function in libsndfile 1.0.17 and earlier might allow remote attackers to execute arbitrary code via a FLAC file with crafted PCM data containing a block with a size that exceeds the previous block size. Important CVE-2007-4974 SUSE bug 326070 SUSE Linux Enterprise Server 11 SP3 ImageMagick before 6.3.5-9 allows context-dependent attackers to cause a denial of service via a crafted image file that triggers (1) an infinite loop in the ReadDCMImage function, related to ReadBlobByte function calls; or (2) an infinite loop in the ReadXCFImage function, related to ReadBlobMSBLong function calls. Moderate CVE-2007-4985 SUSE bug 327021 SUSE Linux Enterprise Server 11 SP3 Multiple integer overflows in ImageMagick before 6.3.5-9 allow context-dependent attackers to execute arbitrary code via a crafted (1) .dcm, (2) .dib, (3) .xbm, (4) .xcf, or (5) .xwd image file, which triggers a heap-based buffer overflow. Moderate CVE-2007-4986 SUSE bug 327021 SUSE Linux Enterprise Server 11 SP3 Off-by-one error in the ReadBlobString function in blob.c in ImageMagick before 6.3.5-9 allows context-dependent attackers to execute arbitrary code via a crafted image file, which triggers the writing of a '\0' character to an out-of-bounds address. Critical CVE-2007-4987 SUSE bug 327021 SUSE Linux Enterprise Server 11 SP3 Sign extension error in the ReadDIBImage function in ImageMagick before 6.3.5-9 allows context-dependent attackers to execute arbitrary code via a crafted width value in an image file, which triggers an integer overflow and a heap-based buffer overflow. Moderate CVE-2007-4988 SUSE bug 327021 SUSE Linux Enterprise Server 11 SP3 Off-by-one error in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8f allows remote attackers to execute arbitrary code via unspecified vectors. Critical CVE-2007-4995 SUSE bug 331726 SUSE Linux Enterprise Server 11 SP3 Cross-site scripting (XSS) vulnerability in the (1) mod_imap module in the Apache HTTP Server 1.3.0 through 1.3.39 and 2.0.35 through 2.0.61 and the (2) mod_imagemap module in the Apache HTTP Server 2.2.0 through 2.2.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Moderate CVE-2007-5000 SUSE bug 353859 SUSE bug 355888 SUSE Linux Enterprise Server 11 SP3 Buffer overflow in the polymorphic opcode support in the Regular Expression Engine (regcomp.c) in Perl 5.8 allows context-dependent attackers to execute arbitrary code by switching from byte to Unicode (UTF) characters in a regular expression. Important CVE-2007-5116 SUSE bug 332199 SUSE bug 372331 SUSE bug 915514 SUSE Linux Enterprise Server 11 SP3 Off-by-one error in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 up to 0.9.7l, and 0.9.8 up to 0.9.8f, might allow remote attackers to execute arbitrary code via a crafted packet that triggers a one-byte buffer underflow. NOTE: this issue was introduced as a result of a fix for CVE-2006-3738. As of 20071012, it is unknown whether code execution is possible. Moderate CVE-2007-5135 SUSE bug 329208 SUSE bug 331726 SUSE bug 363663 SUSE Linux Enterprise Server 11 SP3 The connect method in lib/net/http.rb in the (1) Net::HTTP and (2) Net::HTTPS libraries in Ruby 1.8.5 and 1.8.6 does not verify that the commonName (CN) field in a server certificate matches the domain name in an HTTPS request, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site. Moderate CVE-2007-5162 SUSE bug 329706 SUSE Linux Enterprise Server 11 SP3 hpssd in Hewlett-Packard Linux Imaging and Printing Project (hplip) 1.x and 2.x before 2.7.10 allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a from address, which is not properly handled when invoking sendmail. Important CVE-2007-5208 SUSE bug 331015 SUSE Linux Enterprise Server 11 SP3 Integer overflow in the DCTStream::reset method in xpdf/Stream.cc in Xpdf 3.02p11 allows remote attackers to execute arbitrary code via a crafted PDF file, resulting in a heap-based buffer overflow. Critical CVE-2007-5392 SUSE bug 335637 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in the CCITTFaxStream::lookChar method in xpdf/Stream.cc in Xpdf 3.02p11 allows remote attackers to execute arbitrary code via a PDF file that contains a crafted CCITTFaxDecode filter. Critical CVE-2007-5393 SUSE bug 335637 SUSE Linux Enterprise Server 11 SP3 Stack-based buffer overflow in the reply_netbios_packet function in nmbd/nmbd_packets.c in nmbd in Samba 3.0.0 through 3.0.26a, when operating as a WINS server, allows remote attackers to execute arbitrary code via crafted WINS Name Registration requests followed by a WINS Name Query request. Critical CVE-2007-5398 SUSE bug 337823 SUSE Linux Enterprise Server 11 SP3 Multiple integer overflows in libext2fs in e2fsprogs before 1.40.3 allow user-assisted remote attackers to execute arbitrary code via a crafted filesystem image. Moderate CVE-2007-5497 SUSE bug 340473 SUSE Linux Enterprise Server 11 SP3 Buffer overflow in the check_snmp function in Nagios Plugins (nagios-plugins) 1.4.10 allows remote attackers to cause a denial of service (crash) via crafted snmpget replies. Moderate CVE-2007-5623 SUSE bug 336002 SUSE Linux Enterprise Server 11 SP3 Array index error in the XFree86-Misc extension in X.Org Xserver before 1.4.1 allows context-dependent attackers to execute arbitrary code via a PassMessage request containing a large array index. Critical CVE-2007-5760 SUSE bug 345496 SUSE Linux Enterprise Server 11 SP3 The (1) Net::ftptls, (2) Net::telnets, (3) Net::imap, (4) Net::pop, and (5) Net::smtp libraries in Ruby 1.8.5 and 1.8.6 do not verify that the commonName (CN) field in a server certificate matches the domain name in a request sent over SSL, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site, different components than CVE-2007-5162. Moderate CVE-2007-5770 SUSE bug 329706 SUSE Linux Enterprise Server 11 SP3 The hack-local-variables function in Emacs before 22.2, when enable-local-variables is set to :safe, does not properly search lists of unsafe or risky variables, which might allow user-assisted attackers to bypass intended restrictions and modify critical program variables via a file containing a Local variables declaration. Moderate CVE-2007-5795 SUSE bug 339033 SUSE Linux Enterprise Server 11 SP3 Multiple cross-site scripting (XSS) vulnerabilities in CGI programs in Nagios before 2.12 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different issue than CVE-2007-5624 and CVE-2008-1360. Moderate CVE-2007-5803 SUSE bug 339447 SUSE Linux Enterprise Server 11 SP3 ** DISPUTED ** The reply function in ftpd.c in the gssftp ftpd in MIT Kerberos 5 (krb5) does not initialize the length variable when auth_type has a certain value, which has unknown impact and remote authenticated attack vectors. NOTE: the original disclosure misidentifies the conditions under which the uninitialized variable is used. NOTE: the vendor disputes this issue, stating " The 'length' variable is only uninitialized if 'auth_type' is neither the 'KERBEROS_V4' nor 'GSSAPI'; this condition cannot occur in the unmodified source code." Critical CVE-2007-5894 SUSE bug 346745 SUSE bug 346749 SUSE Linux Enterprise Server 11 SP3 Integer overflow in the svcauth_gss_get_principal function in lib/rpc/svc_auth_gss.c in MIT Kerberos 5 (krb5) allows remote attackers to have an unknown impact via a large length value for a GSS client name in an RPC request. Critical CVE-2007-5902 SUSE bug 346747 SUSE bug 346749 SUSE Linux Enterprise Server 11 SP3 MySQL Community Server 5.0.x before 5.0.51, Enterprise Server 5.0.x before 5.0.52, Server 5.1.x before 5.1.23, and Server 6.0.x before 6.0.4, when a table relies on symlinks created through explicit DATA DIRECTORY and INDEX DIRECTORY options, allows remote authenticated users to overwrite system table information and gain privileges via a RENAME TABLE statement that changes the symlink to point to an existing file. Important CVE-2007-5969 SUSE bug 347223 SUSE bug 348003 SUSE bug 348307 SUSE Linux Enterprise Server 11 SP3 Double free vulnerability in the gss_krb5int_make_seal_token_v3 function in lib/gssapi/krb5/k5sealv3.c in MIT Kerberos 5 (krb5) has unknown impact and attack vectors. Moderate CVE-2007-5971 SUSE bug 346748 SUSE bug 346749 SUSE Linux Enterprise Server 11 SP3 Double free vulnerability in the krb5_def_store_mkey function in lib/kdb/kdb_default.c in MIT Kerberos 5 (krb5) 1.5 has unknown impact and remote authenticated attack vectors. NOTE: the free operations occur in code that stores the krb5kdc master key, and so the attacker must have privileges to store this key. Critical CVE-2007-5972 SUSE bug 346749 SUSE Linux Enterprise Server 11 SP3 Stack-based buffer overflow in the send_mailslot function in nmbd in Samba 3.0.0 through 3.0.27a, when the "domain logons" option is enabled, allows remote attackers to execute arbitrary code via a GETDC mailslot request composed of a long GETDC string following an offset username in a SAMLOGON logon request. Critical CVE-2007-6015 SUSE bug 343702 SUSE Linux Enterprise Server 11 SP3 Algorithmic complexity vulnerability in the regular expression parser in TCL before 8.4.17, as used in PostgreSQL 8.2 before 8.2.6, 8.1 before 8.1.11, 8.0 before 8.0.15, and 7.4 before 7.4.19, allows remote authenticated users to cause a denial of service (memory consumption) via a crafted "complex" regular expression with doubly-nested states. Important CVE-2007-6067 SUSE bug 329282 SUSE Linux Enterprise Server 11 SP3 rsync before 3.0.0pre6, when running a writable rsync daemon that is not using chroot, allows remote attackers to access restricted files via unknown vectors that cause rsync to create a symlink that points outside of the module's hierarchy. Critical CVE-2007-6199 SUSE bug 345507 SUSE Linux Enterprise Server 11 SP3 The xmlCurrentChar function in libxml2 before 2.6.31 allows context-dependent attackers to cause a denial of service (infinite loop) via XML containing invalid UTF-8 sequences. Moderate CVE-2007-6284 SUSE bug 349151 SUSE Linux Enterprise Server 11 SP3 MySQL 5.0.x before 5.0.51a, 5.1.x before 5.1.23, and 6.0.x before 6.0.4 does not update the DEFINER value of a view when the view is altered, which allows remote authenticated users to gain privileges via a sequence of statements including a CREATE SQL SECURITY DEFINER VIEW statement and an ALTER VIEW statement. Low CVE-2007-6303 SUSE bug 348003 SUSE Linux Enterprise Server 11 SP3 The federated engine in MySQL 5.0.x before 5.0.51a, 5.1.x before 5.1.23, and 6.0.x before 6.0.4, when performing a certain SHOW TABLE STATUS query, allows remote MySQL servers to cause a denial of service (federated handler crash and daemon crash) via a response that lacks the minimum required number of columns. Moderate CVE-2007-6304 SUSE bug 348003 SUSE Linux Enterprise Server 11 SP3 Integer overflow in libclamav in ClamAV before 0.92 allows remote attackers to execute arbitrary code via a crafted MEW packed PE file, which triggers a heap-based buffer overflow. Important CVE-2007-6335 SUSE bug 343277 SUSE Linux Enterprise Server 11 SP3 Off-by-one error in ClamAV before 0.92 allows remote attackers to execute arbitrary code via a crafted MS-ZIP compressed CAB file. Moderate CVE-2007-6336 SUSE bug 343277 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the bzip2 decompression algorithm in nsis/bzlib_private.h in ClamAV before 0.92 has unknown impact and remote attack vectors. Critical CVE-2007-6337 SUSE bug 343277 SUSE Linux Enterprise Server 11 SP3 libexif 0.6.16 and earlier allows context-dependent attackers to cause a denial of service (infinite recursion) via an image file with crafted EXIF tags, possibly involving the exif_loader_write function in exif_loader.c. Moderate CVE-2007-6351 SUSE bug 348748 SUSE Linux Enterprise Server 11 SP3 Integer overflow in libexif 0.6.16 and earlier allows context-dependent attackers to execute arbitrary code via an image with crafted EXIF tags, possibly involving the exif_data_load_data_thumbnail function in exif-data.c. Moderate CVE-2007-6352 SUSE bug 348748 SUSE Linux Enterprise Server 11 SP3 Integer overflow in exif.cpp in exiv2 library allows context-dependent attackers to execute arbitrary code via a crafted EXIF file that triggers a heap-based buffer overflow. Important CVE-2007-6353 SUSE bug 348748 SUSE bug 435509 SUSE Linux Enterprise Server 11 SP3 Cross-site scripting (XSS) vulnerability in mod_status in the Apache HTTP Server 2.2.0 through 2.2.6, 2.0.35 through 2.0.61, and 1.3.2 through 1.3.39, when the server-status page is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Moderate CVE-2007-6388 SUSE bug 352235 SUSE bug 355888 SUSE Linux Enterprise Server 11 SP3 Cross-site request forgery (CSRF) vulnerability in the balancer-manager in mod_proxy_balancer for Apache HTTP Server 2.2.x allows remote attackers to gain privileges via unspecified vectors. Moderate CVE-2007-6420 SUSE bug 353261 SUSE bug 373903 SUSE bug 422464 SUSE Linux Enterprise Server 11 SP3 Cross-site scripting (XSS) vulnerability in balancer-manager in mod_proxy_balancer in the Apache HTTP Server 2.2.0 through 2.2.6 allows remote attackers to inject arbitrary web script or HTML via the (1) ss, (2) wr, or (3) rr parameters, or (4) the URL. Moderate CVE-2007-6421 SUSE bug 353261 SUSE bug 355888 SUSE Linux Enterprise Server 11 SP3 The balancer_handler function in mod_proxy_balancer in the Apache HTTP Server 2.2.0 through 2.2.6, when a threaded Multi-Processing Module is used, allows remote authenticated users to cause a denial of service (child process crash) via an invalid bb variable. Moderate CVE-2007-6422 SUSE bug 353261 SUSE bug 355888 SUSE Linux Enterprise Server 11 SP3 The XInput extension in X.Org Xserver before 1.4.1 allows context-dependent attackers to execute arbitrary code via requests related to byte swapping and heap corruption within multiple functions, a different vulnerability than CVE-2007-4990. Critical CVE-2007-6427 SUSE bug 345127 SUSE Linux Enterprise Server 11 SP3 The ProcGetReservedColormapEntries function in the TOG-CUP extension in X.Org Xserver before 1.4.1 allows context-dependent attackers to read the contents of arbitrary memory locations via a request containing a 32-bit value that is improperly used as an array index. Moderate CVE-2007-6428 SUSE bug 345128 SUSE Linux Enterprise Server 11 SP3 Multiple integer overflows in X.Org Xserver before 1.4.1 allow context-dependent attackers to execute arbitrary code via (1) a GetVisualInfo request containing a 32-bit value that is improperly used to calculate an amount of memory for allocation by the EVI extension, or (2) a request containing values related to pixmap size that are improperly used in management of shared memory by the MIT-SHM extension. Critical CVE-2007-6429 SUSE bug 345130 SUSE bug 345131 SUSE Linux Enterprise Server 11 SP3 ClamAV 0.92 allows local users to overwrite arbitrary files via a symlink attack on (1) temporary files used by the cli_gentempfd function in libclamav/others.c or on (2) .ascii files used by sigtool, when utf16-decode is enabled. Moderate CVE-2007-6595 SUSE bug 350987 SUSE Linux Enterprise Server 11 SP3 ClamAV 0.92 does not recognize Base64 UUEncoded archives, which allows remote attackers to bypass the scanner via a Base64-UUEncoded file. Moderate CVE-2007-6596 SUSE bug 350987 SUSE Linux Enterprise Server 11 SP3 PostgreSQL 8.2 before 8.2.6, 8.1 before 8.1.11, 8.0 before 8.0.15, 7.4 before 7.4.19, and 7.3 before 7.3.21 uses superuser privileges instead of table owner privileges for (1) VACUUM and (2) ANALYZE operations within index functions, and supports (3) SET ROLE and (4) SET SESSION AUTHORIZATION within index functions, which allows remote authenticated users to gain privileges. Moderate CVE-2007-6600 SUSE bug 329282 SUSE bug 537706 SUSE Linux Enterprise Server 11 SP3 The DBLink module in PostgreSQL 8.2 before 8.2.6, 8.1 before 8.1.11, 8.0 before 8.0.15, 7.4 before 7.4.19, and 7.3 before 7.3.21, when local trust or ident authentication is used, allows remote attackers to gain privileges via unspecified vectors. NOTE: this issue exists because of an incomplete fix for CVE-2007-3278. Important CVE-2007-6601 SUSE bug 328403 SUSE bug 329282 SUSE Linux Enterprise Server 11 SP3 The Apache HTTP Server 1.x and 2.x allows remote attackers to cause a denial of service (daemon outage) via partial HTTP requests, as demonstrated by Slowloris, related to the lack of the mod_reqtimeout module in versions before 2.2.15. Moderate CVE-2007-6750 SUSE bug 738855 SUSE bug 741840 SUSE bug 997229 SUSE Linux Enterprise Server 11 SP3 mod_proxy_ftp in Apache 2.2.x before 2.2.7-dev, 2.0.x before 2.0.62-dev, and 1.3.x before 1.3.40-dev does not define a charset, which allows remote attackers to conduct cross-site scripting (XSS) attacks using UTF-7 encoding. Moderate CVE-2008-0005 SUSE bug 353262 SUSE bug 355888 SUSE Linux Enterprise Server 11 SP3 Buffer overflow in (1) X.Org Xserver before 1.4.1, and (2) the libfont and libXfont libraries on some platforms including Sun Solaris, allows context-dependent attackers to execute arbitrary code via a PCF font with a large difference between the last col and first col values in the PCF_BDF_ENCODINGS table. Important CVE-2008-0006 SUSE bug 348296 SUSE Linux Enterprise Server 11 SP3 Linux kernel before 2.6.22.17, when using certain drivers that register a fault handler that does not perform range checks, allows local users to access kernel memory via an out-of-range offset. Important CVE-2008-0007 SUSE bug 353207 SUSE Linux Enterprise Server 11 SP3 The pa_drop_root function in PulseAudio 0.9.8, and a certain 0.9.9 build, does not check return values from (1) setresuid, (2) setreuid, (3) setuid, and (4) seteuid calls when attempting to drop privileges, which might allow local users to gain privileges by causing those calls to fail via attacks such as resource exhaustion. Important CVE-2008-0008 SUSE bug 347822 SUSE Linux Enterprise Server 11 SP3 The vmsplice_to_user function in fs/splice.c in the Linux kernel 2.6.22 through 2.6.24 does not validate a certain userspace pointer before dereference, which might allow local users to access arbitrary kernel memory locations. Important CVE-2008-0009 SUSE bug 358006 SUSE Linux Enterprise Server 11 SP3 The copy_from_user_mmap_sem function in fs/splice.c in the Linux kernel 2.6.22 through 2.6.24 does not validate a certain userspace pointer before dereference, which allow local users to read from arbitrary kernel memory locations. Important CVE-2008-0010 SUSE bug 358006 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in the cgiCompileSearch function in CUPS 1.3.5, and other versions including the version bundled with Apple Mac OS X 10.5.2, when printer sharing is enabled, allows remote attackers to execute arbitrary code via crafted search expressions. Moderate CVE-2008-0047 SUSE bug 367225 SUSE Linux Enterprise Server 11 SP3 KDC in MIT Kerberos 5 (krb5kdc) does not set a global variable for some krb4 message types, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted messages that trigger a NULL pointer dereference or double-free. Critical CVE-2008-0062 SUSE bug 361373 SUSE Linux Enterprise Server 11 SP3 The Kerberos 4 support in KDC in MIT Kerberos 5 (krb5kdc) does not properly clear the unused portion of a buffer when generating an error message, which might allow remote attackers to obtain sensitive information, aka "Uninitialized stack values." Moderate CVE-2008-0063 SUSE bug 361373 SUSE Linux Enterprise Server 11 SP3 regex/v4/perl_matcher_non_recursive.hpp in the Boost regex library (aka Boost.Regex) in Boost 1.33 and 1.34 allows context-dependent attackers to cause a denial of service (failed assertion and crash) via an invalid regular expression. Moderate CVE-2008-0171 SUSE bug 353180 SUSE Linux Enterprise Server 11 SP3 Integer overflow in the cli_scanpe function in libclamav in ClamAV before 0.92.1, as used in clamd, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted Petite packed PE file, which triggers a heap-based buffer overflow. Critical CVE-2008-0318 SUSE bug 361374 SUSE Linux Enterprise Server 11 SP3 Xdg-utils 1.0.2 and earlier allows user-assisted remote attackers to execute arbitrary commands via shell metacharacters in a URL argument to (1) xdg-open or (2) xdg-email. Moderate CVE-2008-0386 SUSE bug 355061 SUSE Linux Enterprise Server 11 SP3 The browser engine in Mozilla Firefox before 2.0.0.12, Thunderbird before 2.0.0.12, and SeaMonkey before 1.1.8 allows remote attackers to cause a denial of service (crash) and possibly trigger memory corruption via vectors related to the (1) nsTableFrame::GetFrameAtOrBefore, (2) nsAccessibilityService::GetAccessible, (3) nsBindingManager::GetNestedInsertionPoint, (4) nsXBLPrototypeBinding::AttributeChanged, (5) nsColumnSetFrame::GetContentInsertionFrame, and (6) nsLineLayout::TrimTrailingWhiteSpaceIn methods, and other vectors. Critical CVE-2008-0412 SUSE bug 354469 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 2.0.0.12 and SeaMonkey before 1.1.8 allows user-assisted remote attackers to trick the user into uploading arbitrary files via label tags that shift focus to a file input field, aka "focus spoofing." Moderate CVE-2008-0414 SUSE bug 354469 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 2.0.0.12, Thunderbird before 2.0.0.12, and SeaMonkey before 1.1.8 allows remote attackers to execute script outside of the sandbox and conduct cross-site scripting (XSS) attacks via multiple vectors including the XMLDocument.load function, aka "JavaScript privilege escalation bugs." Moderate CVE-2008-0415 SUSE bug 354469 SUSE Linux Enterprise Server 11 SP3 CRLF injection vulnerability in Mozilla Firefox before 2.0.0.12 allows remote user-assisted web sites to corrupt the user's password store via newlines that are not properly handled when the user saves a password. Moderate CVE-2008-0417 SUSE bug 354469 SUSE Linux Enterprise Server 11 SP3 Directory traversal vulnerability in Mozilla Firefox before 2.0.0.12, Thunderbird before 2.0.0.12, and SeaMonkey before 1.1.8, when using "flat" addons, allows remote attackers to read arbitrary Javascript, image, and stylesheet files via the chrome: URI scheme, as demonstrated by stealing session information from sessionstore.js. Moderate CVE-2008-0418 SUSE bug 354469 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 2.0.0.12 and SeaMonkey before 1.1.8 allows remote attackers to steal navigation history and cause a denial of service (crash) via images in a page that uses designMode frames, which triggers memory corruption related to resize handles. Critical CVE-2008-0419 SUSE bug 354469 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 2.0.0.12 and Thunderbird before 2.0.0.12 does not properly manage a delay timer used in confirmation dialogs, which might allow remote attackers to trick users into confirming an unsafe action, such as remote file execution, by using a timer to change the window focus, aka the "dialog refocus bug" or "ffclick2". Moderate CVE-2008-0591 SUSE bug 354469 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 2.0.0.12 and SeaMonkey before 1.1.8 allows user-assisted remote attackers to cause a denial of service via a plain .txt file with a "Content-Disposition: attachment" and an invalid "Content-Type: plain/text," which prevents Firefox from rendering future plain text files within the browser. Moderate CVE-2008-0592 SUSE bug 354469 SUSE Linux Enterprise Server 11 SP3 Gecko-based browsers, including Mozilla Firefox before 2.0.0.12 and SeaMonkey before 1.1.8, modify the .href property of stylesheet DOM nodes to the final URI of a 302 redirect, which might allow remote attackers to bypass the Same Origin Policy and read sensitive information from the original URL, such as with Single-Signon systems. Moderate CVE-2008-0593 SUSE bug 354469 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 2.0.0.12 does not always display a web forgery warning dialog if the entire contents of a web page are in a DIV tag that uses absolute positioning, which makes it easier for remote attackers to conduct phishing attacks. Moderate CVE-2008-0594 SUSE bug 354469 SUSE Linux Enterprise Server 11 SP3 dbus-daemon in D-Bus before 1.0.3, and 1.1.x before 1.1.20, recognizes send_interface attributes in allow directives in the security policy only for fully qualified method calls, which allows local users to bypass intended access restrictions via a method call with a NULL interface. Moderate CVE-2008-0595 SUSE bug 364532 SUSE Linux Enterprise Server 11 SP3 The init_request_info function in sapi/cgi/cgi_main.c in PHP before 5.2.6 does not properly consider operator precedence when calculating the length of PATH_TRANSLATED, which might allow remote attackers to execute arbitrary code via a crafted URI. Moderate CVE-2008-0599 SUSE bug 387745 SUSE bug 393279 SUSE Linux Enterprise Server 11 SP3 The unmew11 function in libclamav/mew.c in libclamav in ClamAV before 0.92.1 has unknown impact and attack vectors that trigger "heap corruption." Critical CVE-2008-0728 SUSE bug 361403 SUSE Linux Enterprise Server 11 SP3 gnome-screensaver before 2.22.1, when a remote authentication server is enabled, crashes upon an unlock attempt during a network outage, which allows physically proximate attackers to gain access to the locked session, a related issue to CVE-2007-1859. Important CVE-2008-0887 SUSE bug 372609 SUSE Linux Enterprise Server 11 SP3 Double free vulnerability in OpenSSL 0.9.8f and 0.9.8g, when the TLS server name extensions are enabled, allows remote attackers to cause a denial of service (crash) via a malformed Client Hello packet. NOTE: some of these details are obtained from third party information. Moderate CVE-2008-0891 SUSE bug 394317 SUSE bug 404511 SUSE Linux Enterprise Server 11 SP3 Buffer overflow in the RPC library used by libgssrpc and kadmind in MIT Kerberos 5 (krb5) 1.4 through 1.6.3 allows remote attackers to execute arbitrary code by triggering a large number of open file descriptors. Critical CVE-2008-0947 SUSE bug 363151 SUSE Linux Enterprise Server 11 SP3 Buffer overflow in the RPC library (lib/rpc/rpc_dtablesize.c) used by libgssrpc and kadmind in MIT Kerberos 5 (krb5) 1.2.2, and probably other versions before 1.3, when running on systems whose unistd.h does not define the FD_SETSIZE macro, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code by triggering a large number of open file descriptors. Critical CVE-2008-0948 SUSE bug 363151 SUSE Linux Enterprise Server 11 SP3 The International Components for Unicode (ICU) library in Apple Mac OS X before 10.5.3, Red Hat Enterprise Linux 5, and other operating systems omits some invalid character sequences during conversion of some character encodings, which might allow remote attackers to conduct cross-site scripting (XSS) attacks. Moderate CVE-2008-1036 SUSE bug 489649 SUSE Linux Enterprise Server 11 SP3 Buffer overflow in the cli_scanpe function in libclamav (libclamav/pe.c) for ClamAV 0.92 and 0.92.1 allows remote attackers to execute arbitrary code via a crafted Upack PE file. Critical CVE-2008-1100 SUSE bug 368963 SUSE bug 379695 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in the receive_smb_raw function in util/sock.c in Samba 3.0.0 through 3.0.29 allows remote attackers to execute arbitrary code via a crafted SMB response. Important CVE-2008-1105 SUSE bug 391168 SUSE Linux Enterprise Server 11 SP3 Directory traversal vulnerability in WEBrick in Ruby 1.8 before 1.8.5-p115 and 1.8.6-p114, and 1.9 through 1.9.0-1, when running on systems that support backslash (\) path separators or case-insensitive file names, allows remote attackers to access arbitrary files via (1) "..%5c" (encoded backslash) sequences or (2) filenames that match patterns in the :NondisclosureName option. Moderate CVE-2008-1145 SUSE bug 368618 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in Sun Java Runtime Environment (JRE) and JDK 6 Update 4 and earlier, 5.0 Update 14 and earlier, and SDK/JRE 1.4.2_16 and earlier allows remote attackers to cause a denial of service (JRE crash) and possibly execute arbitrary code via unknown vectors related to XSLT transforms. Moderate CVE-2008-1187 SUSE bug 368134 SUSE bug 379038 SUSE bug 404983 SUSE Linux Enterprise Server 11 SP3 Multiple buffer overflows in the useEncodingDecl function in Java Web Start in Sun JDK and JRE 6 Update 4 and earlier, and 5.0 Update 14 and earlier, allow remote attackers to execute arbitrary code via a JNLP file with (1) a long key name in the xml header or (2) a long charset value, different issues than CVE-2008-1189, aka "The first two issues." Critical CVE-2008-1188 SUSE bug 368134 SUSE bug 379038 SUSE bug 404983 SUSE Linux Enterprise Server 11 SP3 Buffer overflow in Java Web Start in Sun JDK and JRE 6 Update 4 and earlier, 5.0 Update 14 and earlier, and SDK/JRE 1.4.2_16 and earlier allows remote attackers to execute arbitrary code via unknown vectors, a different issue than CVE-2008-1188, aka the "third" issue. Moderate CVE-2008-1189 SUSE bug 368134 SUSE bug 379038 SUSE bug 404983 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in Java Web Start in Sun JDK and JRE 6 Update 4 and earlier, 5.0 Update 14 and earlier, and SDK/JRE 1.4.2_16 and earlier allows remote attackers to gain privileges via an untrusted application, a different issue than CVE-2008-1191, aka the "fourth" issue. Critical CVE-2008-1190 SUSE bug 368134 SUSE bug 379038 SUSE bug 404983 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in Java Web Start in Sun JDK and JRE 6 Update 4 and earlier allows remote attackers to create arbitrary files via an untrusted application, a different issue than CVE-2008-1190, aka "The fifth issue." Moderate CVE-2008-1191 SUSE bug 368134 SUSE bug 379038 SUSE bug 404983 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Plug-in for Sun JDK and JRE 6 Update 4 and earlier, and 5.0 Update 14 and earlier; and SDK and JRE 1.4.2_16 and earlier, and 1.3.1_21 and earlier; allows remote attackers to bypass the same origin policy and "execute local applications" via unknown vectors. Moderate CVE-2008-1192 SUSE bug 368134 SUSE bug 379038 SUSE bug 404983 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in Java Runtime Environment Image Parsing Library in Sun JDK and JRE 6 Update 4 and earlier, and 5.0 Update 14 and earlier, allows remote attackers to gain privileges via an untrusted application. Critical CVE-2008-1193 SUSE bug 368134 SUSE bug 379038 SUSE bug 404983 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in the color management library in Sun JDK and JRE 6 Update 4 and earlier, and 5.0 Update 14 and earlier, allows remote attackers to cause a denial of service (crash) via unknown vectors. Moderate CVE-2008-1194 SUSE bug 368134 SUSE bug 379038 SUSE bug 404983 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in Sun JDK and Java Runtime Environment (JRE) 6 Update 4 and earlier and 5.0 Update 14 and earlier; and SDK and JRE 1.4.2_16 and earlier; allows remote attackers to access arbitrary network services on the local host via unspecified vectors related to JavaScript and Java APIs. Critical CVE-2008-1195 SUSE bug 368134 SUSE bug 370353 SUSE bug 379038 SUSE bug 404983 SUSE Linux Enterprise Server 11 SP3 Stack-based buffer overflow in Java Web Start (javaws.exe) in Sun JDK and JRE 6 Update 4 and earlier and 5.0 Update 14 and earlier; and SDK and JRE 1.4.2_16 and earlier; allows remote attackers to execute arbitrary code via a crafted JNLP file. Moderate CVE-2008-1196 SUSE bug 368134 SUSE bug 379038 SUSE bug 404983 SUSE Linux Enterprise Server 11 SP3 Cross-site scripting (XSS) vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via a crafted string that is used in the message argument to the HttpServletResponse.sendError method. Moderate CVE-2008-1232 SUSE bug 414657 SUSE bug 415736 SUSE bug 417217 SUSE bug 427726 SUSE Linux Enterprise Server 11 SP3 bzlib.c in bzip2 before 1.0.5 allows user-assisted remote attackers to cause a denial of service (crash) via a crafted file that triggers a buffer over-read, as demonstrated by the PROTOS GENOME test suite for Archive Formats. Moderate CVE-2008-1372 SUSE bug 372047 SUSE Linux Enterprise Server 11 SP3 Buffer overflow in the gif_read_lzw function in CUPS 1.3.6 allows remote attackers to have an unknown impact via a GIF file with a large code_size value, a similar issue to CVE-2006-4484. Moderate CVE-2008-1373 SUSE bug 372642 SUSE bug 709852 SUSE Linux Enterprise Server 11 SP3 Race condition in the directory notification subsystem (dnotify) in Linux kernel 2.6.x before 2.6.24.6, and 2.6.25 before 2.6.25.1, allows local users to cause a denial of service (OOPS) and possibly gain privileges via unspecified vectors. Important CVE-2008-1375 SUSE bug 377145 SUSE Linux Enterprise Server 11 SP3 The (1) SProcRecordCreateContext and (2) SProcRecordRegisterClients functions in the Record extension and the (3) SProcSecurityGenerateAuthorization function in the Security extension in the X server 1.4 in X.Org X11R7.3 allow context-dependent attackers to execute arbitrary code via requests with crafted length values that specify an arbitrary number of bytes to be swapped on the heap, which triggers heap corruption. Critical CVE-2008-1377 SUSE bug 374318 SUSE bug 374323 SUSE Linux Enterprise Server 11 SP3 Integer overflow in the fbShmPutImage function in the MIT-SHM extension in the X server 1.4 in X.Org X11R7.3 allows context-dependent attackers to read arbitrary process memory via crafted values for a Pixmap width and height. Moderate CVE-2008-1379 SUSE bug 374318 SUSE bug 374320 SUSE Linux Enterprise Server 11 SP3 Xiph.org libvorbis 1.2.0 and earlier does not properly handle a zero value for codebook.dim, which allows remote attackers to cause a denial of service (crash or infinite loop) or trigger an integer overflow. Moderate CVE-2008-1419 SUSE bug 372246 SUSE Linux Enterprise Server 11 SP3 Integer overflow in residue partition value (aka partvals) evaluation in Xiph.org libvorbis 1.2.0 and earlier allows remote attackers to execute arbitrary code via a crafted OGG file, which triggers a heap overflow. Moderate CVE-2008-1420 SUSE bug 372246 SUSE Linux Enterprise Server 11 SP3 Integer overflow in a certain quantvals and quantlist calculation in Xiph.org libvorbis 1.2.0 and earlier allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted OGG file with a large virtual space for its codebook, which triggers a heap overflow. Critical CVE-2008-1423 SUSE bug 372246 SUSE Linux Enterprise Server 11 SP3 The DNS protocol, as implemented in (1) BIND 8 and 9 before 9.5.0-P1, 9.4.2-P1, and 9.3.5-P1; (2) Microsoft DNS in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2; and other implementations allow remote attackers to spoof DNS traffic via a birthday attack that uses in-bailiwick referrals to conduct cache poisoning against recursive resolvers, related to insufficient randomness of DNS transaction IDs and source ports, aka "DNS Insufficient Socket Entropy Vulnerability" or "the Kaminsky bug." Moderate CVE-2008-1447 SUSE bug 396963 SUSE bug 411761 SUSE bug 415678 SUSE bug 423234 SUSE bug 426515 SUSE bug 465294 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA OpenSSH 4.3p2, and probably other versions, allows local users to hijack forwarded X connections by causing ssh to set DISPLAY to :10, even when another process is listening on the associated port, as demonstrated by opening TCP port 6010 (IPv4) and sniffing a cookie sent by Emacs. Moderate CVE-2008-1483 SUSE bug 1069509 SUSE bug 373527 SUSE bug 647633 SUSE bug 706386 SUSE Linux Enterprise Server 11 SP3 GnuPG (gpg) 1.4.8 and 2.0.8 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted duplicate keys that are imported from key servers, which triggers "memory corruption around deduplication of user IDs." Critical CVE-2008-1530 SUSE bug 374254 SUSE Linux Enterprise Server 11 SP3 ImageIO in Apple iPhone OS 1.0 through 2.1 and iPhone OS for iPod touch 1.1 through 2.1 allow remote attackers to cause a denial of service (memory consumption and device reset) via a crafted TIFF image. Important CVE-2008-1586 SUSE bug 444079 SUSE Linux Enterprise Server 11 SP3 Format string vulnerability in the grant helper (polkit-grant-helper.c) in PolicyKit 0.7 and earlier allows attackers to cause a denial of service (crash) and possibly execute arbitrary code via format strings in a password. Moderate CVE-2008-1658 SUSE bug 375832 SUSE Linux Enterprise Server 11 SP3 Linux kernel before 2.6.25.2 does not apply a certain protection mechanism for fcntl functionality, which allows local users to (1) execute code in parallel or (2) exploit a race condition to obtain "re-ordered access to the descriptor table." Moderate CVE-2008-1669 SUSE bug 387055 SUSE Linux Enterprise Server 11 SP3 start_kdeinit in KDE 3.5.5 through 3.5.9, when installed setuid root, allows local users to cause a denial of service and possibly execute arbitrary code via "user-influenceable input" (probably command-line arguments) that cause start_kdeinit to send SIGUSR1 signals to other processes. Moderate CVE-2008-1671 SUSE bug 382618 SUSE Linux Enterprise Server 11 SP3 OpenSSL 0.9.8f and 0.9.8g allows remote attackers to cause a denial of service (crash) via a TLS handshake that omits the Server Key Exchange message and uses "particular cipher suites," which triggers a NULL pointer dereference. Low CVE-2008-1672 SUSE bug 394317 SUSE bug 404511 SUSE Linux Enterprise Server 11 SP3 The asn1 implementation in (a) the Linux kernel 2.4 before 2.4.36.6 and 2.6 before 2.6.25.5, as used in the cifs and ip_nat_snmp_basic modules; and (b) the gxsnmp package; does not properly validate length values during decoding of ASN.1 BER data, which allows remote attackers to cause a denial of service (crash) or execute arbitrary code via (1) a length greater than the working buffer, which can lead to an unspecified overflow; (2) an oid length of zero, which can lead to an off-by-one error; or (3) an indefinite length for a primitive encoding. Critical CVE-2008-1673 SUSE bug 397347 SUSE bug 415690 SUSE Linux Enterprise Server 11 SP3 The bdx_ioctl_priv function in the tehuti driver (tehuti.c) in Linux kernel 2.6.x before 2.6.25.1 does not properly check certain information related to register size, which has unspecified impact and local attack vectors, probably related to reading or writing kernel memory. Important CVE-2008-1675 SUSE bug 381887 SUSE Linux Enterprise Server 11 SP3 Memory leak in the zlib_stateful_init function in crypto/comp/c_zlib.c in libssl in OpenSSL 0.9.8f through 0.9.8h allows remote attackers to cause a denial of service (memory consumption) via multiple calls, as demonstrated by initial SSL client handshakes to the Apache HTTP Server mod_ssl that specify a compression algorithm. Moderate CVE-2008-1678 SUSE bug 392096 SUSE bug 422464 SUSE bug 566238 SUSE Linux Enterprise Server 11 SP3 Array index vulnerability in Speex 1.1.12 and earlier, as used in libfishsound 0.9.0 and earlier, including Illiminable DirectShow Filters and Annodex Plugins for Firefox, xine-lib before 1.1.12, and many other products, allows remote attackers to execute arbitrary code via a header structure containing a negative offset, which is used to dereference a function pointer. Critical CVE-2008-1686 SUSE bug 377602 SUSE bug 379098 SUSE Linux Enterprise Server 11 SP3 The CairoFont::create function in CairoFontEngine.cc in Poppler, possibly before 0.8.0, as used in Xpdf, Evince, ePDFview, KWord, and other applications, does not properly handle embedded fonts in PDF files, which allows remote attackers to execute arbitrary code via a crafted font object, related to dereferencing a function pointer associated with the type of this font object. Moderate CVE-2008-1693 SUSE bug 377838 SUSE bug 377872 SUSE Linux Enterprise Server 11 SP3 Integer signedness error in the zlib extension module in Python 2.5.2 and earlier allows remote attackers to execute arbitrary code via a negative signed integer, which triggers insufficient memory allocation and a buffer overflow. Important CVE-2008-1721 SUSE bug 379044 SUSE Linux Enterprise Server 11 SP3 Multiple integer overflows in (1) filter/image-png.c and (2) filter/image-zoom.c in CUPS 1.3 allow attackers to cause a denial of service (crash) and trigger memory corruption, as demonstrated via a crafted PNG image. Moderate CVE-2008-1722 SUSE bug 378335 SUSE bug 448631 SUSE Linux Enterprise Server 11 SP3 Buffer overflow in pattern.c in libxslt before 1.1.24 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via an XSL style sheet file with a long XSLT "transformation match" condition that triggers a large number of steps. Important CVE-2008-1767 SUSE bug 391920 SUSE Linux Enterprise Server 11 SP3 Cross-site scripting (XSS) vulnerability in Apache Tomcat 5.5.9 through 5.5.26 and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via the name parameter (aka the hostname attribute) to host-manager/html/add. Moderate CVE-2008-1947 SUSE bug 396962 SUSE bug 427726 SUSE Linux Enterprise Server 11 SP3 The _gnutls_server_name_recv_params function in lib/ext_server_name.c in libgnutls in gnutls-serv in GnuTLS before 2.2.4 does not properly calculate the number of Server Names in a TLS 1.0 Client Hello message during extension handling, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a zero value for the length of Server Names, which leads to a buffer overflow in session resumption data in the pack_security_parameters function, aka GNUTLS-SA-2008-1-1. Critical CVE-2008-1948 SUSE bug 392947 SUSE bug 670152 SUSE Linux Enterprise Server 11 SP3 The _gnutls_recv_client_kx_message function in lib/gnutls_kx.c in libgnutls in gnutls-serv in GnuTLS before 2.2.4 continues to process Client Hello messages within a TLS message after one has already been processed, which allows remote attackers to cause a denial of service (NULL dereference and crash) via a TLS message containing multiple Client Hello messages, aka GNUTLS-SA-2008-1-2. Critical CVE-2008-1949 SUSE bug 392947 SUSE bug 670152 SUSE Linux Enterprise Server 11 SP3 Integer signedness error in the _gnutls_ciphertext2compressed function in lib/gnutls_cipher.c in libgnutls in GnuTLS before 2.2.4 allows remote attackers to cause a denial of service (buffer over-read and crash) via a certain integer value in the Random field in an encrypted Client Hello message within a TLS record with an invalid Record Length, which leads to an invalid cipher padding length, aka GNUTLS-SA-2008-1-3. Moderate CVE-2008-1950 SUSE bug 392947 SUSE bug 670152 SUSE Linux Enterprise Server 11 SP3 MySQL 4.1.x before 4.1.24, 5.0.x before 5.0.60, 5.1.x before 5.1.24, and 6.0.x before 6.0.5 allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are within the MySQL home data directory, which can point to tables that are created in the future. Moderate CVE-2008-2079 SUSE bug 387746 SUSE bug 425079 SUSE bug 497546 SUSE bug 557669 SUSE Linux Enterprise Server 11 SP3 OpenSC before 0.11.5 uses weak permissions (ADMIN file control information of 00) for the 5015 directory on smart cards and USB crypto tokens running Siemens CardOS M4, which allows physically proximate attackers to change the PIN. Moderate CVE-2008-2235 SUSE bug 413496 SUSE Linux Enterprise Server 11 SP3 Multiple integer overflows in Python 2.5.2 and earlier allow context-dependent attackers to have an unknown impact via vectors related to the (1) stringobject, (2) unicodeobject, (3) bufferobject, (4) longobject, (5) tupleobject, (6) stropmodule, (7) gcmodule, and (8) mmapmodule modules. NOTE: The expandtabs integer overflows in stringobject and unicodeobject in 2.5.2 are covered by CVE-2008-5031. Important CVE-2008-2315 SUSE bug 406051 SUSE bug 443653 SUSE Linux Enterprise Server 11 SP3 Integer overflow in _hashopenssl.c in the hashlib module in Python 2.5.2 and earlier might allow context-dependent attackers to defeat cryptographic digests, related to "partial hashlib hashing of data exceeding 4GB." Important CVE-2008-2316 SUSE bug 406051 SUSE Linux Enterprise Server 11 SP3 Multiple buffer underflows in the (1) LZWDecode, (2) LZWDecodeCompat, and (3) LZWDecodeVector functions in tif_lzw.c in the LZW decoder in LibTIFF 3.8.2 and earlier allow context-dependent attackers to execute arbitrary code via a crafted TIFF file, related to improper handling of the CODE_CLEAR code. Moderate CVE-2008-2327 SUSE bug 414946 SUSE bug 518698 SUSE Linux Enterprise Server 11 SP3 Integer overflow in the AllocateGlyph function in the Render extension in the X server 1.4 in X.Org X11R7.3 allows context-dependent attackers to execute arbitrary code via unspecified request fields that are used to calculate a heap buffer size, which triggers a heap-based buffer overflow. Critical CVE-2008-2360 SUSE bug 374321 SUSE Linux Enterprise Server 11 SP3 Integer overflow in the ProcRenderCreateCursor function in the Render extension in the X server 1.4 in X.Org X11R7.3 allows context-dependent attackers to cause a denial of service (daemon crash) via unspecified request fields that are used to calculate a glyph buffer size, which triggers a dereference of unmapped memory. Moderate CVE-2008-2361 SUSE bug 374321 SUSE Linux Enterprise Server 11 SP3 Multiple integer overflows in the Render extension in the X server 1.4 in X.Org X11R7.3 allow context-dependent attackers to execute arbitrary code via a (1) SProcRenderCreateLinearGradient, (2) SProcRenderCreateRadialGradient, or (3) SProcRenderCreateConicalGradient request with an invalid field specifying the number of bytes to swap in the request data, which triggers heap memory corruption. Critical CVE-2008-2362 SUSE bug 374321 SUSE Linux Enterprise Server 11 SP3 The ap_proxy_http_process_response function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server 2.0.63 and 2.2.8 does not limit the number of forwarded interim responses, which allows remote HTTP servers to cause a denial of service (memory consumption) via a large number of interim responses. Moderate CVE-2008-2364 SUSE bug 408832 SUSE bug 422464 SUSE bug 443824 SUSE Linux Enterprise Server 11 SP3 Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when a RequestDispatcher is used, performs path normalization before removing the query string from the URI, which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a .. (dot dot) in a request parameter. Moderate CVE-2008-2370 SUSE bug 414657 SUSE bug 415697 SUSE bug 417217 SUSE bug 427726 SUSE bug 509839 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in pcre_compile.c in the Perl-Compatible Regular Expression (PCRE) library 7.7 allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a regular expression that begins with an option and contains multiple branches. Important CVE-2008-2371 SUSE bug 400013 SUSE Linux Enterprise Server 11 SP3 The protocol_client_msg function in vnc.c in the VNC server in (1) Qemu 0.9.1 and earlier and (2) KVM kvm-79 and earlier allows remote attackers to cause a denial of service (infinite loop) via a certain message. Moderate CVE-2008-2382 SUSE bug 461565 SUSE bug 464142 SUSE Linux Enterprise Server 11 SP3 CRLF injection vulnerability in xterm allows user-assisted attackers to execute arbitrary commands via LF (aka \n) characters surrounding a command name within a Device Control Request Status String (DECRQSS) escape sequence in a text file, a related issue to CVE-2003-0063 and CVE-2003-0071. Critical CVE-2008-2383 SUSE bug 462917 SUSE Linux Enterprise Server 11 SP3 libclamav/petite.c in ClamAV before 0.93.1 allows remote attackers to cause a denial of service via a crafted Petite file that triggers an out-of-bounds read. Moderate CVE-2008-2713 SUSE bug 399302 SUSE bug 406994 SUSE Linux Enterprise Server 11 SP3 Directory traversal vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when allowLinking and UTF-8 are enabled, allows remote attackers to read arbitrary files via encoded directory traversal sequences in the URI, a different vulnerability than CVE-2008-2370. NOTE: versions earlier than 6.0.18 were reported affected, but the vendor advisory lists 6.0.16 as the last affected version. Moderate CVE-2008-2938 SUSE bug 417217 SUSE bug 427726 SUSE Linux Enterprise Server 11 SP3 Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions, allows remote attackers to inject arbitrary web script or HTML via a wildcard in the last directory component in the pathname in an FTP URI. Moderate CVE-2008-2939 SUSE bug 210904 SUSE bug 415061 SUSE bug 422464 SUSE Linux Enterprise Server 11 SP3 The Page destructor in Page.cc in libpoppler in Poppler 0.8.4 and earlier deletes a pageWidgets object even if it is not initialized by a Page constructor, which allows remote attackers to execute arbitrary code via a crafted PDF document. Important CVE-2008-2950 SUSE bug 404955 SUSE Linux Enterprise Server 11 SP3 Multiple buffer overflows in Python 2.5.2 and earlier on 32bit platforms allow context-dependent attackers to cause a denial of service (crash) or have unspecified other impact via a long string that leads to incorrect memory allocation during Unicode string processing, related to the unicode_resize function and the PyMem_RESIZE macro. Important CVE-2008-3142 SUSE bug 406051 SUSE Linux Enterprise Server 11 SP3 Multiple integer overflows in Python before 2.5.2 might allow context-dependent attackers to have an unknown impact via vectors related to (1) Include/pymem.h; (2) _csv.c, (3) _struct.c, (4) arraymodule.c, (5) audioop.c, (6) binascii.c, (7) cPickle.c, (8) cStringIO.c, (9) cjkcodecs/multibytecodec.c, (10) datetimemodule.c, (11) md5.c, (12) rgbimgmodule.c, and (13) stropmodule.c in Modules/; (14) bufferobject.c, (15) listobject.c, and (16) obmalloc.c in Objects/; (17) Parser/node.c; and (18) asdl.c, (19) ast.c, (20) bltinmodule.c, and (21) compile.c in Python/, as addressed by "checks for integer overflows, contributed by Google." Moderate CVE-2008-3143 SUSE bug 406051 SUSE bug 444989 SUSE bug 609759 SUSE Linux Enterprise Server 11 SP3 Multiple integer overflows in the PyOS_vsnprintf function in Python/mysnprintf.c in Python 2.5.2 and earlier allow context-dependent attackers to cause a denial of service (memory corruption) or have unspecified other impact via crafted input to string formatting operations. NOTE: the handling of certain integer values is also affected by related integer underflows and an off-by-one error. Moderate CVE-2008-3144 SUSE bug 406051 SUSE Linux Enterprise Server 11 SP3 Untrusted search path vulnerability in a certain Red Hat build script for the ibmssh executable in ibutils packages before ibutils-1.5.7-2.el6 in Red Hat Enterprise Linux (RHEL) 6 and ibutils-1.2-11.2.el5 in Red Hat Enterprise Linux (RHEL) 5 allows local users to gain privileges via a Trojan Horse program in refix/lib/, related to an incorrect RPATH setting in the ELF header. Moderate CVE-2008-3277 SUSE bug 747981 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in the jas_stream_printf function in libjasper/base/jas_stream.c in JasPer 1.900.1 might allow context-dependent attackers to have an unknown impact via vectors related to the mif_hdr_put function and use of vsprintf. Moderate CVE-2008-3522 SUSE bug 392410 SUSE Linux Enterprise Server 11 SP3 The error-reporting functionality in (1) fs/ext2/dir.c, (2) fs/ext3/dir.c, and possibly (3) fs/ext4/dir.c in the Linux kernel 2.6.26.5 does not limit the number of printk console messages that report directory corruption, which allows physically proximate attackers to cause a denial of service (temporary system hang) by mounting a filesystem that has corrupted dir->i_size and dir->i_blocks values and performing (a) read or (b) write operations. NOTE: there are limited scenarios in which this crosses privilege boundaries. Moderate CVE-2008-3528 SUSE bug 427244 SUSE Linux Enterprise Server 11 SP3 The Hewlett-Packard Graphics Language (HPGL) filter in CUPS before 1.3.9 allows remote attackers to execute arbitrary code via crafted pen width and pen color opcodes that overwrite arbitrary memory. Moderate CVE-2008-3641 SUSE bug 430543 SUSE Linux Enterprise Server 11 SP3 src/racoon/handler.c in racoon in ipsec-tools does not remove an "orphaned ph1" (phase 1) handle when it has been initiated remotely, which allows remote attackers to cause a denial of service (resource consumption). Important CVE-2008-3652 SUSE bug 416906 SUSE bug 434748 SUSE Linux Enterprise Server 11 SP3 neon 0.28.0 through 0.28.2 allows remote servers to cause a denial of service (NULL pointer dereference and crash) via vectors related to Digest authentication, Digest domain parameter support, and the parse_domain function. Moderate CVE-2008-3746 SUSE bug 419075 SUSE Linux Enterprise Server 11 SP3 Samba 3.2.0 uses weak permissions (0666) for the (1) group_mapping.tdb and (2) group_mapping.ldb files, which allows local users to modify the membership of Unix groups. Moderate CVE-2008-3789 SUSE bug 420634 SUSE Linux Enterprise Server 11 SP3 The REXML module in Ruby 1.8.6 through 1.8.6-p287, 1.8.7 through 1.8.7-p72, and 1.9 allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML document with recursively nested entities, aka an "XML entity explosion." Moderate CVE-2008-3790 SUSE bug 420084 SUSE Linux Enterprise Server 11 SP3 pam_krb5 2.2.14 in Red Hat Enterprise Linux (RHEL) 5 and earlier, when the existing_ticket option is enabled, uses incorrect privileges when reading a Kerberos credential cache, which allows local users to gain privileges by setting the KRB5CCNAME environment variable to an arbitrary cache filename and running the (1) su or (2) sudo program. NOTE: there may be a related vector involving sshd that has limited relevance. Moderate CVE-2008-3825 SUSE bug 425861 SUSE Linux Enterprise Server 11 SP3 The i915 driver in (1) drivers/char/drm/i915_dma.c in the Linux kernel 2.6.24 on Debian GNU/Linux and (2) sys/dev/pci/drm/i915_drv.c in OpenBSD does not restrict the DRM_I915_HWS_ADDR ioctl to the Direct Rendering Manager (DRM) master, which allows local users to cause a denial of service (memory corruption) via a crafted ioctl call, related to absence of the DRM_MASTER and DRM_ROOT_ONLY flags in the ioctl's configuration. Important CVE-2008-3831 SUSE bug 429919 SUSE Linux Enterprise Server 11 SP3 The dbus_signature_validate function in the D-bus library (libdbus) before 1.2.4 allows remote attackers to cause a denial of service (application abort) via a message containing a malformed signature, which triggers a failed assertion error. Moderate CVE-2008-3834 SUSE bug 432901 SUSE bug 495804 SUSE bug 659934 SUSE Linux Enterprise Server 11 SP3 feedWriter in Mozilla Firefox before 2.0.0.17 allows remote attackers to execute scripts with chrome privileges via vectors related to feed preview and the (1) elem.doCommand, (2) elem.dispatchEvent, (3) _setTitleText, (4) _setTitleImage, and (5) _initSubscriptionUI functions. Important CVE-2008-3836 SUSE bug 429179 SUSE Linux Enterprise Server 11 SP3 Stack-based buffer overflow in the read_special_escape function in src/psgen.c in GNU Enscript 1.6.1 and 1.6.4 beta, when the -e (aka special escapes processing) option is enabled, allows user-assisted remote attackers to execute arbitrary code via a crafted ASCII file, related to the setfilename command. Moderate CVE-2008-3863 SUSE bug 433756 SUSE bug 462353 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in the strip_escapes function in signal.c in GNU ed before 1.0 allows context-dependent or user-assisted attackers to execute arbitrary code via a long filename. NOTE: since ed itself does not typically run with special privileges, this issue only crosses privilege boundaries when ed is invoked as a third-party component. Critical CVE-2008-3916 SUSE bug 421849 SUSE bug 474587 SUSE Linux Enterprise Server 11 SP3 Multiple off-by-one errors in libpng before 1.2.32beta01, and 1.4 before 1.4.0beta34, allow context-dependent attackers to cause a denial of service (crash) or have unspecified other impact via a PNG image with crafted zTXt chunks, related to (1) the png_push_read_zTXt function in pngread.c, and possibly related to (2) pngtest.c. Moderate CVE-2008-3964 SUSE bug 424739 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in Mozilla Firefox 3.x before 3.0.2 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to the layout engine and (1) a zero value of the "this" variable in the nsContentList::Item function; (2) interaction of the indic IME extension, a Hindi language selection, and the "g" character; and (3) interaction of the nsFrameList::SortByContentOrder function with a certain insufficient protection of inline frames. Critical CVE-2008-4063 SUSE bug 429179 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in Mozilla Firefox 3.x before 3.0.2 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to graphics rendering and (1) handling of a long alert messagebox in the cairo_surface_set_device_offset function, (2) integer overflows when handling animated PNG data in the info_callback function in nsPNGDecoder.cpp, and (3) an integer overflow when handling SVG data in the nsSVGFEGaussianBlurElement::SetupPredivide function in nsSVGFilters.cpp. Critical CVE-2008-4064 SUSE bug 429179 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in Mozilla Thunderbird before 2.0.0.17 and SeaMonkey before 1.1.12 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long header in a news article, related to "canceling [a] newsgroup message" and "cancelled newsgroup messages." Critical CVE-2008-4070 SUSE bug 429179 SUSE Linux Enterprise Server 11 SP3 GNU adns 1.4 and earlier uses a fixed source port and sequential transaction IDs for DNS requests, which makes it easier for remote attackers to spoof DNS responses, a different vulnerability than CVE-2008-1447. NOTE: the vendor reports that this is intended behavior and is compatible with the product's intended role in a trusted environment. Moderate CVE-2008-4100 SUSE bug 426515 SUSE Linux Enterprise Server 11 SP3 Integer overflow in the xmlBufferResize function in libxml2 2.7.2 allows context-dependent attackers to cause a denial of service (infinite loop) via a large XML document. Important CVE-2008-4225 SUSE bug 445677 SUSE Linux Enterprise Server 11 SP3 Integer overflow in the xmlSAX2Characters function in libxml2 2.7.2 allows context-dependent attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a large XML document. Critical CVE-2008-4226 SUSE bug 441368 SUSE Linux Enterprise Server 11 SP3 Buffer overflow in enscript before 1.6.4 has unknown impact and attack vectors, possibly related to the font escape sequence. Moderate CVE-2008-4306 SUSE bug 433756 SUSE bug 462353 SUSE Linux Enterprise Server 11 SP3 Integer overflow in the netsnmp_create_subtree_cache function in agent/snmp_agent.c in net-snmp 5.4 before 5.4.2.1, 5.3 before 5.3.2.3, and 5.2 before 5.2.5.1 allows remote attackers to cause a denial of service (crash) via a crafted SNMP GETBULK request, which triggers a heap-based buffer overflow, related to the number of responses or repeats. Moderate CVE-2008-4309 SUSE bug 440950 SUSE bug 514709 SUSE Linux Enterprise Server 11 SP3 The default configuration of system.conf in D-Bus (aka DBus) before 1.2.6 omits the send_type attribute in certain rules, which allows local users to bypass intended access restrictions by (1) sending messages, related to send_requested_reply; and possibly (2) receiving messages, related to receive_requested_reply. Moderate CVE-2008-4311 SUSE bug 443307 SUSE Linux Enterprise Server 11 SP3 smbd in Samba 3.0.29 through 3.2.4 might allow remote attackers to read arbitrary memory and cause a denial of service via crafted (1) trans, (2) trans2, and (3) nttrans requests, related to a "cut&paste error" that causes an improper bounds check to be performed. Important CVE-2008-4314 SUSE bug 446971 SUSE Linux Enterprise Server 11 SP3 Multiple integer overflows in glib/gbase64.c in GLib before 2.20 allow context-dependent attackers to execute arbitrary code via a long string that is converted either (1) from or (2) to a base64 representation. Moderate CVE-2008-4316 SUSE bug 382708 SUSE bug 449927 SUSE bug 475541 SUSE Linux Enterprise Server 11 SP3 libxml2 2.7.0 and 2.7.1 does not properly handle "predefined entities definitions" in entities, which allows context-dependent attackers to cause a denial of service (memory consumption and application crash), as demonstrated by use of xmllint on a certain XML document, a different vulnerability than CVE-2003-1564 and CVE-2008-3281. Moderate CVE-2008-4409 SUSE bug 432486 SUSE Linux Enterprise Server 11 SP3 Cross-site scripting (XSS) vulnerability in the command-line client in MySQL 5.0.26 through 5.0.45, and other versions including versions later than 5.0.45, when the --html option is enabled, allows attackers to inject arbitrary web script or HTML by placing it in a database cell, which might be accessed by this client when composing an HTML document. NOTE: as of 20081031, the issue has not been fixed in MySQL 5.0.67. Low CVE-2008-4456 SUSE bug 497546 SUSE bug 604528 SUSE Linux Enterprise Server 11 SP3 freeradius-dialupadmin in freeradius 2.0.4 allows local users to overwrite arbitrary files via a symlink attack on temporary files in (1) backup_radacct, (2) clean_radacct, (3) monthly_tot_stats, (4) tot_stats, and (5) truncate_radacct. Important CVE-2008-4474 SUSE bug 433762 SUSE Linux Enterprise Server 11 SP3 faxspool in mgetty 1.1.36 allows local users to overwrite arbitrary files via a symlink attack on a /tmp/faxsp.##### temporary file. Moderate CVE-2008-4936 SUSE bug 442596 SUSE Linux Enterprise Server 11 SP3 The _gnutls_x509_verify_certificate function in lib/x509/verify.c in libgnutls in GnuTLS before 2.6.1 trusts certificate chains in which the last certificate is an arbitrary trusted, self-signed certificate, which allows man-in-the-middle attackers to insert a spoofed certificate for any Distinguished Name (DN). Moderate CVE-2008-4989 SUSE bug 392947 SUSE bug 441856 SUSE bug 467911 SUSE Linux Enterprise Server 11 SP3 Buffer overflow in src/src_sinc.c in Secret Rabbit Code (aka SRC or libsamplerate) before 0.1.4, when "extreme low conversion ratios" are used, allows user-assisted attackers to have an unknown impact via a crafted audio file. Critical CVE-2008-5008 SUSE bug 443794 SUSE Linux Enterprise Server 11 SP3 OpenSSL 0.9.8i and earlier does not properly check the return value from the EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys. Moderate CVE-2008-5077 SUSE bug 459468 SUSE bug 465675 SUSE bug 465676 SUSE bug 468866 SUSE bug 470968 SUSE bug 475108 SUSE bug 552497 SUSE bug 629905 SUSE bug 708266 SUSE Linux Enterprise Server 11 SP3 net/atm/svc.c in the ATM subsystem in the Linux kernel 2.6.27.8 and earlier allows local users to cause a denial of service (kernel infinite loop) by making two calls to svc_listen for the same socket, and then reading a /proc/net/atm/*vc file, related to corruption of the vcc table. Moderate CVE-2008-5079 SUSE bug 450417 SUSE Linux Enterprise Server 11 SP3 The originates_from_local_legacy_unicast_socket function (avahi-core/server.c) in avahi-daemon in Avahi before 0.6.24 allows remote attackers to cause a denial of service (crash) via a crafted mDNS packet with a source port of 0, which triggers an assertion failure. Moderate CVE-2008-5081 SUSE bug 459007 SUSE bug 646961 SUSE Linux Enterprise Server 11 SP3 Multiple methods in libvirt 0.3.2 through 0.5.1 do not check if a connection is read-only, which allows local users to bypass intended access restrictions and perform administrative actions. Moderate CVE-2008-5086 SUSE bug 459009 SUSE Linux Enterprise Server 11 SP3 syslog-ng does not call chdir when it calls chroot, which might allow attackers to escape the intended jail. NOTE: this is only a vulnerability when a separate vulnerability is present. Critical CVE-2008-5110 SUSE bug 445912 SUSE Linux Enterprise Server 11 SP3 passwdehd in libpam-mount 0.43 allows local users to overwrite arbitrary files via a symlink attack on a /tmp/passwdehd.##### temporary file. Moderate CVE-2008-5138 SUSE bug 465303 SUSE Linux Enterprise Server 11 SP3 The inotify functionality in Linux kernel 2.6 before 2.6.28-rc5 might allow local users to gain privileges via unknown vectors related to race conditions in inotify watch removal and umount. Important CVE-2008-5182 SUSE bug 446973 SUSE Linux Enterprise Server 11 SP3 Linux kernel 2.6.28 allows local users to cause a denial of service ("soft lockup" and process loss) via a large number of sendmsg function calls, which does not block during AF_UNIX garbage collection and triggers an OOM condition, a different vulnerability than CVE-2008-5029. Moderate CVE-2008-5300 SUSE bug 449739 SUSE Linux Enterprise Server 11 SP3 Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier accepts UTF-8 encodings that are not the "shortest" form, which makes it easier for attackers to bypass protection mechanisms for other applications that rely on shortest-form UTF-8 encodings. Important CVE-2008-5351 SUSE bug 456770 SUSE bug 465624 SUSE bug 471829 SUSE bug 496004 SUSE bug 603283 SUSE Linux Enterprise Server 11 SP3 Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a Request. Moderate CVE-2008-5515 SUSE bug 509839 SUSE bug 575083 SUSE Linux Enterprise Server 11 SP3 The JK Connector (aka mod_jk) 1.2.0 through 1.2.26 in Apache Tomcat allows remote attackers to obtain sensitive information via an arbitrary request from an HTTP client, in opportunistic circumstances involving (1) a request from a different client that included a Content-Length header but no POST data or (2) a rapid series of requests, related to noncompliance with the AJP protocol's requirements for requests containing Content-Length headers. Moderate CVE-2008-5519 SUSE bug 493575 SUSE Linux Enterprise Server 11 SP3 Off-by-one error in monitor.c in Qemu 0.9.1 might make it easier for remote attackers to guess the VNC password, which is limited to seven characters where eight was intended. Important CVE-2008-5714 SUSE bug 462502 SUSE bug 464141 SUSE Linux Enterprise Server 11 SP3 The png_check_keyword function in pngwutil.c in libpng before 1.0.42, and 1.2.x before 1.2.34, might allow context-dependent attackers to set the value of an arbitrary memory location to zero via vectors involving creation of crafted PNG files with keywords, related to an implicit cast of the '\0' character constant to a NULL pointer. NOTE: some sources incorrectly report this as a double free vulnerability. Moderate CVE-2008-5907 SUSE bug 467308 SUSE bug 608040 SUSE Linux Enterprise Server 11 SP3 The Math.random function in the JavaScript implementation in Mozilla Firefox 3.5.x before 3.5.10 and 3.6.x before 3.6.4, and SeaMonkey before 2.0.5, uses a random number generator that is seeded only once per browser session, which makes it easier for remote attackers to track a user, or trick a user into acting upon a spoofed pop-up message, by calculating the seed value, related to a "temporary footprint" and an "in-session phishing attack." Low CVE-2008-5913 SUSE bug 468762 SUSE bug 603356 SUSE Linux Enterprise Server 11 SP3 The netsnmp_udp_fmtaddr function (snmplib/snmpUDPDomain.c) in net-snmp 5.0.9 through 5.4.2.1, when using TCP wrappers for client authorization, does not properly parse hosts.allow rules, which allows remote attackers to bypass intended access restrictions and execute SNMP queries, related to "source/destination IP address confusion." Moderate CVE-2008-6123 SUSE bug 475532 SUSE Linux Enterprise Server 11 SP3 Memory leak in the png_handle_tEXt function in pngrutil.c in libpng before 1.2.33 rc02 and 1.4.0 beta36 allows context-dependent attackers to cause a denial of service (memory exhaustion) via a crafted PNG file. Important CVE-2008-6218 SUSE bug 475533 SUSE bug 854395 SUSE Linux Enterprise Server 11 SP3 sql/sql_table.cc in MySQL 5.0.x through 5.0.88, 5.1.x through 5.1.41, and 6.0 before 6.0.9-alpha, when the data home directory contains a symlink to a different filesystem, allows remote authenticated users to bypass intended access restrictions by calling CREATE TABLE with a (1) DATA DIRECTORY or (2) INDEX DIRECTORY argument referring to a subdirectory that requires following this symlink. Moderate CVE-2008-7247 SUSE bug 557669 SUSE bug 604528 SUSE Linux Enterprise Server 11 SP3 Samba 3.2.0 through 3.2.6, when registry shares are enabled, allows remote authenticated users to access the root filesystem via a crafted connection request that specifies a blank share name. Moderate CVE-2009-0022 SUSE bug 460764 SUSE Linux Enterprise Server 11 SP3 The ABI in the Linux kernel 2.6.28 and earlier on s390, powerpc, sparc64, and mips 64-bit platforms requires that a 32-bit argument in a 64-bit register was properly sign extended when sent from a user-mode application, but cannot verify this, which allows local users to cause a denial of service (crash) or possibly gain privileges via a crafted system call. Important CVE-2009-0029 SUSE bug 466015 SUSE Linux Enterprise Server 11 SP3 Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when the Java AJP connector and mod_jk load balancing are used, allows remote attackers to cause a denial of service (application outage) via a crafted request with invalid headers, related to temporary blocking of connectors that have encountered errors, as demonstrated by an error involving a malformed HTTP Host header. Moderate CVE-2009-0033 SUSE bug 509839 SUSE bug 509840 SUSE Linux Enterprise Server 11 SP3 The redirect implementation in curl and libcurl 5.11 through 7.19.3, when CURLOPT_FOLLOWLOCATION is enabled, accepts arbitrary Location values, which might allow remote HTTP servers to (1) trigger arbitrary requests to intranet servers, (2) read or overwrite arbitrary files via a redirect to a file: URL, or (3) execute arbitrary commands via a redirect to an scp: URL. Moderate CVE-2009-0037 SUSE bug 475103 SUSE bug 527990 SUSE Linux Enterprise Server 11 SP3 The PNG reference library (aka libpng) before 1.0.43, and 1.2.x before 1.2.35, as used in pngcrush and other applications, allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PNG file that triggers a free of an uninitialized pointer in (1) the png_read_png function, (2) pCAL chunk handling, or (3) setup of 16-bit gamma tables. Moderate CVE-2009-0040 SUSE bug 472745 SUSE bug 478625 SUSE bug 608040 SUSE Linux Enterprise Server 11 SP3 International Components for Unicode (ICU) 4.0, 3.6, and other 3.x versions, as used in Apple Mac OS X 10.5 before 10.5.7, iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1, Fedora 9 and 10, and possibly other operating systems, does not properly handle invalid byte sequences during Unicode conversion, which might allow remote attackers to conduct cross-site scripting (XSS) attacks. Moderate CVE-2009-0153 SUSE bug 508070 SUSE bug 539839 SUSE bug 585717 SUSE Linux Enterprise Server 11 SP3 Stack-based buffer overflow in the cookedprint function in ntpq/ntpq.c in ntpq in NTP before 4.2.4p7-RC2 allows remote NTP servers to execute arbitrary code via a crafted response. Moderate CVE-2009-0159 SUSE bug 484653 SUSE bug 501632 SUSE Linux Enterprise Server 11 SP3 Integer overflow in the TIFF image decoding routines in CUPS 1.3.9 and earlier allows remote attackers to cause a denial of service (daemon crash) and possibly execute arbitrary code via a crafted TIFF image, which is not properly handled by the (1) _cupsImageReadTIFF function in the imagetops filter and (2) imagetoraster filter, leading to a heap-based buffer overflow. Moderate CVE-2009-0163 SUSE bug 485895 SUSE Linux Enterprise Server 11 SP3 Integer overflow in libsndfile 1.0.18, as used in Winamp and other products, allows context-dependent attackers to execute arbitrary code via crafted description chunks in a CAF audio file, leading to a heap-based buffer overflow. Critical CVE-2009-0186 SUSE bug 481769 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in the big2_decode_symbol_dict function (jbig2_symbol_dict.c) in the JBIG2 decoding library (jbig2dec) in Ghostscript 8.64, and probably earlier versions, allows remote attackers to execute arbitrary code via a PDF file with a JBIG2 symbol dictionary segment with a large run length value. Moderate CVE-2009-0196 SUSE bug 489622 SUSE bug 491897 SUSE bug 492765 SUSE Linux Enterprise Server 11 SP3 The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update 14 and earlier; (7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5, and 4.0; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits. Important CVE-2009-0217 SUSE bug 514421 SUSE bug 521184 SUSE bug 521564 SUSE bug 530661 SUSE bug 530708 SUSE bug 530717 SUSE bug 548655 SUSE bug 561859 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in Mozilla Firefox 3.x before 3.0.6, Thunderbird before 2.0.0.21, and SeaMonkey before 1.1.15 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to the layout engine and destruction of arbitrary layout objects by the nsViewManager::Composite function. Important CVE-2009-0352 SUSE bug 470074 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in Mozilla Firefox 3.x before 3.0.6, Thunderbird before 2.0.0.21, and SeaMonkey before 1.1.15 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to the JavaScript engine. Important CVE-2009-0353 SUSE bug 470074 SUSE Linux Enterprise Server 11 SP3 Cross-domain vulnerability in js/src/jsobj.cpp in Mozilla Firefox 3.x before 3.0.6 allows remote attackers to bypass the Same Origin Policy, and access the properties of an arbitrary window and conduct cross-site scripting (XSS) attacks, via vectors involving a chrome XBL method and the window.eval function. Moderate CVE-2009-0354 SUSE bug 470074 SUSE Linux Enterprise Server 11 SP3 components/sessionstore/src/nsSessionStore.js in Mozilla Firefox before 3.0.6 does not block changes of INPUT elements to type="file" during tab restoration, which allows user-assisted remote attackers to read arbitrary files on a client machine via a crafted INPUT element. Moderate CVE-2009-0355 SUSE bug 470074 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 3.0.6 and SeaMonkey do not block links to the (1) about:plugins and (2) about:config URIs from .desktop files, which allows user-assisted remote attackers to bypass the Same Origin Policy and execute arbitrary code with chrome privileges via vectors involving the URL field in a Desktop Entry section of a .desktop file, related to representation of about: URIs as jar:file:// URIs. NOTE: this issue exists because of an incomplete fix for CVE-2008-4582. Moderate CVE-2009-0356 SUSE bug 470074 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 3.0.6 and SeaMonkey before 1.1.15 do not properly restrict access from web pages to the (1) Set-Cookie and (2) Set-Cookie2 HTTP response headers, which allows remote attackers to obtain sensitive information from cookies via XMLHttpRequest calls, related to the HTTPOnly protection mechanism. Moderate CVE-2009-0357 SUSE bug 470074 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox 3.x before 3.0.6 does not properly implement the (1) no-store and (2) no-cache Cache-Control directives, which allows local users to obtain sensitive information by using the (a) back button or (b) history list of the victim's browser, as demonstrated by reading the response page of an https POST request. Low CVE-2009-0358 SUSE bug 470074 SUSE Linux Enterprise Server 11 SP3 nm-applet.conf in GNOME NetworkManager before 0.7.0.99 contains an incorrect deny setting, which allows local users to discover (1) network connection passwords and (2) pre-shared keys via calls to the GetSecrets method in the dbus request handler. Moderate CVE-2009-0365 SUSE bug 478080 SUSE bug 479566 SUSE Linux Enterprise Server 11 SP3 OpenSC before 0.11.7 allows physically proximate attackers to bypass intended PIN requirements and read private data objects via a (1) low level APDU command or (2) debugging tool, as demonstrated by reading the 4601 or 4701 file with the opensc-explorer or opensc-tool program. Moderate CVE-2009-0368 SUSE bug 480262 SUSE bug 548555 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in the qtdemux_parse_samples function in gst/qtdemux/qtdemux.c in GStreamer Good Plug-ins (aka gst-plugins-good) 0.10.9 through 0.10.11 might allow remote attackers to execute arbitrary code via crafted Composition Time To Sample (ctts) atom data in a malformed QuickTime media .mov file. Moderate CVE-2009-0386 SUSE bug 469336 SUSE Linux Enterprise Server 11 SP3 Array index error in the qtdemux_parse_samples function in gst/qtdemux/qtdemux.c in GStreamer Good Plug-ins (aka gst-plugins-good) 0.10.9 through 0.10.11 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted Sync Sample (aka stss) atom data in a malformed QuickTime media .mov file, related to "mark keyframes." Moderate CVE-2009-0387 SUSE bug 469336 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in the qtdemux_parse_samples function in gst/qtdemux/qtdemux.c in GStreamer Good Plug-ins (aka gst-plugins-good) 0.10.9 through 0.10.11, and GStreamer Plug-ins (aka gstreamer-plugins) 0.8.5, might allow remote attackers to execute arbitrary code via crafted Time-to-sample (aka stts) atom data in a malformed QuickTime media .mov file. Moderate CVE-2009-0397 SUSE bug 469336 SUSE Linux Enterprise Server 11 SP3 Squid 2.7 to 2.7.STABLE5, 3.0 to 3.0.STABLE12, and 3.1 to 3.1.0.4 allows remote attackers to cause a denial of service via an HTTP request with an invalid version number, which triggers a reachable assertion in (1) HttpMsg.c and (2) HttpStatusLine.c. Moderate CVE-2009-0478 SUSE bug 472834 SUSE Linux Enterprise Server 11 SP3 GNOME NetworkManager before 0.7.0.99 does not properly verify privileges for dbus (1) modify and (2) delete requests, which allows local users to change or remove the network connections of arbitrary users via unspecified vectors related to org.freedesktop.NetworkManagerUserSettings and at_console. Moderate CVE-2009-0578 SUSE bug 478080 SUSE Linux Enterprise Server 11 SP3 Linux-PAM before 1.0.4 does not enforce the minimum password age (MINDAYS) as specified in /etc/shadow, which allows local users to bypass intended security policy and change their passwords sooner than specified. Moderate CVE-2009-0579 SUSE bug 481814 SUSE Linux Enterprise Server 11 SP3 Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when FORM authentication is used, allows remote attackers to enumerate valid usernames via requests to /j_security_check with malformed URL encoding of passwords, related to improper error checking in the (1) MemoryRealm, (2) DataSourceRealm, and (3) JDBCRealm authentication realms, as demonstrated by a % (percent) value for the j_password parameter. Moderate CVE-2009-0580 SUSE bug 509839 SUSE Linux Enterprise Server 11 SP3 Memory leak in LittleCMS (aka lcms or liblcms) before 1.18beta2, as used in Firefox 3.1beta, OpenJDK, and GIMP, allows context-dependent attackers to cause a denial of service (memory consumption and application crash) via a crafted image file. Moderate CVE-2009-0581 SUSE bug 479606 SUSE bug 490610 SUSE Linux Enterprise Server 11 SP3 Multiple integer overflows in icc.c in the International Color Consortium (ICC) Format library (aka icclib), as used in Ghostscript 8.64 and earlier and Argyll Color Management System (CMS) 1.0.3 and earlier, allow context-dependent attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly execute arbitrary code by using a device file for a translation request that operates on a crafted image file and targets a certain "native color space," related to an ICC profile in a (1) PostScript or (2) PDF file with embedded images. Moderate CVE-2009-0583 SUSE bug 483303 SUSE bug 491897 SUSE bug 492765 SUSE Linux Enterprise Server 11 SP3 icc.c in the International Color Consortium (ICC) Format library (aka icclib), as used in Ghostscript 8.64 and earlier and Argyll Color Management System (CMS) 1.0.3 and earlier, allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code by using a device file for processing a crafted image file associated with large integer values for certain sizes, related to an ICC profile in a (1) PostScript or (2) PDF file with embedded images. Moderate CVE-2009-0584 SUSE bug 483303 SUSE bug 491897 SUSE Linux Enterprise Server 11 SP3 Integer overflow in the gst_vorbis_tag_add_coverart function (gst-libs/gst/tag/gstvorbistag.c) in vorbistag in gst-plugins-base (aka gstreamer-plugins-base) before 0.10.23 in GStreamer allows context-dependent attackers to execute arbitrary code via a crafted COVERART tag that is converted from a base64 representation, which triggers a heap-based buffer overflow. Moderate CVE-2009-0586 SUSE bug 481479 SUSE Linux Enterprise Server 11 SP3 The ASN1_STRING_print_ex function in OpenSSL before 0.9.8k allows remote attackers to cause a denial of service (invalid memory access and application crash) via vectors that trigger printing of a (1) BMPString or (2) UniversalString with an invalid encoded length. Moderate CVE-2009-0590 SUSE bug 459468 SUSE bug 489641 SUSE bug 629905 SUSE Linux Enterprise Server 11 SP3 The CMS_verify function in OpenSSL 0.9.8h through 0.9.8j, when CMS is enabled, does not properly handle errors associated with malformed signed attributes, which allows remote attackers to repudiate a signature that originally appeared to be valid but was actually invalid. Moderate CVE-2009-0591 SUSE bug 489641 SUSE bug 629905 SUSE Linux Enterprise Server 11 SP3 ext/openssl/ossl_ocsp.c in Ruby 1.8 and 1.9 does not properly check the return value from the OCSP_basic_verify function, which might allow remote attackers to successfully present an invalid X.509 certificate, possibly involving a revoked certificate. Moderate CVE-2009-0642 SUSE bug 478019 SUSE Linux Enterprise Server 11 SP3 The Internationalized Domain Names (IDN) blacklist in Mozilla Firefox 3.0.6 and other versions before 3.0.9; Thunderbird before 2.0.0.21; and SeaMonkey before 1.1.15 does not include box-drawing characters, which allows remote attackers to spoof URLs and conduct phishing attacks, as demonstrated by homoglyphs of the / (slash) and ? (question mark) characters in a subdomain of a .cn domain name, a different vulnerability than CVE-2005-0233. NOTE: some third parties claim that 3.0.6 is not affected, but much older versions perhaps are affected. Important CVE-2009-0652 SUSE bug 495473 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Array index error in the (1) dtoa implementation in dtoa.c (aka pdtoa.c) and the (2) gdtoa (aka new dtoa) implementation in gdtoa/misc.c in libc, as used in multiple operating systems and products including in FreeBSD 6.4 and 7.2, NetBSD 5.0, OpenBSD 4.5, Mozilla Firefox 3.0.x before 3.0.15 and 3.5.x before 3.5.4, K-Meleon 1.5.3, SeaMonkey 1.1.8, and other products, allows context-dependent attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large precision value in the format argument to a printf function, which triggers incorrect memory allocation and a heap-based buffer overflow during conversion to a floating-point number. Important CVE-2009-0689 SUSE bug 522109 SUSE bug 545277 SUSE bug 546371 SUSE bug 557126 SUSE bug 557127 SUSE bug 557128 SUSE bug 557671 SUSE bug 590499 SUSE bug 607935 SUSE bug 851803 SUSE bug 958097 SUSE bug 963818 SUSE Linux Enterprise Server 11 SP3 Stack-based buffer overflow in the script_write_params method in client/dhclient.c in ISC DHCP dhclient 4.1 before 4.1.0p1, 4.0 before 4.0.1p1, 3.1 before 3.1.2p1, 3.0, and 2.0 allows remote DHCP servers to execute arbitrary code via a crafted subnet-mask option. Important CVE-2009-0692 SUSE bug 515599 SUSE Linux Enterprise Server 11 SP3 The dns_db_findrdataset function in db.c in named in ISC BIND 9.4 before 9.4.3-P3, 9.5 before 9.5.1-P3, and 9.6 before 9.6.1-P1, when configured as a master server, allows remote attackers to cause a denial of service (assertion failure and daemon exit) via an ANY record in the prerequisite section of a crafted dynamic update message, as exploited in the wild in July 2009. Important CVE-2009-0696 SUSE bug 526185 SUSE Linux Enterprise Server 11 SP3 Multiple integer overflows in LittleCMS (aka lcms or liblcms) before 1.18beta2, as used in Firefox 3.1beta, OpenJDK, and GIMP, allow context-dependent attackers to execute arbitrary code via a crafted image file that triggers a heap-based buffer overflow. NOTE: some of these details are obtained from third party information. Moderate CVE-2009-0723 SUSE bug 479606 SUSE bug 490610 SUSE Linux Enterprise Server 11 SP3 Multiple stack-based buffer overflows in the ReadSetOfCurves function in LittleCMS (aka lcms or liblcms) before 1.18beta2, as used in Firefox 3.1beta, OpenJDK, and GIMP, allow context-dependent attackers to execute arbitrary code via a crafted image file associated with a large integer value for the (1) input or (2) output channel, related to the ReadLUT_A2B and ReadLUT_B2A functions. Moderate CVE-2009-0733 SUSE bug 479606 SUSE bug 490610 SUSE Linux Enterprise Server 11 SP3 The FormWidgetChoice::loadDefaults function in Poppler before 0.10.4 allows remote attackers to cause a denial of service (crash) via a PDF file with an invalid Form Opt entry. Moderate CVE-2009-0755 SUSE bug 475556 SUSE bug 481795 SUSE Linux Enterprise Server 11 SP3 The JBIG2Stream::readSymbolDictSeg function in Poppler before 0.10.4 allows remote attackers to cause a denial of service (crash) via a PDF file that triggers a parsing error, which is not properly handled by JBIG2SymbolDict::~JBIG2SymbolDict and triggers an invalid memory dereference. Moderate CVE-2009-0756 SUSE bug 475556 SUSE bug 481795 SUSE bug 487100 SUSE Linux Enterprise Server 11 SP3 The originates_from_local_legacy_unicast_socket function in avahi-core/server.c in avahi-daemon 0.6.23 does not account for the network byte order of a port number when processing incoming multicast packets, which allows remote attackers to cause a denial of service (network bandwidth and CPU consumption) via a crafted legacy unicast mDNS query packet that triggers a multicast packet storm. Moderate CVE-2009-0758 SUSE bug 480865 SUSE Linux Enterprise Server 11 SP3 The layout engine in Mozilla Firefox before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey 1.1.15 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via certain vectors that trigger memory corruption and assertion failures. Important CVE-2009-0771 SUSE bug 478625 SUSE Linux Enterprise Server 11 SP3 The layout engine in Mozilla Firefox 2 and 3 before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey 1.1.15 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to nsCSSStyleSheet::GetOwnerNode, events, and garbage collection, which triggers memory corruption. Important CVE-2009-0772 SUSE bug 478625 SUSE Linux Enterprise Server 11 SP3 The JavaScript engine in Mozilla Firefox before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey 1.1.15 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via (1) a splice of an array that contains "some non-set elements," which causes jsarray.cpp to pass an incorrect argument to the ResizeSlots function, which triggers memory corruption; (2) vectors related to js_DecompileValueGenerator, jsopcode.cpp, __defineSetter__, and watch, which triggers an assertion failure or a segmentation fault; and (3) vectors related to gczeal, __defineSetter__, and watch, which triggers a hang. Important CVE-2009-0773 SUSE bug 478625 SUSE Linux Enterprise Server 11 SP3 The layout engine in Mozilla Firefox 2 and 3 before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey 1.1.15 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to gczeal, a different vulnerability than CVE-2009-0773. Important CVE-2009-0774 SUSE bug 478625 SUSE Linux Enterprise Server 11 SP3 Double free vulnerability in Mozilla Firefox before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey before 1.1.15 allows remote attackers to execute arbitrary code via "cloned XUL DOM elements which were linked as a parent and child," which are not properly handled during garbage collection. Important CVE-2009-0775 SUSE bug 478625 SUSE Linux Enterprise Server 11 SP3 nsIRDFService in Mozilla Firefox before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey before 1.1.15 allows remote attackers to bypass the same-origin policy and read XML data from another domain via a cross-domain redirect. Important CVE-2009-0776 SUSE bug 465291 SUSE bug 478625 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey before 1.1.15 decode invisible characters when they are displayed in the location bar, which causes an incorrect address to be displayed and makes it easier for remote attackers to spoof URLs and conduct phishing attacks. Moderate CVE-2009-0777 SUSE bug 478625 SUSE Linux Enterprise Server 11 SP3 Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML." Moderate CVE-2009-0781 SUSE bug 507806 SUSE bug 509839 SUSE Linux Enterprise Server 11 SP3 Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 permits web applications to replace an XML parser used for other web applications, which allows local users to read or modify the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web applications via a crafted application that is loaded earlier than the target application. Moderate CVE-2009-0783 SUSE bug 509839 SUSE bug 509840 SUSE Linux Enterprise Server 11 SP3 OpenSSL before 0.9.8k on WIN64 and certain other platforms does not properly handle a malformed ASN.1 structure, which allows remote attackers to cause a denial of service (invalid memory access and application crash) by placing this structure in the public key of a certificate, as demonstrated by an RSA public key. Important CVE-2009-0789 SUSE bug 459468 SUSE bug 489641 SUSE bug 629905 SUSE Linux Enterprise Server 11 SP3 Multiple integer overflows in Xpdf 2.x and 3.x and Poppler 0.x, as used in the pdftops filter in CUPS 1.1.17, 1.1.22, and 1.3.7, GPdf, and kdegraphics KPDF, allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PDF file that triggers a heap-based buffer overflow, possibly related to (1) Decrypt.cxx, (2) FoFiTrueType.cxx, (3) gmem.c, (4) JBIG2Stream.cxx, and (5) PSOutputDev.cxx in pdftops/. NOTE: the JBIG2Stream.cxx vector may overlap CVE-2009-1179. Moderate CVE-2009-0791 SUSE bug 502061 SUSE bug 502974 SUSE bug 507102 SUSE bug 539875 SUSE bug 556049 SUSE bug 566697 SUSE bug 570183 SUSE Linux Enterprise Server 11 SP3 Multiple integer overflows in icc.c in the International Color Consortium (ICC) Format library (aka icclib), as used in Ghostscript 8.64 and earlier and Argyll Color Management System (CMS) 1.0.3 and earlier, allow context-dependent attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly execute arbitrary code by using a device file for a translation request that operates on a crafted image file and targets a certain "native color space," related to an ICC profile in a (1) PostScript or (2) PDF file with embedded images. NOTE: this issue exists because of an incomplete fix for CVE-2009-0583. Moderate CVE-2009-0792 SUSE bug 491897 SUSE bug 492765 SUSE bug 649207 SUSE Linux Enterprise Server 11 SP3 cmsxform.c in LittleCMS (aka lcms or liblcms) 1.18, as used in OpenJDK and other products, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted image that triggers execution of incorrect code for "transformations of monochrome profiles." Moderate CVE-2009-0793 SUSE bug 490610 SUSE bug 521512 SUSE bug 521513 SUSE Linux Enterprise Server 11 SP3 ACPI Event Daemon (acpid) before 1.0.10 allows remote attackers to cause a denial of service (CPU consumption and connectivity loss) by opening a large number of UNIX sockets without closing them, which triggers an infinite loop. Moderate CVE-2009-0798 SUSE bug 491455 SUSE bug 588368 SUSE Linux Enterprise Server 11 SP3 The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote attackers to cause a denial of service (crash) via a crafted PDF file that triggers an out-of-bounds read. Moderate CVE-2009-0799 SUSE bug 487100 SUSE Linux Enterprise Server 11 SP3 Multiple "input validation flaws" in the JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allow remote attackers to execute arbitrary code via a crafted PDF file. Moderate CVE-2009-0800 SUSE bug 487100 SUSE Linux Enterprise Server 11 SP3 The get_input_token function in the SPNEGO implementation in MIT Kerberos 5 (aka krb5) 1.5 through 1.6.3 allows remote attackers to cause a denial of service (daemon crash) and possibly obtain sensitive information via a crafted length value that triggers a buffer over-read. Moderate CVE-2009-0844 SUSE bug 486722 SUSE Linux Enterprise Server 11 SP3 The spnego_gss_accept_sec_context function in lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.5 through 1.6.3, when SPNEGO is used, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via invalid ContextFlags data in the reqFlags field in a negTokenInit token. Moderate CVE-2009-0845 SUSE bug 485894 SUSE bug 486722 SUSE Linux Enterprise Server 11 SP3 The asn1_decode_generaltime function in lib/krb5/asn.1/asn1_decode.c in the ASN.1 GeneralizedTime decoder in MIT Kerberos 5 (aka krb5) before 1.6.4 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via vectors involving an invalid DER encoding that triggers a free of an uninitialized pointer. Critical CVE-2009-0846 SUSE bug 486723 SUSE Linux Enterprise Server 11 SP3 The asn1buf_imbed function in the ASN.1 decoder in MIT Kerberos 5 (aka krb5) 1.6.3, when PK-INIT is used, allows remote attackers to cause a denial of service (application crash) via a crafted length value that triggers an erroneous malloc call, related to incorrect calculations with pointer arithmetic. Important CVE-2009-0847 SUSE bug 486722 SUSE Linux Enterprise Server 11 SP3 Integer signedness error in the _pam_StrTok function in libpam/pam_misc.c in Linux-PAM (aka pam) 1.0.3 and earlier, when a configuration file contains non-ASCII usernames, might allow remote attackers to cause a denial of service, and might allow remote authenticated users to obtain login access with a different user's non-ASCII username, via a login attempt. Moderate CVE-2009-0887 SUSE bug 482713 SUSE Linux Enterprise Server 11 SP3 Array index error in the insertItemBefore method in WebKit, as used in Apple Safari before 3.2.3 and 4 Public Beta, iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1, Google Chrome Stable before 1.0.154.65, and possibly other products allows remote attackers to execute arbitrary code via a document with a SVGPathList data structure containing a negative index in the (1) SVGTransformList, (2) SVGStringList, (3) SVGNumberList, (4) SVGPathSegList, (5) SVGPointList, or (6) SVGLengthList SVGList object, which triggers memory corruption. Moderate CVE-2009-0945 SUSE bug 512559 SUSE bug 515124 SUSE bug 541632 SUSE bug 601349 SUSE bug 644114 SUSE Linux Enterprise Server 11 SP3 Multiple integer overflows in FreeType 2.3.9 and earlier allow remote attackers to execute arbitrary code via vectors related to large values in certain inputs in (1) smooth/ftsmooth.c, (2) sfnt/ttcmap.c, and (3) cff/cffload.c. Moderate CVE-2009-0946 SUSE bug 485889 SUSE bug 496289 SUSE bug 541626 SUSE Linux Enterprise Server 11 SP3 The ippReadIO function in cups/ipp.c in cupsd in CUPS before 1.3.10 does not properly initialize memory for IPP request packets, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a scheduler request with two consecutive IPP_TAG_UNSUPPORTED tags. Moderate CVE-2009-0949 SUSE bug 503759 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox 3.0.7 on Windows 7 allows remote attackers to execute arbitrary code via unknown vectors related to the _moveToEdgeShift XUL tree method, which triggers garbage collection on objects that are still in use, as demonstrated by Nils during a PWN2OWN competition at CanSecWest 2009. Important CVE-2009-1044 SUSE bug 465291 SUSE bug 488955 SUSE Linux Enterprise Server 11 SP3 The txMozillaXSLTProcessor::TransformToDoc function in Mozilla Firefox before 3.0.8 and SeaMonkey before 1.1.16 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an XML file with a crafted XSLT transform. Important CVE-2009-1169 SUSE bug 488955 SUSE bug 509766 SUSE bug 510964 SUSE bug 515951 SUSE Linux Enterprise Server 11 SP3 Integer overflow in the JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote attackers to execute arbitrary code via a crafted PDF file. Moderate CVE-2009-1179 SUSE bug 487100 SUSE Linux Enterprise Server 11 SP3 The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote attackers to execute arbitrary code via a crafted PDF file that triggers a free of invalid data. Moderate CVE-2009-1180 SUSE bug 487100 SUSE Linux Enterprise Server 11 SP3 The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote attackers to cause a denial of service (crash) via a crafted PDF file that triggers a NULL pointer dereference. Moderate CVE-2009-1181 SUSE bug 487100 SUSE Linux Enterprise Server 11 SP3 Multiple buffer overflows in the JBIG2 MMR decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allow remote attackers to execute arbitrary code via a crafted PDF file. Moderate CVE-2009-1182 SUSE bug 487100 SUSE Linux Enterprise Server 11 SP3 The JBIG2 MMR decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote attackers to cause a denial of service (infinite loop and hang) via a crafted PDF file. Moderate CVE-2009-1183 SUSE bug 487100 SUSE Linux Enterprise Server 11 SP3 Integer overflow in the JBIG2 decoding feature in Poppler before 0.10.6 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to CairoOutputDev (CairoOutputDev.cc). Moderate CVE-2009-1187 SUSE bug 487100 SUSE bug 508153 SUSE bug 508154 SUSE bug 539875 SUSE bug 566697 SUSE Linux Enterprise Server 11 SP3 Integer overflow in the JBIG2 decoding feature in the SplashBitmap::SplashBitmap function in SplashBitmap.cc in Xpdf 3.x before 3.02pl4 and Poppler before 0.10.6, as used in GPdf and kdegraphics KPDF, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF document. Moderate CVE-2009-1188 SUSE bug 487100 SUSE bug 508153 SUSE bug 508154 SUSE bug 539875 SUSE bug 546400 SUSE bug 566697 SUSE Linux Enterprise Server 11 SP3 The _dbus_validate_signature_with_reason function (dbus-marshal-validate.c) in D-Bus (aka DBus) before 1.2.14 uses incorrect logic to validate a basic type, which allows remote attackers to spoof a signature via a crafted key. NOTE: this is due to an incorrect fix for CVE-2008-3834. Moderate CVE-2009-1189 SUSE bug 495804 SUSE bug 659934 SUSE Linux Enterprise Server 11 SP3 mod_proxy_ajp.c in the mod_proxy_ajp module in the Apache HTTP Server 2.2.11 allows remote attackers to obtain sensitive response data, intended for a client that sent an earlier POST request with no request body, via an HTTP request. Moderate CVE-2009-1191 SUSE bug 521943 SUSE bug 539571 SUSE Linux Enterprise Server 11 SP3 The Apache HTTP Server 2.2.11 and earlier 2.2 versions does not properly handle Options=IncludesNOEXEC in the AllowOverride directive, which allows local users to gain privileges by configuring (1) Options Includes, (2) Options +Includes, or (3) Options +IncludesNOEXEC in a .htaccess file, and then inserting an exec element in a .shtml file. Moderate CVE-2009-1195 SUSE bug 512583 SUSE bug 513080 SUSE bug 539571 SUSE Linux Enterprise Server 11 SP3 Format string vulnerability in the PROFINET/DCP (PN-DCP) dissector in Wireshark 1.0.6 and earlier allows remote attackers to execute arbitrary code via a PN-DCP packet with format string specifiers in the station name. NOTE: some of these details are obtained from third party information. Moderate CVE-2009-1210 SUSE bug 491449 SUSE bug 493584 SUSE Linux Enterprise Server 11 SP3 Stack-based buffer overflow in the crypto_recv function in ntp_crypto.c in ntpd in NTP before 4.2.4p7 and 4.2.5 before 4.2.5p74, when OpenSSL and autokey are enabled, allows remote attackers to execute arbitrary code via a crafted packet containing an extension field. Moderate CVE-2009-1252 SUSE bug 501632 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the LDAP dissector in Wireshark 0.99.2 through 1.0.6, when running on Windows, allows remote attackers to cause a denial of service (crash) via unknown attack vectors. Moderate CVE-2009-1267 SUSE bug 493584 SUSE Linux Enterprise Server 11 SP3 The Check Point High-Availability Protocol (CPHAP) dissector in Wireshark 0.9.6 through 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted FWHA_MY_STATE packet. Low CVE-2009-1268 SUSE bug 493584 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in Wireshark 0.99.6 through 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted Tektronix .rf5 file. Low CVE-2009-1269 SUSE bug 493584 SUSE Linux Enterprise Server 11 SP3 The browser engine in Mozilla Firefox 3.x before 3.0.9, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.16 allows remote attackers to cause a denial of service (application crash) and possibly trigger memory corruption via vectors related to (1) nsAsyncInstantiateEvent::Run, (2) nsStyleContext::Destroy, (3) nsComputedDOMStyle::GetWidth, (4) the xslt_attributeset_ImportSameName.html test case for the XSLT stylesheet compiler, (5) nsXULDocument::SynchronizeBroadcastListener, (6) IsBindingAncestor, (7) PL_DHashTableOperate and nsEditor::EndUpdateViewBatch, and (8) gfxSkipCharsIterator::SetOffsets, and other vectors. Important CVE-2009-1302 SUSE bug 495473 SUSE Linux Enterprise Server 11 SP3 The browser engine in Mozilla Firefox before 3.0.9, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.16 allows remote attackers to cause a denial of service (application crash) and possibly trigger memory corruption via vectors related to nsSVGElement::BindToTree. Important CVE-2009-1303 SUSE bug 495473 SUSE Linux Enterprise Server 11 SP3 The JavaScript engine in Mozilla Firefox 3.x before 3.0.9, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.16 allows remote attackers to cause a denial of service (application crash) and possibly trigger memory corruption via vectors involving (1) js_FindPropertyHelper, related to the definitions of Math and Date; and (2) js_CheckRedeclaration. Important CVE-2009-1304 SUSE bug 495473 SUSE Linux Enterprise Server 11 SP3 The JavaScript engine in Mozilla Firefox before 3.0.9, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.16 allows remote attackers to cause a denial of service (application crash) and possibly trigger memory corruption via vectors involving JSOP_DEFVAR and properties that lack the JSPROP_PERMANENT attribute. Important CVE-2009-1305 SUSE bug 495473 SUSE Linux Enterprise Server 11 SP3 The jar: URI implementation in Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey does not follow the Content-Disposition header of the inner URI, which allows remote attackers to conduct cross-site scripting (XSS) attacks and possibly other attacks via an uploaded .jar file with a "Content-Disposition: attachment" designation. Moderate CVE-2009-1306 SUSE bug 495473 SUSE Linux Enterprise Server 11 SP3 The view-source: URI implementation in Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey does not properly implement the Same Origin Policy, which allows remote attackers to (1) bypass crossdomain.xml restrictions and connect to arbitrary web sites via a Flash file; (2) read, create, or modify Local Shared Objects via a Flash file; or (3) bypass unspecified restrictions and render content via vectors involving a jar: URI. Moderate CVE-2009-1307 SUSE bug 495473 SUSE bug 515951 SUSE Linux Enterprise Server 11 SP3 Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey allows remote attackers to inject arbitrary web script or HTML via vectors involving XBL JavaScript bindings and remote stylesheets, as exploited in the wild by a March 2009 eBay listing. Moderate CVE-2009-1308 SUSE bug 495473 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey do not properly implement the Same Origin Policy for (1) XMLHttpRequest, involving a mismatch for a document's principal, and (2) XPCNativeWrapper.toString, involving an incorrect __proto__ scope, which allows remote attackers to conduct cross-site scripting (XSS) attacks and possibly other attacks via a crafted document. Moderate CVE-2009-1309 SUSE bug 495473 SUSE Linux Enterprise Server 11 SP3 Cross-site scripting (XSS) vulnerability in the MozSearch plugin implementation in Mozilla Firefox before 3.0.9 allows user-assisted remote attackers to inject arbitrary web script or HTML via a javascript: URI in the SearchForm element. Low CVE-2009-1310 SUSE bug 495473 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 3.0.9 and SeaMonkey before 1.1.17 allow user-assisted remote attackers to obtain sensitive information via a web page with an embedded frame, which causes POST data from an outer page to be sent to the inner frame's URL during a SAVEMODE_FILEONLY save of the inner frame. Moderate CVE-2009-1311 SUSE bug 465291 SUSE bug 495473 SUSE bug 515951 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 3.0.9 and SeaMonkey 1.1.17 do not block javascript: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header or (2) specifying the content of a Refresh header. NOTE: it was later reported that Firefox 3.6 a1 pre and Mozilla 1.7.x and earlier are also affected. Moderate CVE-2009-1312 SUSE bug 495473 SUSE Linux Enterprise Server 11 SP3 The nsTextFrame::ClearTextRun function in layout/generic/nsTextFrameThebes.cpp in Mozilla Firefox 3.0.9 allows remote attackers to cause a denial of service (memory corruption) and probably execute arbitrary code via unspecified vectors. NOTE: this vulnerability reportedly exists because of an incorrect fix for CVE-2009-1302. Important CVE-2009-1313 SUSE bug 500909 SUSE bug 502062 SUSE Linux Enterprise Server 11 SP3 The dtls1_buffer_record function in ssl/d1_pkt.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allows remote attackers to cause a denial of service (memory consumption) via a large series of "future epoch" DTLS records that are buffered in a queue, aka "DTLS record buffer limitation bug." Moderate CVE-2009-1377 SUSE bug 459468 SUSE bug 504687 SUSE bug 629905 SUSE Linux Enterprise Server 11 SP3 Multiple memory leaks in the dtls1_process_out_of_seq_message function in ssl/d1_both.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allow remote attackers to cause a denial of service (memory consumption) via DTLS records that (1) are duplicates or (2) have sequence numbers much greater than current sequence numbers, aka "DTLS fragment handling memory leak." Moderate CVE-2009-1378 SUSE bug 459468 SUSE bug 504687 SUSE bug 629905 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL 1.0.0 Beta 2 allows remote attackers to cause a denial of service (openssl s_client crash) and possibly have unspecified other impact via a DTLS packet, as demonstrated by a packet from a server that uses a crafted server certificate. Moderate CVE-2009-1379 SUSE bug 459468 SUSE bug 504687 SUSE bug 629905 SUSE Linux Enterprise Server 11 SP3 ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a DTLS ChangeCipherSpec packet that occurs before ClientHello. Moderate CVE-2009-1386 SUSE bug 459468 SUSE bug 509031 SUSE bug 515659 SUSE bug 629905 SUSE Linux Enterprise Server 11 SP3 The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL before 1.0.0 Beta 2 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence DTLS handshake message, related to a "fragment bug." Moderate CVE-2009-1387 SUSE bug 459468 SUSE bug 509031 SUSE bug 515659 SUSE bug 629905 SUSE Linux Enterprise Server 11 SP3 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2009-0689. Reason: This candidate is a duplicate of CVE-2009-0689. Certain codebase relationships were not originally clear. Notes: All CVE users should reference CVE-2009-0689 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Important CVE-2009-1563 SUSE bug 522109 SUSE bug 545277 SUSE bug 546371 SUSE bug 557126 SUSE bug 557127 SUSE bug 557128 SUSE bug 557671 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the HTML parser in Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, Thunderbird before 3.0.2, and SeaMonkey before 2.0.3 allows remote attackers to execute arbitrary code via unspecified method calls that attempt to access freed objects in low-memory situations. Important CVE-2009-1571 SUSE bug 576969 SUSE bug 581160 SUSE bug 584499 SUSE Linux Enterprise Server 11 SP3 Multiple integer overflows in OpenEXR 1.2.2 and 1.6.1 allow context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unspecified vectors that trigger heap-based buffer overflows, related to (1) the Imf::PreviewImage::PreviewImage function and (2) compressor constructors. NOTE: some of these details are obtained from third party information. Moderate CVE-2009-1720 SUSE bug 527538 SUSE bug 527539 SUSE Linux Enterprise Server 11 SP3 The decompression implementation in the Imf::hufUncompress function in OpenEXR 1.2.2 and 1.6.1 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors that trigger a free of an uninitialized pointer. Moderate CVE-2009-1721 SUSE bug 527538 SUSE bug 527539 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in voc_read_header in libsndfile 1.0.15 through 1.0.19, as used in Winamp 5.552 and possibly other media programs, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a VOC file with an invalid header value. Moderate CVE-2009-1788 SUSE bug 504434 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in aiff_read_header in libsndfile 1.0.15 through 1.0.19, as used in Winamp 5.552 and possibly other media programs, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via an AIFF file with an invalid header value. Moderate CVE-2009-1791 SUSE bug 504434 SUSE Linux Enterprise Server 11 SP3 Multiple format string vulnerabilities in client/client.c in smbclient in Samba 3.2.0 through 3.2.12 might allow context-dependent attackers to execute arbitrary code via format string specifiers in a filename. Critical CVE-2009-1886 SUSE bug 513360 SUSE bug 515479 SUSE Linux Enterprise Server 11 SP3 The acl_group_override function in smbd/posix_acls.c in smbd in Samba 3.0.x before 3.0.35, 3.1.x and 3.2.x before 3.2.13, and 3.3.x before 3.3.6, when dos filemode is enabled, allows remote attackers to modify access control lists for files via vectors related to read access to uninitialized memory. Low CVE-2009-1888 SUSE bug 513360 SUSE bug 515479 SUSE Linux Enterprise Server 11 SP3 The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server before 2.3.3, when a reverse proxy is configured, does not properly handle an amount of streamed data that exceeds the Content-Length value, which allows remote attackers to cause a denial of service (CPU consumption) via crafted requests. Moderate CVE-2009-1890 SUSE bug 519194 SUSE Linux Enterprise Server 11 SP3 The mod_deflate module in Apache httpd 2.2.11 and earlier compresses large files until completion even after the associated network connection is closed, which allows remote attackers to cause a denial of service (CPU consumption). Moderate CVE-2009-1891 SUSE bug 521906 SUSE Linux Enterprise Server 11 SP3 dhcpd in ISC DHCP 3.0.4 and 3.1.1, when the dhcp-client-identifier and hardware ethernet configuration settings are both used, allows remote attackers to cause a denial of service (daemon crash) via unspecified requests. Moderate CVE-2009-1892 SUSE bug 519413 SUSE Linux Enterprise Server 11 SP3 The BigDecimal library in Ruby 1.8.6 before p369 and 1.8.7 before p173 allows context-dependent attackers to cause a denial of service (application crash) via a string argument that represents a large number, as demonstrated by an attempted conversion to the Float data type. Moderate CVE-2009-1904 SUSE bug 511568 SUSE bug 580482 SUSE Linux Enterprise Server 11 SP3 Multiple integer overflows in the (1) user_info_callback, (2) user_endrow_callback, and (3) gst_pngdec_task functions (ext/libpng/gstpngdec.c) in GStreamer Good Plug-ins (aka gst-plugins-good or gstreamer-plugins-good) 0.10.15 allow remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted PNG file, which triggers a buffer overflow. Moderate CVE-2009-1932 SUSE bug 510292 SUSE Linux Enterprise Server 11 SP3 libpng before 1.2.37 does not properly parse 1-bit interlaced images with width values that are not divisible by 8, which causes libpng to include uninitialized bits in certain rows of a PNG file and might allow remote attackers to read portions of sensitive memory via "out-of-bounds pixels" in the file. Moderate CVE-2009-2042 SUSE bug 514727 SUSE bug 608040 SUSE Linux Enterprise Server 11 SP3 Buffer underflow in the LZWDecodeCompat function in libtiff 3.8.2 allows context-dependent attackers to cause a denial of service (crash) via a crafted TIFF image, a different vulnerability than CVE-2008-2327. Moderate CVE-2009-2285 SUSE bug 518698 SUSE Linux Enterprise Server 11 SP3 Multiple integer overflows in inter-color spaces conversion tools in libtiff 3.8 through 3.8.2, 3.9, and 4.0 allow context-dependent attackers to execute arbitrary code via a TIFF image with large (1) width and (2) height values, which triggers a heap-based buffer overflow in the (a) cvt_whole_image function in tiff2rgba and (b) tiffcvt function in rgb2ycbcr. Moderate CVE-2009-2347 SUSE bug 519796 SUSE bug 616827 SUSE Linux Enterprise Server 11 SP3 Multiple integer overflows in the Apache Portable Runtime (APR) library and the Apache Portable Utility library (aka APR-util) 0.9.x and 1.3.x allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors that trigger crafted calls to the (1) allocator_alloc or (2) apr_palloc function in memory/unix/apr_pools.c in APR; or crafted calls to the (3) apr_rmm_malloc, (4) apr_rmm_calloc, or (5) apr_rmm_realloc function in misc/apr_rmm.c in APR-util; leading to buffer overflows. NOTE: some of these details are obtained from third party information. Moderate CVE-2009-2412 SUSE bug 528714 SUSE bug 529591 SUSE bug 802057 SUSE Linux Enterprise Server 11 SP3 Stack consumption vulnerability in libxml2 2.5.10, 2.6.16, 2.6.26, 2.6.27, and 2.6.32, and libxml 1.8.17, allows context-dependent attackers to cause a denial of service (application crash) via a large depth of element declarations in a DTD, related to a function recursion, as demonstrated by the Codenomicon XML fuzzing framework. Important CVE-2009-2414 SUSE bug 528007 SUSE Linux Enterprise Server 11 SP3 Multiple use-after-free vulnerabilities in libxml2 2.5.10, 2.6.16, 2.6.26, 2.6.27, and 2.6.32, and libxml 1.8.17, allow context-dependent attackers to cause a denial of service (application crash) via crafted (1) Notation or (2) Enumeration attribute types in an XML file, as demonstrated by the Codenomicon XML fuzzing framework. Important CVE-2009-2416 SUSE bug 528007 SUSE Linux Enterprise Server 11 SP3 lib/ssluse.c in cURL and libcurl 7.4 through 7.19.5, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. Moderate CVE-2009-2417 SUSE bug 527990 SUSE bug 528372 SUSE Linux Enterprise Server 11 SP3 Multiple format string vulnerabilities in the dispatch_command function in libmysqld/sql_parse.cc in mysqld in MySQL 4.0.0 through 5.0.83 allow remote authenticated users to cause a denial of service (daemon crash) and possibly have unspecified other impact via format string specifiers in a database name in a (1) COM_CREATE_DB or (2) COM_DROP_DB request. NOTE: some of these details are obtained from third party information. Moderate CVE-2009-2446 SUSE bug 520608 SUSE bug 604528 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 3.0.12, and 3.5.x before 3.5.2, allows remote SOCKS5 proxy servers to cause a denial of service (data stream corruption) via a long domain name in a reply. Moderate CVE-2009-2470 SUSE Linux Enterprise Server 11 SP3 neon before 0.28.6, when expat is used, does not properly detect recursion during entity expansion, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564. Moderate CVE-2009-2473 SUSE bug 528370 SUSE bug 532345 SUSE Linux Enterprise Server 11 SP3 neon before 0.28.6, when OpenSSL or GnuTLS is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. Moderate CVE-2009-2474 SUSE bug 528370 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in Wireshark 1.2.0 allow remote attackers to cause a denial of service (application crash) via a file that records a malformed packet trace and is processed by the (1) Bluetooth L2CAP, (2) RADIUS, or (3) MIOP dissector. NOTE: it was later reported that the RADIUS issue also affects 0.10.13 through 1.0.9. Moderate CVE-2009-2560 SUSE bug 523718 SUSE bug 550320 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the AFS dissector in Wireshark 0.9.2 through 1.2.0 allows remote attackers to cause a denial of service (crash) via unknown vectors. Moderate CVE-2009-2562 SUSE bug 523718 SUSE bug 540174 SUSE Linux Enterprise Server 11 SP3 The huft_build function in inflate.c in gzip before 1.3.13 creates a hufts (aka huffman) table that is too small, which allows remote attackers to cause a denial of service (application crash or infinite loop) or possibly execute arbitrary code via a crafted archive. NOTE: this issue is caused by a CVE-2006-4334 regression. Moderate CVE-2009-2624 SUSE bug 570331 SUSE bug 588113 SUSE Linux Enterprise Server 11 SP3 XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework. Important CVE-2009-2625 SUSE bug 525562 SUSE bug 530717 SUSE bug 534025 SUSE bug 534721 SUSE bug 537969 SUSE bug 540945 SUSE bug 548655 SUSE bug 550664 SUSE bug 553220 SUSE bug 558892 SUSE bug 581162 SUSE bug 581765 SUSE bug 610080 SUSE bug 611931 SUSE bug 611932 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 3.0.13, and 3.5.x before 3.5.2, allows remote attackers to spoof the address bar, and possibly conduct phishing attacks, via a crafted web page that calls window.open with an invalid character in the URL, makes document.write calls to the resulting object, and then calls the stop method during the loading of the error page. Moderate CVE-2009-2654 SUSE bug 527489 SUSE Linux Enterprise Server 11 SP3 libvorbis before r16182, as used in Mozilla Firefox 3.5.x before 3.5.2 and other products, allows context-dependent attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted .ogg file. Important CVE-2009-2663 SUSE bug 527489 SUSE bug 608192 SUSE Linux Enterprise Server 11 SP3 socket.c in fetchmail before 6.3.11 does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. Moderate CVE-2009-2666 SUSE bug 528746 SUSE Linux Enterprise Server 11 SP3 Directory traversal vulnerability in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20 allows remote attackers to create or overwrite arbitrary files via a .. (dot dot) in an entry in a WAR file, as demonstrated by a ../../bin/catalina.bat entry. Moderate CVE-2009-2693 SUSE bug 575083 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The Solaris pollset feature in the Event Port backend in poll/unix/port.c in the Apache Portable Runtime (APR) library before 1.3.9, as used in the Apache HTTP Server before 2.2.14 and other products, does not properly handle errors, which allows remote attackers to cause a denial of service (daemon hang) via unspecified HTTP requests, related to the prefork and event MPMs. Moderate CVE-2009-2699 SUSE bug 1078450 SUSE bug 1095150 SUSE Linux Enterprise Server 11 SP3 libgnutls in GnuTLS before 2.8.2 does not properly handle a '\0' character in a domain name in the subject's (1) Common Name (CN) or (2) Subject Alternative Name (SAN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. Important CVE-2009-2730 SUSE bug 392947 SUSE bug 528372 SUSE Linux Enterprise Server 11 SP3 Samba 3.4 before 3.4.2, 3.3 before 3.3.8, 3.2 before 3.2.15, and 3.0.12 through 3.0.36, as used in the SMB subsystem in Apple Mac OS X 10.5.8 when Windows File Sharing is enabled, Fedora 11, and other operating systems, does not properly handle errors in resolving pathnames, which allows remote authenticated users to bypass intended sharing restrictions, and read, create, or modify files, in certain circumstances involving user accounts that lack home directories. Moderate CVE-2009-2813 SUSE bug 515479 SUSE bug 539517 SUSE bug 543115 SUSE Linux Enterprise Server 11 SP3 The web interface in CUPS before 1.4.2, as used on Apple Mac OS X before 10.6.2 and other platforms, does not properly handle (1) HTTP headers and (2) HTML templates, which allows remote attackers to conduct cross-site scripting (XSS) attacks and HTTP response splitting attacks via vectors related to (a) the product's web interface, (b) the configuration of the print system, and (c) the titles of printed jobs, as demonstrated by an XSS attack that uses the kerberos parameter to the admin program, and leverages attribute injection and HTTP Parameter Pollution (HPP) issues. Moderate CVE-2009-2820 SUSE bug 548317 SUSE bug 551563 SUSE bug 574336 SUSE Linux Enterprise Server 11 SP3 The strListGetItem function in src/HttpHeaderTools.c in Squid 2.7 allows remote attackers to cause a denial of service via a crafted auth header with certain comma delimiters that trigger an infinite loop of calls to the strcspn function. Moderate CVE-2009-2855 SUSE bug 525774 SUSE bug 577347 SUSE Linux Enterprise Server 11 SP3 The autodeployment process in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20, when autoDeploy is enabled, deploys appBase files that remain from a failed undeploy, which might allow remote attackers to bypass intended authentication requirements via HTTP requests. Moderate CVE-2009-2901 SUSE bug 575083 SUSE Linux Enterprise Server 11 SP3 Directory traversal vulnerability in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20 allows remote attackers to delete work-directory files via directory traversal sequences in a WAR filename, as demonstrated by the ...war filename. Moderate CVE-2009-2902 SUSE bug 575083 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in textbox.c in newt 0.51.5, 0.51.6, and 0.52.2 allows local users to cause a denial of service (application crash) or possibly execute arbitrary code via a request to display a crafted text dialog box. Moderate CVE-2009-2905 SUSE bug 540930 SUSE Linux Enterprise Server 11 SP3 smbd in Samba 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before 3.3.8, and 3.4 before 3.4.2 allows remote authenticated users to cause a denial of service (infinite loop) via an unanticipated oplock break notification reply packet. Moderate CVE-2009-2906 SUSE bug 515479 SUSE bug 543115 SUSE Linux Enterprise Server 11 SP3 SystemTap 1.0, when the --unprivileged option is used, does not properly restrict certain data sizes, which allows local users to (1) cause a denial of service or gain privileges via a print operation with a large number of arguments that trigger a kernel stack overflow, (2) cause a denial of service via crafted DWARF expressions that trigger a kernel stack frame overflow, or (3) cause a denial of service (infinite loop) via vectors that trigger creation of large unwind tables, related to Common Information Entry (CIE) and Call Frame Instruction (CFI) records. Moderate CVE-2009-2911 SUSE bug 548361 SUSE bug 574243 SUSE Linux Enterprise Server 11 SP3 mount.cifs in Samba 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before 3.3.8 and 3.4 before 3.4.2, when mount.cifs is installed suid root, does not properly enforce permissions, which allows local users to read part of the credentials file and obtain the password by specifying the path to the credentials file and using the --verbose or -v option. Low CVE-2009-2948 SUSE bug 515479 SUSE bug 542150 SUSE bug 543115 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the browser engine in Mozilla Firefox 3.5.x before 3.5.3 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Critical CVE-2009-3069 SUSE bug 534458 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.0.14 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Moderate CVE-2009-3070 SUSE bug 534458 SUSE bug 538290 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.0.14, and 3.5.x before 3.5.2, allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Moderate CVE-2009-3071 SUSE bug 534458 SUSE bug 538290 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.0.14 and 3.5.x before 3.5.3, Thunderbird before 2.0.0.24, and SeaMonkey before 1.1.19 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to the BinHex decoder in netwerk/streamconv/converters/nsBinHexDecoder.cpp, and unknown vectors. Important CVE-2009-3072 SUSE bug 534458 SUSE bug 538290 SUSE bug 590499 SUSE bug 607935 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the JavaScript engine in Mozilla Firefox 3.5.x before 3.5.3 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Critical CVE-2009-3073 SUSE bug 534458 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the JavaScript engine in Mozilla Firefox before 3.0.14 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Moderate CVE-2009-3074 SUSE bug 538290 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in the JavaScript engine in Mozilla Firefox before 3.0.14 and 3.5.x before 3.5.2, Thunderbird before 2.0.0.24, and SeaMonkey before 1.1.19 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to use of mutable strings in the js_StringReplaceHelper function in js/src/jsstr.cpp, and unknown vectors. Moderate CVE-2009-3075 SUSE bug 534458 SUSE bug 538290 SUSE bug 590499 SUSE bug 607935 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 3.0.14, and 3.5.x before 3.5.3, does not properly manage pointers for the columns (aka TreeColumns) of a XUL tree element, which allows remote attackers to execute arbitrary code via a crafted HTML document, related to a "dangling pointer vulnerability." Important CVE-2009-3077 SUSE bug 534458 SUSE bug 538290 SUSE bug 590499 SUSE bug 607935 SUSE Linux Enterprise Server 11 SP3 Visual truncation vulnerability in Mozilla Firefox before 3.0.14, and 3.5.x before 3.5.3, allows remote attackers to trigger a vertical scroll and spoof URLs via unspecified Unicode characters with a tall line-height property. Moderate CVE-2009-3078 SUSE bug 534458 SUSE bug 538290 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in Mozilla Firefox before 3.0.14, and 3.5.x before 3.5.3, allows remote attackers to execute arbitrary JavaScript with chrome privileges via vectors involving an object, the FeedWriter, and the BrowserFeedWriter. Moderate CVE-2009-3079 SUSE bug 534458 SUSE bug 538290 SUSE Linux Enterprise Server 11 SP3 The ap_proxy_ftp_handler function in modules/proxy/proxy_ftp.c in the mod_proxy_ftp module in the Apache HTTP Server 2.0.63 and 2.2.13 allows remote FTP servers to cause a denial of service (NULL pointer dereference and child process crash) via a malformed reply to an EPSV command. Moderate CVE-2009-3094 SUSE bug 538322 SUSE Linux Enterprise Server 11 SP3 The mod_proxy_ftp module in the Apache HTTP Server allows remote attackers to bypass intended access restrictions and send arbitrary commands to an FTP server via vectors related to the embedding of these commands in the Authorization HTTP header, as demonstrated by a certain module in VulnDisco Pack Professional 8.11. Moderate CVE-2009-3095 SUSE bug 538322 SUSE Linux Enterprise Server 11 SP3 Multiple stack-based buffer overflows in the Sieve plugin in Dovecot 1.0 before 1.0.4 and 1.1 before 1.1.7, as derived from Cyrus libsieve, allow context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted SIEVE script, as demonstrated by forwarding an e-mail message to a large number of recipients, a different vulnerability than CVE-2009-2632. Moderate CVE-2009-3235 SUSE bug 539876 SUSE bug 539877 SUSE Linux Enterprise Server 11 SP3 OpenSSL before 0.9.8m does not check for a NULL return value from bn_wexpand function calls in (1) crypto/bn/bn_div.c, (2) crypto/bn/bn_gf2m.c, (3) crypto/ec/ec2_smpl.c, and (4) engines/e_ubsec.c, which has unspecified impact and context-dependent attack vectors. Important CVE-2009-3245 SUSE bug 587379 SUSE bug 590833 SUSE bug 593560 SUSE bug 629905 SUSE bug 641950 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox 3.6a1, 3.5.3, 3.5.2, and earlier 3.5.x versions, and 3.0.14 and earlier 2.x and 3.x versions, on Linux uses a predictable /tmp pathname for files selected from the Downloads window, which allows local users to replace an arbitrary downloaded file by placing a file in a /tmp location before the download occurs, related to the Download Manager component. NOTE: some of these details are obtained from third party information. Moderate CVE-2009-3274 SUSE bug 522109 SUSE bug 534458 SUSE bug 545277 SUSE Linux Enterprise Server 11 SP3 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2010-0787, CVE-2010-0788, CVE-2010-0789. Reason: this candidate was intended for one issue in Samba, but it was used for multiple distinct issues, including one in FUSE and one in ncpfs. Notes: All CVE users should consult CVE-2010-0787 (Samba), CVE-2010-0788 (ncpfs), and CVE-2010-0789 (FUSE) to determine which ID is appropriate. All references and descriptions in this candidate have been removed to prevent accidental usage. Low CVE-2009-3297 SUSE bug 550002 SUSE bug 550003 SUSE bug 550004 SUSE bug 577925 SUSE bug 583535 SUSE bug 583536 SUSE bug 594263 SUSE bug 620680 SUSE bug 651598 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 3.0.15, and 3.5.x before 3.5.4, allows remote attackers to read form history by forging mouse and keyboard events that leverage the auto-fill feature to populate form fields, in an attacker-readable form, with history entries. Moderate CVE-2009-3370 SUSE bug 522109 SUSE bug 545277 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in Mozilla Firefox 3.5.x before 3.5.4 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code by creating JavaScript web-workers recursively. Critical CVE-2009-3371 SUSE bug 522109 SUSE bug 545277 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 3.0.15 and 3.5.x before 3.5.4, and SeaMonkey before 2.0, allows remote attackers to execute arbitrary code via a crafted regular expression in a Proxy Auto-configuration (PAC) file. Moderate CVE-2009-3372 SUSE bug 522109 SUSE bug 545277 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in the GIF image parser in Mozilla Firefox before 3.0.15 and 3.5.x before 3.5.4, and SeaMonkey before 2.0, allows remote attackers to execute arbitrary code via unspecified vectors. Moderate CVE-2009-3373 SUSE bug 522109 SUSE bug 545277 SUSE bug 557686 SUSE Linux Enterprise Server 11 SP3 The XPCVariant::VariantDataToJS function in the XPCOM implementation in Mozilla Firefox 3.0.x before 3.0.15 and 3.5.x before 3.5.4 does not enforce intended restrictions on interaction between chrome privileged code and objects obtained from remote web sites, which allows remote attackers to execute arbitrary JavaScript with chrome privileges via unspecified method calls, related to "doubly-wrapped objects." Important CVE-2009-3374 SUSE bug 522109 SUSE bug 545277 SUSE Linux Enterprise Server 11 SP3 content/html/document/src/nsHTMLDocument.cpp in Mozilla Firefox 3.0.x before 3.0.15 and 3.5.x before 3.5.4 allows user-assisted remote attackers to bypass the Same Origin Policy and read an arbitrary content selection via the document.getSelection function. Moderate CVE-2009-3375 SUSE bug 522109 SUSE bug 545277 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 3.0.15 and 3.5.x before 3.5.4, and SeaMonkey before 2.0, does not properly handle a right-to-left override (aka RLO or U+202E) Unicode character in a download filename, which allows remote attackers to spoof file extensions via a crafted filename, as demonstrated by displaying a non-executable extension for an executable file. Low CVE-2009-3376 SUSE bug 522109 SUSE bug 545277 SUSE bug 590499 SUSE bug 607935 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in liboggz before cf5feeaab69b05e24, as used in Mozilla Firefox 3.5.x before 3.5.4, allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors. Critical CVE-2009-3377 SUSE bug 522109 SUSE bug 545277 SUSE Linux Enterprise Server 11 SP3 The oggplay_data_handle_theora_frame function in media/liboggplay/src/liboggplay/oggplay_data.c in liboggplay, as used in Mozilla Firefox 3.5.x before 3.5.4, attempts to reuse an earlier frame data structure upon encountering a decoding error for the first frame, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly execute arbitrary code via a crafted .ogg video file. Critical CVE-2009-3378 SUSE bug 522109 SUSE bug 545277 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in libvorbis, as used in Mozilla Firefox 3.5.x before 3.5.4, allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors. NOTE: this might overlap CVE-2009-2663. Moderate CVE-2009-3379 SUSE bug 522109 SUSE bug 545277 SUSE bug 608192 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 3.0.x before 3.0.15 and 3.5.x before 3.5.4 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Important CVE-2009-3380 SUSE bug 522109 SUSE bug 545277 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 3.5.x before 3.5.4 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Critical CVE-2009-3381 SUSE bug 522109 SUSE bug 545277 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in the JavaScript engine in Mozilla Firefox 3.5.x before 3.5.4 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Critical CVE-2009-3383 SUSE bug 522109 SUSE bug 545277 SUSE Linux Enterprise Server 11 SP3 liboggplay in Mozilla Firefox 3.5.x before 3.5.6 and SeaMonkey before 2.0.1 might allow context-dependent attackers to cause a denial of service (application crash) or execute arbitrary code via unspecified vectors, related to "memory safety issues." Critical CVE-2009-3388 SUSE bug 559807 SUSE Linux Enterprise Server 11 SP3 Integer overflow in libtheora in Xiph.Org Theora before 1.1, as used in Mozilla Firefox 3.5 before 3.5.6 and SeaMonkey before 2.0.1, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a video with large dimensions. Critical CVE-2009-3389 SUSE bug 559807 SUSE bug 581722 SUSE Linux Enterprise Server 11 SP3 packet-paltalk.c in the Paltalk dissector in Wireshark 1.2.0 through 1.2.2, on SPARC and certain other platforms, allows remote attackers to cause a denial of service (application crash) via a file that records a malformed packet trace. Moderate CVE-2009-3549 SUSE bug 550320 SUSE Linux Enterprise Server 11 SP3 The DCERPC/NT dissector in Wireshark 0.10.10 through 1.0.9 and 1.2.0 through 1.2.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a file that records a malformed packet trace. NOTE: some of these details are obtained from third party information. Low CVE-2009-3550 SUSE bug 550320 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the abstract file-descriptor handling interface in the cupsdDoSelect function in scheduler/select.c in the scheduler in cupsd in CUPS 1.3.7 and 1.3.10 allows remote attackers to cause a denial of service (daemon crash or hang) via a client disconnection during listing of a large number of print jobs, related to improperly maintaining a reference count. NOTE: some of these details are obtained from third party information. Moderate CVE-2009-3553 SUSE bug 554861 SUSE bug 574336 SUSE bug 578215 SUSE Linux Enterprise Server 11 SP3 The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue. Important CVE-2009-3555 SUSE bug 1077582 SUSE bug 459468 SUSE bug 552497 SUSE bug 553641 SUSE bug 554069 SUSE bug 554084 SUSE bug 554085 SUSE bug 555177 SUSE bug 557168 SUSE bug 564507 SUSE bug 566041 SUSE bug 584292 SUSE bug 586567 SUSE bug 586809 SUSE bug 588996 SUSE bug 590826 SUSE bug 592589 SUSE bug 594415 SUSE bug 604782 SUSE bug 614753 SUSE bug 622073 SUSE bug 623905 SUSE bug 629905 SUSE bug 642531 SUSE bug 646073 SUSE bug 646906 SUSE bug 648140 SUSE bug 648950 SUSE bug 659926 SUSE bug 670152 SUSE bug 704832 SUSE bug 728876 SUSE bug 729181 SUSE bug 753357 SUSE bug 791794 SUSE bug 799454 SUSE bug 815621 SUSE bug 979060 SUSE bug 986238 SUSE Linux Enterprise Server 11 SP3 The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, as used in the XML-Twig module for Perl, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with malformed UTF-8 sequences that trigger a buffer over-read, related to the doProlog function in lib/xmlparse.c, a different vulnerability than CVE-2009-2625 and CVE-2009-3720. Moderate CVE-2009-3560 SUSE bug 550666 SUSE bug 558892 SUSE bug 561561 SUSE bug 581162 SUSE bug 581765 SUSE bug 611931 SUSE bug 694595 SUSE bug 725950 SUSE Linux Enterprise Server 11 SP3 Integer overflow in the create_surface_from_thumbnail_data function in glib/poppler-page.cc in Poppler 0.x allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted PDF document that triggers a heap-based buffer overflow. NOTE: some of these details are obtained from third party information. Critical CVE-2009-3607 SUSE bug 546393 SUSE bug 566697 SUSE Linux Enterprise Server 11 SP3 Integer overflow in the ObjectStream::ObjectStream function in XRef.cc in Xpdf 3.x before 3.02pl4 and Poppler before 0.12.1, as used in GPdf, kdegraphics KPDF, CUPS pdftops, and teTeX, might allow remote attackers to execute arbitrary code via a crafted PDF document that triggers a heap-based buffer overflow. Moderate CVE-2009-3608 SUSE bug 543090 SUSE bug 543410 SUSE bug 546400 SUSE bug 546404 SUSE bug 556049 SUSE bug 566697 SUSE Linux Enterprise Server 11 SP3 The decode_entities function in util.c in HTML-Parser before 3.63 allows context-dependent attackers to cause a denial of service (infinite loop) via an incomplete SGML numeric character reference, which triggers generation of an invalid UTF-8 character. Moderate CVE-2009-3627 SUSE bug 550076 SUSE bug 585716 SUSE Linux Enterprise Server 11 SP3 Buffer overflow in sgLog.c in squidGuard 1.3 and 1.4 allows remote attackers to cause a denial of service (application hang or loss of blocking functionality) via a long URL with many / (slash) characters, related to "emergency mode." Moderate CVE-2009-3700 SUSE bug 550930 SUSE Linux Enterprise Server 11 SP3 The updatePosition function in lib/xmltok_impl.c in libexpat in Expat 2.0.1, as used in Python, PyXML, w3c-libwww, and other software, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with crafted UTF-8 sequences that trigger a buffer over-read, a different vulnerability than CVE-2009-2625. Moderate CVE-2009-3720 SUSE bug 534721 SUSE bug 550664 SUSE bug 550666 SUSE bug 558892 SUSE bug 561561 SUSE bug 581162 SUSE bug 581765 SUSE bug 611931 SUSE bug 725950 SUSE Linux Enterprise Server 11 SP3 ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b, as used in Ham Radio Control Libraries, Q, and possibly other products, attempts to open a .la file in the current working directory, which allows local users to gain privileges via a Trojan horse file. Moderate CVE-2009-3736 SUSE bug 556122 SUSE Linux Enterprise Server 11 SP3 Off-by-one error in the Ins_MINDEX function in the TrueType bytecode interpreter in Ghostscript before 8.71 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a malformed TrueType font in a document that trigger an integer overflow and a heap-based buffer overflow. Moderate CVE-2009-3743 SUSE bug 635004 SUSE bug 774185 SUSE bug 939342 SUSE Linux Enterprise Server 11 SP3 Multiple buffer overflows in squidGuard 1.4 allow remote attackers to bypass intended URL blocking via a long URL, related to (1) the relationship between a certain buffer size in squidGuard and a certain buffer size in Squid and (2) a redirect URL that contains information about the originally requested URL. Moderate CVE-2009-3826 SUSE bug 550930 SUSE Linux Enterprise Server 11 SP3 Integer overflow in wiretap/erf.c in Wireshark before 1.2.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted erf file, related to an "unsigned integer wrap vulnerability." Moderate CVE-2009-3829 SUSE bug 553215 SUSE Linux Enterprise Server 11 SP3 The poll_mode_io file for the megaraid_sas driver in the Linux kernel 2.6.31.6 and earlier has world-writable permissions, which allows local users to change the I/O mode of the driver by modifying this file. Moderate CVE-2009-3939 SUSE bug 555173 SUSE bug 557180 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, SeaMonkey before 2.0.1, and Thunderbird allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Moderate CVE-2009-3979 SUSE bug 559807 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 3.5.x before 3.5.6, SeaMonkey before 2.0.1, and Thunderbird allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Critical CVE-2009-3980 SUSE bug 559807 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in the JavaScript engine in Mozilla Firefox 3.5.x before 3.5.6, SeaMonkey before 2.0.1, and Thunderbird allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Critical CVE-2009-3982 SUSE bug 559807 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey before 2.0.1, allows remote attackers to send authenticated requests to arbitrary applications by replaying the NTLM credentials of a browser user. Moderate CVE-2009-3983 SUSE bug 559807 SUSE bug 590499 SUSE bug 607935 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey before 2.0.1, allows remote attackers to spoof an SSL indicator for an http URL or a file URL by setting document.location to an https URL corresponding to a site that responds with a No Content (aka 204) status code and an empty body. Moderate CVE-2009-3984 SUSE bug 559807 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey before 2.0.1, allows remote attackers to associate spoofed content with an invalid URL by setting document.location to this URL, and then writing arbitrary web script or HTML to the associated blank document, a related issue to CVE-2009-2654. Moderate CVE-2009-3985 SUSE bug 559807 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, and SeaMonkey before 2.0.3, does not properly restrict read access to object properties in showModalDialog, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via crafted dialogArguments values. Moderate CVE-2009-3988 SUSE bug 576969 SUSE bug 581160 SUSE bug 584499 SUSE Linux Enterprise Server 11 SP3 mysqld in MySQL 5.0.x before 5.0.88 and 5.1.x before 5.1.41 does not (1) properly handle errors during execution of certain SELECT statements with subqueries, and does not (2) preserve certain null_value flags during execution of statements that use the GeomFromWKB function, which allows remote authenticated users to cause a denial of service (daemon crash) via a crafted statement. Low CVE-2009-4019 SUSE bug 557669 SUSE bug 604528 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P4, 9.5 before 9.5.2-P1, 9.6 before 9.6.1-P2, and 9.7 beta before 9.7.0b3, with DNSSEC validation enabled and checking disabled (CD), allows remote attackers to conduct DNS cache poisoning attacks by receiving a recursive client query and sending a response that contains an Additional section with crafted data, which is not properly handled when the response is processed "at the same time as requesting DNSSEC records (DO)," aka Bug 20438. Important CVE-2009-4022 SUSE bug 558260 SUSE bug 570912 SUSE bug 644911 SUSE Linux Enterprise Server 11 SP3 The mac80211 subsystem in the Linux kernel before 2.6.32-rc8-next-20091201 allows remote attackers to cause a denial of service (panic) via a crafted Delete Block ACK (aka DELBA) packet, related to an erroneous "code shuffling patch." Important CVE-2009-4026 SUSE bug 558267 SUSE Linux Enterprise Server 11 SP3 Race condition in the mac80211 subsystem in the Linux kernel before 2.6.32-rc8-next-20091201 allows remote attackers to cause a denial of service (system crash) via a Delete Block ACK (aka DELBA) packet that triggers a certain state change in the absence of an aggregation session. Important CVE-2009-4027 SUSE bug 558267 SUSE Linux Enterprise Server 11 SP3 The vio_verify_callback function in viosslfactories.c in MySQL 5.0.x before 5.0.88 and 5.1.x before 5.1.41, when OpenSSL is used, accepts a value of zero for the depth of X.509 certificates, which allows man-in-the-middle attackers to spoof arbitrary SSL-based MySQL servers via a crafted certificate, as demonstrated by a certificate presented by a server linked against the yaSSL library. Moderate CVE-2009-4028 SUSE bug 557669 SUSE bug 604528 SUSE Linux Enterprise Server 11 SP3 MySQL 5.1.x before 5.1.41 allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are originally associated with pathnames without symlinks, and that can point to tables created at a future time at which a pathname is modified to contain a symlink to a subdirectory of the MySQL data home directory, related to incorrect calculation of the mysql_unpacked_real_data_home value. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4098 and CVE-2008-2079. Low CVE-2009-4030 SUSE bug 557669 SUSE bug 604528 SUSE Linux Enterprise Server 11 SP3 PostgreSQL 7.4.x before 7.4.27, 8.0.x before 8.0.23, 8.1.x before 8.1.19, 8.2.x before 8.2.15, 8.3.x before 8.3.9, and 8.4.x before 8.4.2 does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which (1) allows man-in-the-middle attackers to spoof arbitrary SSL-based PostgreSQL servers via a crafted server certificate issued by a legitimate Certification Authority, and (2) allows remote attackers to bypass intended client-hostname restrictions via a crafted client certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. Low CVE-2009-4034 SUSE bug 564710 SUSE bug 603968 SUSE Linux Enterprise Server 11 SP3 The EXT4_IOC_MOVE_EXT (aka move extents) ioctl implementation in the ext4 filesystem in the Linux kernel before 2.6.32-git6 allows local users to overwrite arbitrary files via a crafted request, related to insufficient checks for file permissions. Important CVE-2009-4131 SUSE bug 561018 SUSE bug 564380 SUSE Linux Enterprise Server 11 SP3 PostgreSQL 7.4.x before 7.4.27, 8.0.x before 8.0.23, 8.1.x before 8.1.19, 8.2.x before 8.2.15, 8.3.x before 8.3.9, and 8.4.x before 8.4.2 does not properly manage session-local state during execution of an index function by a database superuser, which allows remote authenticated users to gain privileges via a table with crafted index functions, as demonstrated by functions that modify (1) search_path or (2) a prepared statement, a related issue to CVE-2007-6600 and CVE-2009-3230. Moderate CVE-2009-4136 SUSE bug 564360 SUSE bug 603969 SUSE Linux Enterprise Server 11 SP3 drivers/firewire/ohci.c in the Linux kernel before 2.6.32-git9, when packet-per-buffer mode is used, allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unknown other impact via an unspecified ioctl associated with receiving an ISO packet that contains zero in the payload-length field. Moderate CVE-2009-4138 SUSE bug 564712 SUSE Linux Enterprise Server 11 SP3 NetworkManager (NM) 0.7.2 does not ensure that the configured Certification Authority (CA) certificate file for a (1) WPA Enterprise or (2) 802.1x network remains present upon a connection attempt, which might allow remote attackers to obtain sensitive information or cause a denial of service (connectivity disruption) by spoofing the identity of a wireless network. Moderate CVE-2009-4144 SUSE bug 565549 SUSE Linux Enterprise Server 11 SP3 nm-connection-editor in NetworkManager (NM) 0.7.x exports connection objects over D-Bus upon actions in the connection editor GUI, which allows local users to obtain sensitive information by reading D-Bus signals, as demonstrated by using dbus-monitor to discover the password for the WiFi network. Moderate CVE-2009-4145 SUSE bug 565549 SUSE Linux Enterprise Server 11 SP3 Multiple integer underflows in the (1) AES and (2) RC4 decryption functionality in the crypto library in MIT Kerberos 5 (aka krb5) 1.3 through 1.6.3, and 1.7 before 1.7.1, allow remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code by providing ciphertext with a length that is too short to be valid. Critical CVE-2009-4212 SUSE bug 561351 SUSE Linux Enterprise Server 11 SP3 stap-server in SystemTap before 1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in stap command-line arguments in a request. Important CVE-2009-4273 SUSE bug 574243 SUSE Linux Enterprise Server 11 SP3 Stack-based buffer overflow in converter/ppm/xpmtoppm.c in netpbm before 10.47.07 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an XPM image file that contains a crafted header field associated with a large color index value. Moderate CVE-2009-4274 SUSE bug 579903 SUSE bug 588439 SUSE Linux Enterprise Server 11 SP3 Memory leak in the zlib_stateful_finish function in crypto/comp/c_zlib.c in OpenSSL 0.9.8l and earlier and 1.0.0 Beta through Beta 4 allows remote attackers to cause a denial of service (memory consumption) via vectors that trigger incorrect calls to the CRYPTO_cleanup_all_ex_data function, as demonstrated by use of SSLv3 and PHP with the Apache HTTP Server, a related issue to CVE-2008-1678. Moderate CVE-2009-4355 SUSE bug 459468 SUSE bug 552497 SUSE bug 566238 SUSE bug 629905 SUSE Linux Enterprise Server 11 SP3 The (1) SMB and (2) SMB2 dissectors in Wireshark 0.9.0 through 1.2.4 allow remote attackers to cause a denial of service (crash) via a crafted packet that triggers a NULL pointer dereference, as demonstrated by fuzz-2009-12-07-11141.pcap. Moderate CVE-2009-4377 SUSE bug 565902 SUSE bug 590352 SUSE Linux Enterprise Server 11 SP3 Multiple stack-based buffer overflows in the CertDecoder::GetName function in src/asn.cpp in TaoCrypt in yaSSL before 1.9.9, as used in mysqld in MySQL 5.0.x before 5.0.90, MySQL 5.1.x before 5.1.43, MySQL 5.5.x through 5.5.0-m2, and other products, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption and daemon crash) by establishing an SSL connection and sending an X.509 client certificate with a crafted name field, as demonstrated by mysql_overflow1.py and the vd_mysql5 module in VulnDisco Pack Professional 8.11. NOTE: this was originally reported for MySQL 5.0.51a. Important CVE-2009-4484 SUSE bug 567977 SUSE bug 604528 SUSE Linux Enterprise Server 11 SP3 WEBrick 1.3.1 in Ruby 1.8.6 through patchlevel 383, 1.8.7 through patchlevel 248, 1.8.8dev, 1.9.1 through patchlevel 376, and 1.9.2dev writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator. Moderate CVE-2009-4492 SUSE bug 570616 SUSE bug 580482 SUSE Linux Enterprise Server 11 SP3 drivers/net/e1000/e1000_main.c in the e1000 driver in the Linux kernel 2.6.32.3 and earlier handles Ethernet frames that exceed the MTU by processing certain trailing payload data as if it were a complete frame, which allows remote attackers to bypass packet filters via a large packet with a crafted payload. NOTE: this vulnerability exists because of an incorrect fix for CVE-2009-1385. Important CVE-2009-4536 SUSE bug 567376 SUSE Linux Enterprise Server 11 SP3 drivers/net/r8169.c in the r8169 driver in the Linux kernel 2.6.32.3 and earlier does not properly check the size of an Ethernet frame that exceeds the MTU, which allows remote attackers to (1) cause a denial of service (temporary network outage) via a packet with a crafted size, in conjunction with certain packets containing A characters and certain packets containing E characters; or (2) cause a denial of service (system crash) via a packet with a crafted size, in conjunction with certain packets containing '\0' characters, related to the value of the status register and erroneous behavior associated with the RxMaxSize register. NOTE: this vulnerability exists because of an incorrect fix for CVE-2009-1389. Important CVE-2009-4537 SUSE bug 567376 SUSE bug 653148 SUSE Linux Enterprise Server 11 SP3 drivers/net/e1000e/netdev.c in the e1000e driver in the Linux kernel 2.6.32.3 and earlier does not properly check the size of an Ethernet frame that exceeds the MTU, which allows remote attackers to have an unspecified impact via crafted packets, a related issue to CVE-2009-4537. Moderate CVE-2009-4538 SUSE bug 567376 SUSE Linux Enterprise Server 11 SP3 The (1) htk_read_header, (2) alaw_init, (3) ulaw_init, (4) pcm_init, (5) float32_init, and (6) sds_read_header functions in libsndfile 1.0.20 allow context-dependent attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted audio file. Moderate CVE-2009-4835 SUSE bug 631379 SUSE Linux Enterprise Server 11 SP3 The executable comment feature in MySQL 5.0.x before 5.0.93 and 5.1.x before 5.1.50, when running in certain slave configurations in which the slave is running a newer version than the master, allows remote attackers to execute arbitrary SQL commands via custom comments. Moderate CVE-2009-5026 SUSE bug 726602 SUSE Linux Enterprise Server 11 SP3 Integer overflow in the __tzfile_read function in glibc before 2.15 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted timezone (TZ) file, as demonstrated using vsftpd. Moderate CVE-2009-5029 SUSE bug 735850 SUSE bug 736174 SUSE bug 759836 SUSE bug 826666 SUSE bug 920055 SUSE Linux Enterprise Server 11 SP3 ModSecurity before 2.5.11 treats request parameter values containing single quotes as files, which allows remote attackers to bypass filtering rules and perform other attacks such as cross-site scripting (XSS) attacks via a single quote in a request parameter in the Content-Disposition field of a request with a multipart/form-data Content-Type header. Moderate CVE-2009-5031 SUSE bug 768293 SUSE Linux Enterprise Server 11 SP3 Memory leak in the embedded_profile_len function in pngwutil.c in libpng before 1.2.39beta5 allows context-dependent attackers to cause a denial of service (memory leak or segmentation fault) via a JPEG image containing an iCCP chunk with a negative embedded profile length. NOTE: this is due to an incomplete fix for CVE-2006-7244. Moderate CVE-2009-5063 SUSE bug 680146 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA GnuTLS before 2.7.6, when the GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT flag is not enabled, treats version 1 X.509 certificates as intermediate CAs, which allows remote attackers to bypass intended restrictions by leveraging a X.509 V1 certificate from a trusted CA to issue new certificates, a different vulnerability than CVE-2014-1959. Important CVE-2009-5138 SUSE bug 865993 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2009-5146 SUSE bug 915976 SUSE bug 919648 SUSE bug 922647 SUSE Linux Enterprise Server 11 SP3-TERADATA In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match. Moderate CVE-2009-5155 SUSE bug 1127223 SUSE Linux Enterprise Server 11 SP3 Integer underflow in the unlzw function in unlzw.c in gzip before 1.4 on 64-bit platforms, as used in ncompress and probably others, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted archive that uses LZW compression, leading to an array index error. Important CVE-2010-0001 SUSE bug 570331 SUSE bug 588113 SUSE Linux Enterprise Server 11 SP3 Puppet 0.24.x before 0.24.9 and 0.25.x before 0.25.2 allows local users to overwrite arbitrary files via a symlink attack on the (1) /tmp/daemonout, (2) /tmp/puppetdoc.txt, (3) /tmp/puppetdoc.tex, or (4) /tmp/puppetdoc.aux temporary file. Moderate CVE-2010-0156 SUSE bug 585402 SUSE Linux Enterprise Server 11 SP3 The browser engine in Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, Thunderbird before 3.0.2, and SeaMonkey before 2.0.3 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to the nsBlockFrame::StealFrame function in layout/generic/nsBlockFrame.cpp, and unspecified other vectors. Moderate CVE-2010-0159 SUSE bug 576969 SUSE bug 581160 SUSE bug 584499 SUSE Linux Enterprise Server 11 SP3 The Web Worker functionality in Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, and SeaMonkey before 2.0.3, does not properly handle array data types for posted messages, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors. Important CVE-2010-0160 SUSE bug 576969 SUSE bug 581160 SUSE bug 584499 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, and SeaMonkey before 2.0.3, does not properly support the application/octet-stream content type as a protection mechanism against execution of web script in certain circumstances involving SVG and the EMBED element, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via an embedded SVG document. Moderate CVE-2010-0162 SUSE bug 576969 SUSE bug 581160 SUSE bug 584499 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the imgContainer::InternalAddFrameHelper function in src/imgContainer.cpp in libpr0n in Mozilla Firefox 3.6 before 3.6.2 allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via a multipart/x-mixed-replace animation in which the frames have different bits-per-pixel (bpp) values. Critical CVE-2010-0164 SUSE Linux Enterprise Server 11 SP3 The TraceRecorder::traverseScopeChain function in js/src/jstracer.cpp in the browser engine in Mozilla Firefox 3.6 before 3.6.2 allows remote attackers to cause a denial of service (memory corruption and application crash) and possibly execute arbitrary code via vectors involving certain indirect calls to the JavaScript eval function. Critical CVE-2010-0165 SUSE Linux Enterprise Server 11 SP3 The gfxTextRun::SanitizeGlyphRuns function in gfx/thebes/src/gfxFont.cpp in the browser engine in Mozilla Firefox 3.6 before 3.6.2 on Mac OS X, when the Core Text API is used, does not properly perform certain deletions, which allows remote attackers to cause a denial of service (memory corruption and application crash) and possibly execute arbitrary code via an HTML document containing invisible Unicode characters, as demonstrated by the U+FEFF, U+FFF9, U+FFFA, and U+FFFB characters. Moderate CVE-2010-0166 SUSE Linux Enterprise Server 11 SP3 The browser engine in Mozilla Firefox 3.0.x before 3.0.18, 3.5.x before 3.5.8, and 3.6.x before 3.6.2; Thunderbird before 3.0.2; and SeaMonkey before 2.0.3 allows remote attackers to cause a denial of service (memory corruption and application crash) and possibly execute arbitrary code via vectors related to (1) layout/generic/nsBlockFrame.cpp and (2) the _evaluate function in modules/plugin/base/src/nsNPAPIPlugin.cpp. Important CVE-2010-0167 SUSE Linux Enterprise Server 11 SP3 The nsDocument::MaybePreLoadImage function in content/base/src/nsDocument.cpp in the image-preloading implementation in Mozilla Firefox 3.6 before 3.6.2 does not apply scheme restrictions and policy restrictions to the image's URL, which might allow remote attackers to cause a denial of service (application crash or hang) or hijack the functionality of the browser's add-ons via a crafted SRC attribute of an IMG element, as demonstrated by remote command execution through an ssh: URL in a configuration that supports gnome-vfs with a nonstandard network.gnomevfs.supported-protocols setting. Important CVE-2010-0168 SUSE Linux Enterprise Server 11 SP3 The CSSLoaderImpl::DoSheetComplete function in layout/style/nsCSSLoader.cpp in Mozilla Firefox 3.0.x before 3.0.18, 3.5.x before 3.5.8, and 3.6.x before 3.6.2; Thunderbird before 3.0.2; and SeaMonkey before 2.0.3 changes the case of certain strings in a stylesheet before adding this stylesheet to the XUL cache, which might allow remote attackers to modify the browser's font and other CSS attributes, and potentially disrupt rendering of a web page, by forcing the browser to perform this erroneous stylesheet caching. Moderate CVE-2010-0169 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox 3.6 before 3.6.2 does not offer plugins the expected window.location protection mechanism, which might allow remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via vectors that are specific to each affected plugin. Moderate CVE-2010-0170 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox 3.0.x before 3.0.18, 3.5.x before 3.5.8, and 3.6.x before 3.6.2; Thunderbird before 3.0.2; and SeaMonkey before 2.0.3 allow remote attackers to perform cross-origin keystroke capture, and possibly conduct cross-site scripting (XSS) attacks, by using the addEventListener and setTimeout functions in conjunction with a wrapped object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2007-3736. Moderate CVE-2010-0171 SUSE Linux Enterprise Server 11 SP3 toolkit/components/passwordmgr/src/nsLoginManagerPrompter.js in the asynchronous Authorization Prompt implementation in Mozilla Firefox 3.6 before 3.6.2 does not properly handle concurrent authorization requests from multiple web sites, which might allow remote web servers to spoof an authorization dialog and capture credentials by demanding HTTP authentication in opportunistic circumstances. Moderate CVE-2010-0172 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.5.9 and 3.6.x before 3.6.2, Thunderbird before 3.0.4, and SeaMonkey before 2.0.4 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Critical CVE-2010-0173 SUSE bug 586567 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.0.19, 3.5.x before 3.5.9, and 3.6.x before 3.6.2; Thunderbird before 3.0.4; and SeaMonkey before 2.0.4 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Important CVE-2010-0174 SUSE bug 586567 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the nsTreeSelection implementation in Mozilla Firefox before 3.0.19 and 3.5.x before 3.5.9, Thunderbird before 3.0.4, and SeaMonkey before 2.0.4 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors that trigger a call to the handler for the select event for XUL tree items. Important CVE-2010-0175 SUSE bug 586567 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 3.0.19, 3.5.x before 3.5.9, and 3.6.x before 3.6.2; Thunderbird before 3.0.4; and SeaMonkey before 2.0.4 do not properly manage reference counts for option elements in a XUL tree optgroup, which might allow remote attackers to execute arbitrary code via unspecified vectors that trigger access to deleted elements, related to a "dangling pointer vulnerability." Important CVE-2010-0176 SUSE bug 586567 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 3.0.19, 3.5.x before 3.5.9, and 3.6.x before 3.6.2, and SeaMonkey before 2.0.4, frees the contents of the window.navigator.plugins array while a reference to an array element is still active, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors, related to a "dangling pointer vulnerability." Important CVE-2010-0177 SUSE bug 586567 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 3.0.19, 3.5.x before 3.5.9, and 3.6.x before 3.6.2, and SeaMonkey before 2.0.4, does not prevent applets from interpreting mouse clicks as drag-and-drop actions, which allows remote attackers to execute arbitrary JavaScript with Chrome privileges by loading a chrome: URL and then loading a javascript: URL. Important CVE-2010-0178 SUSE bug 586567 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 3.0.19 and 3.5.x before 3.5.8, and SeaMonkey before 2.0.3, when the XMLHttpRequestSpy module in the Firebug add-on is used, does not properly handle interaction between the XMLHttpRequestSpy object and chrome privileged objects, which allows remote attackers to execute arbitrary JavaScript via a crafted HTTP response. Moderate CVE-2010-0179 SUSE bug 586567 SUSE bug 657016 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 3.5.9 and 3.6.x before 3.6.2, and SeaMonkey before 2.0.4, executes a mail application in situations where an IMG element has a SRC attribute that is a redirect to a mailto: URL, which allows remote attackers to cause a denial of service (excessive application launches) via an HTML document with many images. Moderate CVE-2010-0181 SUSE bug 586567 SUSE Linux Enterprise Server 11 SP3 The XMLDocument::load function in Mozilla Firefox before 3.5.9 and 3.6.x before 3.6.2, Thunderbird before 3.0.4, and SeaMonkey before 2.0.4 does not perform the expected nsIContentPolicy checks during loading of content by XML documents, which allows attackers to bypass intended access restrictions via crafted content. Moderate CVE-2010-0182 SUSE bug 586567 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the nsCycleCollector::MarkRoots function in Mozilla Firefox 3.5.x before 3.5.10 and SeaMonkey before 2.0.5 allows remote attackers to execute arbitrary code via a crafted HTML document, related to an improper frame construction process for menus. Moderate CVE-2010-0183 SUSE bug 603356 SUSE bug 617399 SUSE Linux Enterprise Server 11 SP3 The png_decompress_chunk function in pngrutil.c in libpng 1.0.x before 1.0.53, 1.2.x before 1.2.43, and 1.4.x before 1.4.1 does not properly handle compressed ancillary-chunk data that has a disproportionately large uncompressed representation, which allows remote attackers to cause a denial of service (memory and CPU consumption, and application hang) via a crafted PNG file, as demonstrated by use of the deflate compression method on data composed of many occurrences of the same character, related to a "decompression bomb" attack. Moderate CVE-2010-0205 SUSE bug 580484 SUSE bug 585403 SUSE bug 608040 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the abstract file-descriptor handling interface in the cupsdDoSelect function in scheduler/select.c in the scheduler in cupsd in CUPS before 1.4.4, when kqueue or epoll is used, allows remote attackers to cause a denial of service (daemon crash or hang) via a client disconnection during listing of a large number of print jobs, related to improperly maintaining a reference count. NOTE: some of these details are obtained from third party information. NOTE: this vulnerability exists because of an incomplete fix for CVE-2009-3553. Moderate CVE-2010-0302 SUSE bug 574336 SUSE bug 578215 SUSE Linux Enterprise Server 11 SP3 Multiple buffer overflows in the LWRES dissector in Wireshark 0.9.15 through 1.0.10 and 1.2.0 through 1.2.5 allow remote attackers to cause a denial of service (crash) via a malformed packet, as demonstrated using a stack-based buffer overflow to the dissect_getaddrsbyname_request function. Moderate CVE-2010-0304 SUSE bug 565902 SUSE bug 590352 SUSE Linux Enterprise Server 11 SP3 lib/rfc1035.c in Squid 2.x, 3.0 through 3.0.STABLE22, and 3.1 through 3.1.0.15 allows remote attackers to cause a denial of service (assertion failure) via a crafted DNS packet that only contains a header. Moderate CVE-2010-0308 SUSE bug 576087 SUSE bug 577347 SUSE Linux Enterprise Server 11 SP3 The _cupsGetlang function, as used by lppasswd.c in lppasswd in CUPS 1.2.2, 1.3.7, 1.3.9, and 1.4.1, relies on an environment variable to determine the file that provides localized message strings, which allows local users to gain privileges via a file that contains crafted localization data with format string specifiers. Moderate CVE-2010-0393 SUSE bug 574336 SUSE Linux Enterprise Server 11 SP3 Integer overflow in the BZ2_decompress function in decompress.c in bzip2 and libbzip2 before 1.0.6 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted compressed file. Moderate CVE-2010-0405 SUSE bug 636978 SUSE bug 646682 SUSE Linux Enterprise Server 11 SP3 Multiple buffer overflows in the MSGFunctionDemarshall function in winscard_svc.c in the PC/SC Smart Card daemon (aka PCSCD) in MUSCLE PCSC-Lite before 1.5.4 allow local users to gain privileges via crafted message data, which is improperly demarshalled. Moderate CVE-2010-0407 SUSE bug 609317 SUSE bug 641823 SUSE Linux Enterprise Server 11 SP3 The ap_proxy_ajp_request function in mod_proxy_ajp.c in mod_proxy_ajp in the Apache HTTP Server 2.2.x before 2.2.15 does not properly handle certain situations in which a client sends no request body, which allows remote attackers to cause a denial of service (backend server outage) via a crafted request, related to use of a 500 error code instead of the appropriate 400 error code. Moderate CVE-2010-0408 SUSE bug 586572 SUSE bug 601151 SUSE Linux Enterprise Server 11 SP3 Buffer overflow in the GMIME_UUENCODE_LEN macro in gmime/gmime-encodings.h in GMime before 2.4.15 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via input data for a uuencode operation. Moderate CVE-2010-0409 SUSE bug 576923 SUSE Linux Enterprise Server 11 SP3 gnome-screensaver before 2.28.2 allows physically proximate attackers to bypass screen locking and access an unattended workstation by moving the mouse position to an external monitor and then disconnecting that monitor. Important CVE-2010-0414 SUSE bug 577951 SUSE bug 579250 SUSE Linux Enterprise Server 11 SP3 The do_pages_move function in mm/migrate.c in the Linux kernel before 2.6.33-rc7 does not validate node values, which allows local users to read arbitrary kernel memory locations, cause a denial of service (OOPS), and possibly have unspecified other impact by specifying a node that is not part of the kernel's node set. Moderate CVE-2010-0415 SUSE bug 577753 SUSE bug 653148 SUSE Linux Enterprise Server 11 SP3 gnome-screensaver 2.28.x before 2.28.3 does not properly synchronize the state of screen locking and the unlock dialog in situations involving a change to the number of monitors, which allows physically proximate attackers to bypass screen locking and access an unattended workstation by connecting and disconnecting monitors multiple times, a related issue to CVE-2010-0414. Moderate CVE-2010-0422 SUSE bug 577951 SUSE bug 579881 SUSE Linux Enterprise Server 11 SP3 The edit_cmd function in crontab.c in (1) cronie before 1.4.4 and (2) Vixie cron (vixie-cron) allows local users to change the modification times of arbitrary files, and consequently cause a denial of service, via a symlink attack on a temporary file in the /tmp directory. Moderate CVE-2010-0424 SUSE bug 579447 SUSE bug 580800 SUSE bug 589640 SUSE bug 590353 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA modules/arch/win32/mod_isapi.c in mod_isapi in the Apache HTTP Server 2.0.37 through 2.0.63, 2.2.0 through 2.2.14, and 2.3.x before 2.3.7, when running on Windows, does not ensure that request processing is complete before calling isapi_unload for an ISAPI .dll module, which allows remote attackers to execute arbitrary code via unspecified vectors related to a crafted request, a reset packet, and "orphaned callback pointers." Critical CVE-2010-0425 SUSE bug 1078450 SUSE bug 1095150 SUSE bug 586572 SUSE bug 601151 SUSE Linux Enterprise Server 11 SP3 sudo 1.6.x before 1.6.9p21 and 1.7.x before 1.7.2p4, when a pseudo-command is enabled, permits a match between the name of the pseudo-command and the name of an executable file in an arbitrary directory, which allows local users to gain privileges via a crafted executable file, as demonstrated by a file named sudoedit in a user's home directory. Moderate CVE-2010-0426 SUSE bug 582555 SUSE bug 582556 SUSE bug 588501 SUSE Linux Enterprise Server 11 SP3 sudo 1.6.x before 1.6.9p21, when the runas_default option is used, does not properly set group memberships, which allows local users to gain privileges via a sudo command. Moderate CVE-2010-0427 SUSE bug 582555 SUSE Linux Enterprise Server 11 SP3 The ap_read_request function in server/protocol.c in the Apache HTTP Server 2.2.x before 2.2.15, when a multithreaded MPM is used, does not properly handle headers in subrequests in certain circumstances involving a parent request that has a body, which might allow remote attackers to obtain sensitive information via a crafted request that triggers access to memory locations associated with an earlier request. Low CVE-2010-0434 SUSE bug 586572 SUSE bug 601151 SUSE Linux Enterprise Server 11 SP3 Race condition in backend/ctrl.c in KDM in KDE Software Compilation (SC) 2.2.0 through 4.4.2 allows local users to change the permissions of arbitrary files, and consequently gain privileges, by blocking the removal of a certain directory that contains a control socket, related to improper interaction with ksm. Moderate CVE-2010-0436 SUSE bug 584223 SUSE Linux Enterprise Server 11 SP3 The bitsubstr function in backend/utils/adt/varbit.c in PostgreSQL 8.0.23, 8.1.11, and 8.3.8 allows remote authenticated users to cause a denial of service (daemon crash) or have unspecified other impact via vectors involving a negative integer in the third argument, as demonstrated by a SELECT statement that contains a call to the substring function for a bit string, related to an "overflow." Moderate CVE-2010-0442 SUSE bug 574667 SUSE bug 588996 SUSE bug 648140 SUSE Linux Enterprise Server 11 SP3 Cross-site request forgery (CSRF) vulnerability in the web interface in CUPS before 1.4.4, as used on Apple Mac OS X 10.5.8, Mac OS X 10.6 before 10.6.4, and other platforms, allows remote attackers to hijack the authentication of administrators for requests that change settings. Moderate CVE-2010-0540 SUSE bug 601830 SUSE bug 671735 SUSE bug 680210 SUSE bug 680212 SUSE bug 700987 SUSE bug 711490 SUSE bug 715643 SUSE bug 748422 SUSE Linux Enterprise Server 11 SP3 Cross-site scripting (XSS) vulnerability in the WEBrick HTTP server in Ruby in Apple Mac OS X 10.5.8, and 10.6 before 10.6.4, allows remote attackers to inject arbitrary web script or HTML via a crafted URI that triggers a UTF-7 error page. Moderate CVE-2010-0541 SUSE bug 600752 SUSE Linux Enterprise Server 11 SP3 The _WriteProlog function in texttops.c in texttops in the Text Filter subsystem in CUPS before 1.4.4 does not check the return values of certain calloc calls, which allows remote attackers to cause a denial of service (NULL pointer dereference or heap memory corruption) or possibly execute arbitrary code via a crafted file. Moderate CVE-2010-0542 SUSE bug 601352 SUSE bug 644521 SUSE bug 657780 SUSE Linux Enterprise Server 11 SP3 client/mount.cifs.c in mount.cifs in smbfs in Samba 3.4.5 and earlier does not verify that the (1) device name and (2) mountpoint strings are composed of valid characters, which allows local users to cause a denial of service (mtab corruption) via a crafted string. Moderate CVE-2010-0547 SUSE bug 577868 SUSE bug 577925 SUSE bug 583535 SUSE bug 583536 SUSE bug 594263 SUSE bug 597421 SUSE bug 602694 SUSE bug 709819 SUSE Linux Enterprise Server 11 SP3 The wake_futex_pi function in kernel/futex.c in the Linux kernel before 2.6.33-rc7 does not properly handle certain unlock operations for a Priority Inheritance (PI) futex, which allows local users to cause a denial of service (OOPS) and possibly have unspecified other impact via vectors involving modification of the futex value from user space. Moderate CVE-2010-0622 SUSE bug 579439 SUSE bug 653148 SUSE Linux Enterprise Server 11 SP3 The futex_lock_pi function in kernel/futex.c in the Linux kernel before 2.6.33-rc7 does not properly manage a certain reference count, which allows local users to cause a denial of service (OOPS) via vectors involving an unmount of an ext3 filesystem. Moderate CVE-2010-0623 SUSE bug 579439 SUSE bug 653148 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in the rmt_read__ function in lib/rtapelib.c in the rmt client functionality in GNU tar before 1.23 and GNU cpio before 2.11 allows remote rmt servers to cause a denial of service (memory corruption) or possibly execute arbitrary code by sending more data than was requested, related to archive filenames that contain a : (colon) character. Moderate CVE-2010-0624 SUSE bug 579475 SUSE bug 608034 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in kadmin/server/server_stubs.c in kadmind in MIT Kerberos 5 (aka krb5) 1.5 through 1.6.3 allows remote authenticated users to cause a denial of service (daemon crash) via a request from a kadmin client that sends an invalid API version number. Moderate CVE-2010-0629 SUSE bug 591049 SUSE Linux Enterprise Server 11 SP3 The htcpHandleTstRequest function in htcp.c in Squid 2.x before 2.6.STABLE24 and 2.7 before 2.7.STABLE8, and htcp.cc in 3.0 before 3.0.STABLE24, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via crafted packets to the HTCP port. Moderate CVE-2010-0639 SUSE bug 587375 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox 3.5.x before 3.5.11 and 3.6.x before 3.6.7, Thunderbird 3.0.x before 3.0.6 and 3.1.x before 3.1.1, and SeaMonkey before 2.0.6 permit cross-origin loading of CSS stylesheets even when the stylesheet download has an incorrect MIME type and the stylesheet document is malformed, which allows remote attackers to obtain sensitive information via a crafted document. Moderate CVE-2010-0654 SUSE bug 583603 SUSE bug 622506 SUSE Linux Enterprise Server 11 SP3 smbd in Samba 3.3.11, 3.4.6, and 3.5.0, when libcap support is enabled, runs with the CAP_DAC_OVERRIDE capability, which allows remote authenticated users to bypass intended file permissions via standard filesystem operations with any client. Important CVE-2010-0728 SUSE bug 586683 SUSE Linux Enterprise Server 11 SP3 The ssl3_get_record function in ssl/s3_pkt.c in OpenSSL 0.9.8f through 0.9.8m allows remote attackers to cause a denial of service (crash) via a malformed record in a TLS connection that triggers a NULL pointer dereference, related to the minor version number. NOTE: some of these details are obtained from third party information. Moderate CVE-2010-0740 SUSE bug 590833 SUSE bug 629905 SUSE Linux Enterprise Server 11 SP3 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2010-3552. Reason: This candidate is a reservation duplicate of CVE-2010-3552. Notes: All CVE users should reference CVE-2010-3552 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Important CVE-2010-0771 SUSE bug 659926 SUSE Linux Enterprise Server 11 SP3 client/mount.cifs.c in mount.cifs in smbfs in Samba 3.0.22, 3.0.28a, 3.2.3, 3.3.2, 3.4.0, and 3.4.5 allows local users to mount a CIFS share on an arbitrary mountpoint, and gain privileges, via a symlink attack on the mountpoint directory file. Moderate CVE-2010-0787 SUSE bug 550002 SUSE bug 602694 SUSE bug 620680 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Directory traversal vulnerability in the extract_jar function in jartool.c in FastJar 0.98 allows remote attackers to create or overwrite arbitrary files via a .. (dot dot) in a non-initial pathname component in a filename within a .jar archive, a related issue to CVE-2005-1080. NOTE: this vulnerability exists because of an incomplete fix for CVE-2006-3619. Moderate CVE-2010-0831 SUSE bug 607043 SUSE bug 607762 SUSE bug 818591 SUSE Linux Enterprise Server 11 SP3 The default configuration of smbd in Samba before 3.3.11, 3.4.x before 3.4.6, and 3.5.x before 3.5.0rc3, when a writable share exists, allows remote authenticated users to leverage a directory traversal vulnerability, and access arbitrary files, by using the symlink command in smbclient to create a symlink containing .. (dot dot) sequences, related to the combination of the unix extensions and wide links options. Moderate CVE-2010-0926 SUSE bug 1027147 SUSE bug 577868 SUSE bug 597421 SUSE Linux Enterprise Server 11 SP3 Directory traversal vulnerability in KGet in KDE SC 4.0.0 through 4.4.3 allows remote attackers to create arbitrary files via directory traversal sequences in the name attribute of a file element in a metalink file. Important CVE-2010-1000 SUSE bug 604709 SUSE bug 687873 SUSE Linux Enterprise Server 11 SP3 Integer overflow in the decompression functionality in the Web Open Fonts Format (WOFF) decoder in Mozilla Firefox 3.6 before 3.6.2 and 3.7 before 3.7 alpha 3 allows remote attackers to execute arbitrary code via a crafted WOFF file that triggers a buffer overflow, as demonstrated by the vd_ff module in VulnDisco 9.0. Critical CVE-2010-1028 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox 3.6.x before 3.6.3 does not properly manage the scopes of DOM nodes that are moved from one document to another, which allows remote attackers to conduct use-after-free attacks and execute arbitrary code via unspecified vectors involving improper interaction with garbage collection, as demonstrated by Nils during a Pwn2Own competition at CanSecWest 2010. Important CVE-2010-1121 SUSE bug 603356 SUSE Linux Enterprise Server 11 SP3 The JavaScript implementation in Mozilla Firefox 3.x before 3.5.10 and 3.6.x before 3.6.4, and SeaMonkey before 2.0.5, allows remote attackers to send selected keystrokes to a form field in a hidden frame, instead of the intended form field in a visible frame, via certain calls to the focus method. Moderate CVE-2010-1125 SUSE bug 603356 SUSE Linux Enterprise Server 11 SP3 The Linux kernel 2.6.33.2 and earlier, when a ReiserFS filesystem exists, does not restrict read or write access to the .reiserfs_priv directory, which allows local users to gain privileges by modifying (1) extended attributes or (2) ACLs, as demonstrated by deleting a file under .reiserfs_priv/xattrs/. Moderate CVE-2010-1146 SUSE bug 593906 SUSE Linux Enterprise Server 11 SP3 Apache Tomcat 5.5.0 through 5.5.29 and 6.0.0 through 6.0.26 might allow remote attackers to discover the server's hostname or IP address by sending a request for a resource that requires (1) BASIC or (2) DIGEST authentication, and then reading the realm field in the WWW-Authenticate header in the reply. Low CVE-2010-1157 SUSE bug 599554 SUSE bug 622188 SUSE bug 655440 SUSE Linux Enterprise Server 11 SP3 The Safe (aka Safe.pm) module before 2.25 for Perl allows context-dependent attackers to bypass intended (1) Safe::reval and (2) Safe::rdo access restrictions, and inject and execute arbitrary code, via vectors involving implicitly called methods and implicitly blessed objects, as demonstrated by the (a) DESTROY and (b) AUTOLOAD methods, related to "automagic methods." Moderate CVE-2010-1168 SUSE bug 605845 SUSE bug 605918 SUSE bug 605926 SUSE bug 605928 SUSE bug 634562 SUSE Linux Enterprise Server 11 SP3 PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, 8.4 before 8.4.4, and 9.0 Beta before 9.0 Beta 2 does not properly restrict PL/perl procedures, which allows remote authenticated users, with database-creation privileges, to execute arbitrary Perl code via a crafted script, related to the Safe module (aka Safe.pm) for Perl. NOTE: some sources report that this issue is the same as CVE-2010-1447. Moderate CVE-2010-1169 SUSE bug 605926 SUSE bug 648140 SUSE Linux Enterprise Server 11 SP3 The PL/Tcl implementation in PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, 8.4 before 8.4.4, and 9.0 Beta before 9.0 Beta 2 loads Tcl code from the pltcl_modules table regardless of the table's ownership and permissions, which allows remote authenticated users, with database-creation privileges, to execute arbitrary Tcl code by creating this table and inserting a crafted Tcl script. Moderate CVE-2010-1170 SUSE bug 605845 SUSE bug 605926 SUSE bug 634562 SUSE bug 648140 SUSE Linux Enterprise Server 11 SP3 DBus-GLib 0.73 disregards the access flag of exported GObject properties, which allows local users to bypass intended access restrictions and possibly cause a denial of service by modifying properties, as demonstrated by properties of the (1) DeviceKit-Power, (2) NetworkManager, and (3) ModemManager services. Moderate CVE-2010-1172 SUSE bug 628607 SUSE bug 633621 SUSE bug 633622 SUSE bug 633623 SUSE bug 633629 SUSE bug 633637 SUSE bug 633639 SUSE bug 633648 SUSE bug 633652 SUSE bug 633653 SUSE bug 633654 SUSE bug 633658 SUSE bug 633660 SUSE bug 633678 SUSE bug 633679 SUSE bug 633681 SUSE bug 633682 SUSE bug 633685 SUSE bug 633686 SUSE bug 633700 SUSE bug 633701 SUSE bug 633702 SUSE Linux Enterprise Server 11 SP3 The sctp_process_unk_param function in net/sctp/sm_make_chunk.c in the Linux kernel 2.6.33.3 and earlier, when SCTP is enabled, allows remote attackers to cause a denial of service (system crash) via an SCTPChunkInit packet containing multiple invalid parameters that require a large amount of error data. Important CVE-2010-1173 SUSE bug 600375 SUSE bug 653148 SUSE bug 702025 SUSE bug 941110 SUSE Linux Enterprise Server 11 SP3 Integer overflow in the nsGenericDOMDataNode::SetTextInternal function in Mozilla Firefox 3.5.x before 3.5.10 and 3.6.x before 3.6.4, Thunderbird before 3.0.5, and SeaMonkey before 2.0.5 allows remote attackers to execute arbitrary code via a DOM node with a long text value that triggers a heap-based buffer overflow. Important CVE-2010-1196 SUSE bug 603356 SUSE bug 617399 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox 3.5.x before 3.5.10 and 3.6.x before 3.6.4, and SeaMonkey before 2.0.5, does not properly handle situations in which both "Content-Disposition: attachment" and "Content-Type: multipart" are present in HTTP headers, which allows remote attackers to conduct cross-site scripting (XSS) attacks via an uploaded HTML document. Moderate CVE-2010-1197 SUSE bug 603356 SUSE bug 617399 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in Mozilla Firefox 3.5.x before 3.5.10 and 3.6.x before 3.6.4, and SeaMonkey before 2.0.5, allows remote attackers to execute arbitrary code via vectors involving multiple plugin instances. Important CVE-2010-1198 SUSE bug 603356 SUSE bug 617399 SUSE Linux Enterprise Server 11 SP3 Integer overflow in the XSLT node sorting implementation in Mozilla Firefox 3.5.x before 3.5.10 and 3.6.x before 3.6.4, Thunderbird before 3.0.5, and SeaMonkey before 2.0.5 allows remote attackers to execute arbitrary code via a large text value for a node. Important CVE-2010-1199 SUSE bug 603356 SUSE bug 617399 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 3.5.x before 3.5.10 and 3.6.x before 3.6.4, Thunderbird before 3.0.5, and SeaMonkey before 2.0.5 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Important CVE-2010-1200 SUSE bug 603356 SUSE bug 617399 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the browser engine in Mozilla Firefox 3.5.x before 3.5.10, Thunderbird before 3.0.5, and SeaMonkey before 2.0.5 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Moderate CVE-2010-1201 SUSE bug 603356 SUSE bug 617399 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in the JavaScript engine in Mozilla Firefox 3.5.x before 3.5.10 and 3.6.x before 3.6.4, Thunderbird before 3.0.5, and SeaMonkey before 2.0.5 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Important CVE-2010-1202 SUSE bug 603356 SUSE bug 617399 SUSE Linux Enterprise Server 11 SP3 The JavaScript engine in Mozilla Firefox 3.6.x before 3.6.4 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors that trigger an assertion failure in jstracer.cpp. Important CVE-2010-1203 SUSE bug 603356 SUSE bug 617399 SUSE Linux Enterprise Server 11 SP3 Buffer overflow in pngpread.c in libpng before 1.2.44 and 1.4.x before 1.4.3, as used in progressive applications, might allow remote attackers to execute arbitrary code via a PNG image that triggers an additional data row. Important CVE-2010-1205 SUSE bug 617866 SUSE bug 622506 SUSE bug 639941 SUSE bug 854395 SUSE Linux Enterprise Server 11 SP3 The startDocumentLoad function in browser/base/content/browser.js in Mozilla Firefox 3.5.x before 3.5.11 and 3.6.x before 3.6.7, and SeaMonkey before 2.0.6, does not properly implement the Same Origin Policy in certain circumstances related to the about:blank document and a document that is currently loading, which allows (1) remote web servers to conduct spoofing attacks via vectors involving a 204 (aka No Content) status code, and allows (2) remote attackers to conduct spoofing attacks via vectors involving a window.stop call. Moderate CVE-2010-1206 SUSE bug 618183 SUSE bug 622506 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 3.6.7 and Thunderbird before 3.1.1 do not properly implement read restrictions for CANVAS elements, which allows remote attackers to obtain sensitive cross-origin information via vectors involving reference retention and node deletion. Moderate CVE-2010-1207 SUSE bug 622506 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the attribute-cloning functionality in the DOM implementation in Mozilla Firefox 3.5.x before 3.5.11 and 3.6.x before 3.6.7, and SeaMonkey before 2.0.6, allows remote attackers to execute arbitrary code via vectors related to deletion of an event attribute node with a nonzero reference count. Important CVE-2010-1208 SUSE bug 622506 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the NodeIterator implementation in Mozilla Firefox 3.5.x before 3.5.11 and 3.6.x before 3.6.7, and SeaMonkey before 2.0.6, allows remote attackers to execute arbitrary code via a crafted NodeFilter that detaches DOM nodes, related to the NodeIterator interface and a javascript callback. Important CVE-2010-1209 SUSE bug 622506 SUSE Linux Enterprise Server 11 SP3 intl/uconv/util/nsUnicodeDecodeHelper.cpp in Mozilla Firefox before 3.6.7 and Thunderbird before 3.1.1 inserts a U+FFFD sequence into text in certain circumstances involving undefined positions, which might make it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted 8-bit text. Moderate CVE-2010-1210 SUSE bug 622506 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 3.5.x before 3.5.11 and 3.6.x before 3.6.7, Thunderbird 3.0.x before 3.0.6 and 3.1.x before 3.1.1, and SeaMonkey before 2.0.6 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Important CVE-2010-1211 SUSE bug 622506 SUSE Linux Enterprise Server 11 SP3 js/src/jstracer.cpp in the browser engine in Mozilla Firefox 3.6.x before 3.6.7 and Thunderbird 3.1.x before 3.1.1 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to (1) propagation of deep aborts in the TraceRecorder::record_JSOP_BINDNAME function, (2) depth handling in the TraceRecorder::record_JSOP_GETELEM function, and (3) tracing of out-of-range arguments in the TraceRecorder::record_JSOP_ARGSUB function. Important CVE-2010-1212 SUSE bug 622506 SUSE Linux Enterprise Server 11 SP3 The importScripts Web Worker method in Mozilla Firefox 3.5.x before 3.5.11 and 3.6.x before 3.6.7, Thunderbird 3.0.x before 3.0.6 and 3.1.x before 3.1.1, and SeaMonkey before 2.0.6 does not verify that content is valid JavaScript code, which allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via a crafted HTML document. Moderate CVE-2010-1213 SUSE bug 622506 SUSE Linux Enterprise Server 11 SP3 Integer overflow in Mozilla Firefox 3.5.x before 3.5.11 and 3.6.x before 3.6.7, and SeaMonkey before 2.0.6, allows remote attackers to execute arbitrary code via plugin content with many parameter elements. Important CVE-2010-1214 SUSE bug 622506 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox 3.6.x before 3.6.7 and Thunderbird 3.1.x before 3.1.1 do not properly implement access to a content object through a SafeJSObjectWrapper (aka SJOW) wrapper, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges by leveraging "access to an object from the chrome scope." Important CVE-2010-1215 SUSE bug 622506 SUSE Linux Enterprise Server 11 SP3 The kg_accept_krb5 function in krb5/accept_sec_context.c in the GSS-API library in MIT Kerberos 5 (aka krb5) through 1.7.1 and 1.8 before 1.8.2, as used in kadmind and other applications, does not properly check for invalid GSS-API tokens, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via an AP-REQ message in which the authenticator's checksum field is missing. Moderate CVE-2010-1321 SUSE bug 596826 SUSE bug 611090 SUSE bug 646073 SUSE bug 648950 SUSE bug 658525 SUSE bug 659926 SUSE bug 663953 SUSE bug 679560 SUSE Linux Enterprise Server 11 SP3 MIT Kerberos 5 (aka krb5) 1.3.x, 1.4.x, 1.5.x, 1.6.x, 1.7.x, and 1.8.x through 1.8.3 does not properly determine the acceptability of checksums, which might allow remote attackers to modify user-visible prompt text, modify a response to a Key Distribution Center (KDC), or forge a KRB-SAFE message via certain checksums that (1) are unkeyed or (2) use RC4 keys. Moderate CVE-2010-1323 SUSE bug 650650 SUSE Linux Enterprise Server 11 SP3 Multiple integer overflows in the Fax3SetupState function in tif_fax3.c in the FAX3 decoder in LibTIFF before 3.9.3, as used in ImageIO in Apple Mac OS X 10.5.8 and Mac OS X 10.6 before 10.6.4, allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted TIFF file that triggers a heap-based buffer overflow. Moderate CVE-2010-1411 SUSE bug 605837 SUSE bug 612879 SUSE bug 616827 SUSE bug 854393 SUSE Linux Enterprise Server 11 SP3 Race condition in the find_keyring_by_name function in security/keys/keyring.c in the Linux kernel 2.6.34-rc5 and earlier allows local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact via keyctl session commands that trigger access to a dead keyring that is undergoing deletion by the key_cleanup function. Important CVE-2010-1437 SUSE bug 599955 SUSE bug 653148 SUSE Linux Enterprise Server 11 SP3 The Safe (aka Safe.pm) module 2.26, and certain earlier versions, for Perl, as used in PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, 8.4 before 8.4.4, and 9.0 Beta before 9.0 Beta 2, allows context-dependent attackers to bypass intended (1) Safe::reval and (2) Safe::rdo access restrictions, and inject and execute arbitrary code, via vectors involving subroutine references and delayed execution. Moderate CVE-2010-1447 SUSE bug 605845 SUSE bug 605926 SUSE bug 605928 SUSE bug 634562 SUSE Linux Enterprise Server 11 SP3 The (1) mod_cache and (2) mod_dav modules in the Apache HTTP Server 2.2.x before 2.2.16 allow remote attackers to cause a denial of service (process crash) via a request that lacks a path. Moderate CVE-2010-1452 SUSE bug 627030 SUSE Linux Enterprise Server 11 SP3 The DOCSIS dissector in Wireshark 0.9.6 through 1.0.12 and 1.2.0 through 1.2.7 allows user-assisted remote attackers to cause a denial of service (application crash) via a malformed packet trace file. Moderate CVE-2010-1455 SUSE bug 603251 SUSE Linux Enterprise Server 11 SP3 The default configuration of ASP.NET in Mono before 2.6.4 has a value of FALSE for the EnableViewStateMac property, which allows remote attackers to conduct cross-site scripting (XSS) attacks, as demonstrated by the __VIEWSTATE parameter to 2.0/menu/menu1.aspx in the XSP sample project. Important CVE-2010-1459 SUSE bug 592428 SUSE Linux Enterprise Server 11 SP3 Multiple integer overflows in libgdiplus 2.6.7, as used in Mono, allow attackers to execute arbitrary code via (1) a crafted TIFF file, related to the gdip_load_tiff_image function in tiffcodec.c; (2) a crafted JPEG file, related to the gdip_load_jpeg_image_internal function in jpegcodec.c; or (3) a crafted BMP file, related to the gdip_read_bmp_image function in bmpcodec.c, leading to heap-based buffer overflows. Important CVE-2010-1526 SUSE bug 630756 SUSE bug 643999 SUSE Linux Enterprise Server 11 SP3 The nsIScriptableUnescapeHTML.parseFragment method in the ParanoidFragmentSink protection mechanism in Mozilla Firefox before 3.5.17 and 3.6.x before 3.6.14, Thunderbird before 3.1.8, and SeaMonkey before 2.0.12 does not properly sanitize HTML in a chrome document, which makes it easier for remote attackers to execute arbitrary JavaScript with chrome privileges via a javascript: URI in input to an extension, as demonstrated by a javascript:alert sequence in (1) the HREF attribute of an A element or (2) the ACTION attribute of a FORM element. Important CVE-2010-1585 SUSE bug 667155 SUSE bug 679570 SUSE Linux Enterprise Server 11 SP3 Memory leak in the apr_brigade_split_line function in buckets/apr_brigade.c in the Apache Portable Runtime Utility library (aka APR-util) before 1.3.10, as used in the mod_reqtimeout module in the Apache HTTP Server and other software, allows remote attackers to cause a denial of service (memory consumption) via unspecified vectors related to the destruction of an APR bucket. Moderate CVE-2010-1623 SUSE bug 650435 SUSE bug 693778 SUSE bug 725950 SUSE bug 997229 SUSE Linux Enterprise Server 11 SP3 MySQL before 5.1.46 allows local users to delete the data and index files of another user's MyISAM table via a symlink attack in conjunction with the DROP TABLE command, a different vulnerability than CVE-2008-4098 and CVE-2008-7247. Moderate CVE-2010-1626 SUSE bug 604528 SUSE bug 607466 SUSE Linux Enterprise Server 11 SP3 The chain_reply function in process.c in smbd in Samba before 3.4.8 and 3.5.x before 3.5.2 allows remote attackers to cause a denial of service (NULL pointer dereference and process crash) via a Negotiate Protocol request with a certain 0x0003 field value followed by a Session Setup AndX request with a certain 0x8003 field value. Moderate CVE-2010-1635 SUSE bug 605935 SUSE Linux Enterprise Server 11 SP3 The do_gfs2_set_flags function in fs/gfs2/file.c in the Linux kernel before 2.6.34-git10 does not verify the ownership of a file, which allows local users to bypass intended access restrictions via a SETFLAGS ioctl request. Moderate CVE-2010-1641 SUSE bug 608576 SUSE Linux Enterprise Server 11 SP3 The reply_sesssetup_and_X_spnego function in sesssetup.c in smbd in Samba before 3.4.8 and 3.5.x before 3.5.2 allows remote attackers to trigger an out-of-bounds read, and cause a denial of service (process crash), via a \xff\xff security blob length in a Session Setup AndX request. Moderate CVE-2010-1642 SUSE bug 605935 SUSE Linux Enterprise Server 11 SP3 The extended-community parser in bgpd in Quagga before 0.99.18 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a malformed Extended Communities attribute. Low CVE-2010-1674 SUSE bug 654270 SUSE bug 685558 SUSE Linux Enterprise Server 11 SP3 bgpd in Quagga before 0.99.18 allows remote attackers to cause a denial of service (session reset) via a malformed AS_PATHLIMIT path attribute. Moderate CVE-2010-1675 SUSE bug 654270 SUSE bug 685558 SUSE Linux Enterprise Server 11 SP3 openibd in OpenFabrics Enterprise Distribution (OFED) 1.5.2 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/ib_set_node_desc.sh temporary file. Moderate CVE-2010-1693 SUSE bug 648551 SUSE Linux Enterprise Server 11 SP3 The cgi_initialize_string function in cgi-bin/var.c in the web interface in CUPS before 1.4.4, as used on Apple Mac OS X 10.5.8, Mac OS X 10.6 before 10.6.4, and other platforms, does not properly handle parameter values containing a % (percent) character without two subsequent hex characters, which allows context-dependent attackers to obtain sensitive information from cupsd process memory via a crafted request, as demonstrated by the (1) /admin?OP=redirect&URL=% and (2) /admin?URL=/admin/&OP=% URIs. Moderate CVE-2010-1748 SUSE bug 601352 SUSE bug 604271 SUSE bug 644521 SUSE bug 649256 SUSE bug 657780 SUSE Linux Enterprise Server 11 SP3 Directory traversal vulnerability in MySQL 5.0 through 5.0.91 and 5.1 before 5.1.47 allows remote authenticated users to bypass intended table grants to read field definitions of arbitrary tables, and on 5.1 to read or delete content of arbitrary tables, via a .. (dot dot) in a table name. Moderate CVE-2010-1848 SUSE bug 604528 SUSE bug 609551 SUSE Linux Enterprise Server 11 SP3 The my_net_skip_rest function in sql/net_serv.cc in MySQL 5.0 through 5.0.91 and 5.1 before 5.1.47 allows remote attackers to cause a denial of service (CPU and bandwidth consumption) by sending a large number of packets that exceed the maximum length. Moderate CVE-2010-1849 SUSE bug 604528 SUSE bug 609551 SUSE Linux Enterprise Server 11 SP3 Buffer overflow in MySQL 5.0 through 5.0.91 and 5.1 before 5.1.47 allows remote authenticated users to execute arbitrary code via a COM_FIELD_LIST command with a long table name. Moderate CVE-2010-1850 SUSE bug 604528 SUSE bug 609551 SUSE Linux Enterprise Server 11 SP3 Stack-based buffer overflow in the parser function in GhostScript 8.70 and 8.64 allows context-dependent attackers to execute arbitrary code via a crafted PostScript file. Moderate CVE-2010-1869 SUSE bug 605043 SUSE bug 739737 SUSE Linux Enterprise Server 11 SP3 Buffer overflow in the SMB1 packet chaining implementation in the chain_reply function in process.c in smbd in Samba 3.0.x before 3.3.13 allows remote attackers to cause a denial of service (memory corruption and daemon crash) or possibly execute arbitrary code via a crafted field in a packet. Important CVE-2010-2063 SUSE bug 611927 SUSE Linux Enterprise Server 11 SP3 The mext_check_arguments function in fs/ext4/move_extent.c in the Linux kernel before 2.6.35 allows local users to overwrite an append-only file via a MOVE_EXT ioctl call that specifies this file as a donor. Low CVE-2010-2066 SUSE bug 612457 SUSE Linux Enterprise Server 11 SP3 mod_proxy_http.c in mod_proxy_http in the Apache HTTP Server 2.2.9 through 2.2.15, 2.3.4-alpha, and 2.3.5-alpha on Windows, NetWare, and OS/2, in certain configurations involving proxy worker pools, does not properly detect timeouts, which allows remote attackers to obtain a potentially sensitive response intended for a different client in opportunistic circumstances via a normal HTTP request. Moderate CVE-2010-2068 SUSE bug 627030 SUSE bug 627387 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA istream.c in w3m 0.5.2 and possibly other versions, when ssl_verify_server is enabled, does not properly handle a '\0' character in a domain name in the (1) subject's Common Name or (2) Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. Moderate CVE-2010-2074 SUSE bug 609451 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the SplObjectStorage unserializer in PHP 5.2.x and 5.3.x through 5.3.2 allows remote attackers to execute arbitrary code or obtain sensitive information via serialized data, related to the PHP unserialize function. Important CVE-2010-2225 SUSE bug 616232 SUSE Linux Enterprise Server 11 SP3 Apache Tomcat 5.5.0 through 5.5.29, 6.0.0 through 6.0.27, and 7.0.0 beta does not properly handle an invalid Transfer-Encoding header, which allows remote attackers to cause a denial of service (application outage) or obtain sensitive information via a crafted header that interferes with "recycling of a buffer." Moderate CVE-2010-2227 SUSE bug 622188 SUSE bug 655440 SUSE Linux Enterprise Server 11 SP3 The do_anonymous_page function in mm/memory.c in the Linux kernel before 2.6.27.52, 2.6.32.x before 2.6.32.19, 2.6.34.x before 2.6.34.4, and 2.6.35.x before 2.6.35.2 does not properly separate the stack and the heap, which allows context-dependent attackers to execute arbitrary code by writing to the bottom page of a shared memory segment, as demonstrated by a memory-exhaustion attack against the X.Org X server. Important CVE-2010-2240 SUSE bug 1039348 SUSE bug 211997 SUSE bug 546062 SUSE bug 59807 SUSE bug 615929 SUSE bug 618152 SUSE bug 632737 SUSE bug 643986 SUSE bug 746947 SUSE bug 746949 SUSE Linux Enterprise Server 11 SP3 Red Hat libvirt 0.2.0 through 0.8.2 creates iptables rules with improper mappings of privileged source ports, which allows guest OS users to bypass intended access restrictions by leveraging IP address and source-port values, as demonstrated by copying and deleting an NFS directory tree. Moderate CVE-2010-2242 SUSE bug 618155 SUSE Linux Enterprise Server 11 SP3 Memory leak in pngrutil.c in libpng before 1.2.44, and 1.4.x before 1.4.3, allows remote attackers to cause a denial of service (memory consumption and application crash) via a PNG image containing malformed Physical Scale (aka sCAL) chunks. Important CVE-2010-2249 SUSE bug 617866 SUSE bug 639941 SUSE bug 854395 SUSE Linux Enterprise Server 11 SP3 The cupsFileOpen function in CUPS before 1.4.4 allows local users, with lp group membership, to overwrite arbitrary files via a symlink attack on the (1) /var/cache/cups/remote.cache or (2) /var/cache/cups/job.cache file. Low CVE-2010-2431 SUSE bug 601830 SUSE bug 671735 SUSE bug 680210 SUSE bug 680212 SUSE bug 700987 SUSE bug 711490 SUSE bug 715643 SUSE Linux Enterprise Server 11 SP3 The cupsDoAuthentication function in auth.c in the client in CUPS before 1.4.4, when HAVE_GSSAPI is omitted, does not properly handle a demand for authorization, which allows remote CUPS servers to cause a denial of service (infinite loop) via HTTP_UNAUTHORIZED responses. Low CVE-2010-2432 SUSE bug 601830 SUSE bug 680210 SUSE bug 680212 SUSE bug 700987 SUSE bug 711490 SUSE bug 715643 SUSE Linux Enterprise Server 11 SP3 Integer underflow in glyph handling in FreeType before 2.4.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file. Important CVE-2010-2497 SUSE bug 619562 SUSE bug 635692 SUSE Linux Enterprise Server 11 SP3 The mipv6 daemon in UMIP 0.4 does not verify that netlink messages originated in the kernel, which allows local users to spoof netlink socket communication via a crafted unicast message. Moderate CVE-2010-2522 SUSE bug 424311 SUSE Linux Enterprise Server 11 SP3 Multiple buffer overflows in ha.c in the mipv6 daemon in UMIP 0.4 allow remote attackers to have an unspecified impact via a crafted (1) ND_OPT_PREFIX_INFORMATION or (2) ND_OPT_HOME_AGENT_INFO packet. Moderate CVE-2010-2523 SUSE bug 424311 SUSE Linux Enterprise Server 11 SP3 The cluster logical volume manager daemon (clvmd) in lvm2-cluster in LVM2 before 2.02.72, as used in Red Hat Global File System (GFS) and other products, does not verify client credentials upon a socket connection, which allows local users to cause a denial of service (daemon exit or logical-volume change) or possibly have unspecified other impact via crafted control commands. Important CVE-2010-2526 SUSE bug 622537 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in kbx/keybox-blob.c in GPGSM in GnuPG 2.x through 2.0.16 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a certificate with a large number of Subject Alternate Names, which is not properly handled in a realloc operation when importing the certificate or verifying its signature. Moderate CVE-2010-2547 SUSE bug 625947 SUSE Linux Enterprise Server 11 SP3 Array index error in the PK font parser in the dvi-backend component in Evince 2.32 and earlier allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font in conjunction with a DVI file that is processed by the thumbnailer. Moderate CVE-2010-2640 SUSE bug 660555 SUSE Linux Enterprise Server 11 SP3 Array index error in the VF font parser in the dvi-backend component in Evince 2.32 and earlier allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font in conjunction with a DVI file that is processed by the thumbnailer. Moderate CVE-2010-2641 SUSE bug 660555 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in the AFM font parser in the dvi-backend component in Evince 2.32 and earlier, teTeX 3.0, t1lib 5.1.2, and possibly other products allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font in conjunction with a DVI file that is processed by the thumbnailer. Moderate CVE-2010-2642 SUSE bug 660555 SUSE bug 661018 SUSE bug 662411 SUSE bug 664484 SUSE bug 790421 SUSE Linux Enterprise Server 11 SP3 Integer overflow in the TFM font parser in the dvi-backend component in Evince 2.32 and earlier allows remote attackers to execute arbitrary code via a crafted font in conjunction with a DVI file that is processed by the thumbnailer. Moderate CVE-2010-2643 SUSE bug 660555 SUSE Linux Enterprise Server 11 SP3 The vte_sequence_handler_window_manipulation function in vteseq.c in libvte (aka libvte9) in VTE 0.25.1 and earlier, as used in gnome-terminal, does not properly handle escape sequences, which allows remote attackers to execute arbitrary commands or obtain potentially sensitive information via a (1) window title or (2) icon title sequence. NOTE: this issue exists because of a CVE-2003-0070 regression. Important CVE-2010-2713 SUSE bug 621097 SUSE Linux Enterprise Server 11 SP3 The nsDocShell::OnRedirectStateChange function in docshell/base/nsDocShell.cpp in Mozilla Firefox 3.5.x before 3.5.11 and 3.6.x before 3.6.7, and SeaMonkey before 2.0.6, allows remote attackers to spoof the SSL security status of a document via vectors involving multiple requests, a redirect, and the history.back and history.forward JavaScript functions. Moderate CVE-2010-2751 SUSE bug 622506 SUSE Linux Enterprise Server 11 SP3 Integer overflow in an array class in Mozilla Firefox 3.5.x before 3.5.11 and 3.6.x before 3.6.7, Thunderbird 3.0.x before 3.0.6 and 3.1.x before 3.1.1, and SeaMonkey before 2.0.6 allows remote attackers to execute arbitrary code by placing many Cascading Style Sheets (CSS) values in an array, related to references to external font resources and an inconsistency between 16-bit and 32-bit integers. Important CVE-2010-2752 SUSE bug 622506 SUSE Linux Enterprise Server 11 SP3 Integer overflow in Mozilla Firefox 3.5.x before 3.5.11 and 3.6.x before 3.6.7, Thunderbird 3.0.x before 3.0.6 and 3.1.x before 3.1.1, and SeaMonkey before 2.0.6 allows remote attackers to execute arbitrary code via a large selection attribute in a XUL tree element, which triggers a use-after-free. Important CVE-2010-2753 SUSE bug 622506 SUSE bug 637303 SUSE Linux Enterprise Server 11 SP3 dom/base/nsJSEnvironment.cpp in Mozilla Firefox 3.5.x before 3.5.11 and 3.6.x before 3.6.7, Thunderbird 3.0.x before 3.0.6 and 3.1.x before 3.1.1, and SeaMonkey before 2.0.6 does not properly suppress a script's URL in certain circumstances involving a redirect and an error message, which allows remote attackers to obtain sensitive information about script parameters via a crafted HTML document, related to the window.onerror handler. Moderate CVE-2010-2754 SUSE bug 622506 SUSE Linux Enterprise Server 11 SP3 layout/generic/nsObjectFrame.cpp in Mozilla Firefox 3.6.7 does not properly free memory in the parameter array of a plugin instance, which allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted HTML document, related to the DATA and SRC attributes of an OBJECT element. NOTE: this vulnerability exists because of an incorrect fix for CVE-2010-1214. Important CVE-2010-2755 SUSE bug 622506 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the nsTreeSelection function in Mozilla Firefox before 3.5.12 and 3.6.x before 3.6.9, Thunderbird before 3.0.7 and 3.1.x before 3.1.3, and SeaMonkey before 2.0.7 might allow remote attackers to execute arbitrary code via vectors involving a XUL tree selection, related to a "dangling pointer vulnerability." NOTE: this issue exists because of an incomplete fix for CVE-2010-2753. Moderate CVE-2010-2760 SUSE bug 637303 SUSE bug 638109 SUSE Linux Enterprise Server 11 SP3 The multipart_init function in (1) CGI.pm before 3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier uses a hardcoded value of the MIME boundary string in multipart/x-mixed-replace content, which allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted input that contains this value, a different vulnerability than CVE-2010-3172. Moderate CVE-2010-2761 SUSE bug 657343 SUSE bug 657731 SUSE bug 663396 SUSE bug 669245 SUSE bug 670476 SUSE Linux Enterprise Server 11 SP3 The XPCSafeJSObjectWrapper class in the SafeJSObjectWrapper (aka SJOW) implementation in Mozilla Firefox 3.6.x before 3.6.9 and Thunderbird 3.1.x before 3.1.3 does not properly restrict objects at the end of scope chains, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges via vectors related to a chrome privileged object and a chain ending in an outer object. Important CVE-2010-2762 SUSE bug 637303 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 3.5.12 and 3.6.x before 3.6.9, Thunderbird before 3.0.7 and 3.1.x before 3.1.3, and SeaMonkey before 2.0.7 do not properly restrict read access to the statusText property of XMLHttpRequest objects, which allows remote attackers to discover the existence of intranet web servers via cross-origin requests. Moderate CVE-2010-2764 SUSE bug 637303 SUSE bug 638109 SUSE Linux Enterprise Server 11 SP3 Integer overflow in the FRAMESET element implementation in Mozilla Firefox before 3.5.12 and 3.6.x before 3.6.9, Thunderbird before 3.0.7 and 3.1.x before 3.1.3, and SeaMonkey before 2.0.7 might allow remote attackers to execute arbitrary code via a large number of values in the cols (aka columns) attribute, leading to a heap-based buffer overflow. Moderate CVE-2010-2765 SUSE bug 637303 SUSE bug 638109 SUSE Linux Enterprise Server 11 SP3 The normalizeDocument function in Mozilla Firefox before 3.5.12 and 3.6.x before 3.6.9, Thunderbird before 3.0.7 and 3.1.x before 3.1.3, and SeaMonkey before 2.0.7 does not properly handle the removal of DOM nodes during normalization, which might allow remote attackers to execute arbitrary code via vectors involving access to a deleted object. Moderate CVE-2010-2766 SUSE bug 637303 SUSE bug 638109 SUSE Linux Enterprise Server 11 SP3 The navigator.plugins implementation in Mozilla Firefox before 3.5.12 and 3.6.x before 3.6.9, Thunderbird before 3.0.7 and 3.1.x before 3.1.3, and SeaMonkey before 2.0.7 does not properly handle destruction of the DOM plugin array, which might allow remote attackers to cause a denial of service (application crash) or execute arbitrary code via crafted access to the navigator object, related to a "dangling pointer vulnerability." Moderate CVE-2010-2767 SUSE bug 637303 SUSE bug 638109 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 3.5.12 and 3.6.x before 3.6.9, Thunderbird before 3.0.7 and 3.1.x before 3.1.3, and SeaMonkey before 2.0.7 do not properly restrict use of the type attribute of an OBJECT element to set a document's charset, which allows remote attackers to bypass cross-site scripting (XSS) protection mechanisms via UTF-7 encoding. Moderate CVE-2010-2768 SUSE bug 637303 SUSE bug 638109 SUSE Linux Enterprise Server 11 SP3 Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 3.5.12 and 3.6.x before 3.6.9, Thunderbird before 3.0.7 and 3.1.x before 3.1.3, and SeaMonkey before 2.0.7 allows user-assisted remote attackers to inject arbitrary web script or HTML via a selection that is added to a document in which the designMode property is enabled. Moderate CVE-2010-2769 SUSE bug 637303 SUSE bug 638109 SUSE Linux Enterprise Server 11 SP3 The gfs2_dirent_find_space function in fs/gfs2/dir.c in the Linux kernel before 2.6.35 uses an incorrect size value in calculations associated with sentinel directory entries, which allows local users to cause a denial of service (NULL pointer dereference and panic) and possibly have unspecified other impact by renaming a file in a GFS2 filesystem, related to the gfs2_rename function in fs/gfs2/ops_inode.c. Important CVE-2010-2798 SUSE bug 627386 SUSE bug 653148 SUSE Linux Enterprise Server 11 SP3 Stack-based buffer overflow in the nestlex function in nestlex.c in Socat 1.5.0.0 through 1.7.1.2 and 2.0.0-b1 through 2.0.0-b3, when bidirectional data relay is enabled, allows context-dependent attackers to execute arbitrary code via long command-line arguments. Moderate CVE-2010-2799 SUSE bug 627475 SUSE Linux Enterprise Server 11 SP3 The drm_ioctl function in drivers/gpu/drm/drm_drv.c in the Direct Rendering Manager (DRM) subsystem in the Linux kernel before 2.6.27.53, 2.6.32.x before 2.6.32.21, 2.6.34.x before 2.6.34.6, and 2.6.35.x before 2.6.35.4 allows local users to obtain potentially sensitive information from kernel memory by requesting a large memory-allocation amount. Important CVE-2010-2803 SUSE bug 628604 SUSE bug 653148 SUSE Linux Enterprise Server 11 SP3 The FT_Stream_EnterFrame function in base/ftstream.c in FreeType before 2.4.2 does not properly validate certain position values, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file. Moderate CVE-2010-2805 SUSE bug 629447 SUSE bug 635692 SUSE Linux Enterprise Server 11 SP3 Double free vulnerability in the ssl3_get_key_exchange function in the OpenSSL client (ssl/s3_clnt.c) in OpenSSL 1.0.0a, 0.9.8, 0.9.7, and possibly other versions, when using ECDH, allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted private key with an invalid prime. NOTE: some sources refer to this as a use-after-free issue. Moderate CVE-2010-2939 SUSE bug 489641 SUSE bug 629905 SUSE Linux Enterprise Server 11 SP3 ipp.c in cupsd in CUPS 1.4.4 and earlier does not properly allocate memory for attribute values with invalid string data types, which allows remote attackers to cause a denial of service (use-after-free and application crash) or possibly execute arbitrary code via a crafted IPP request. Moderate CVE-2010-2941 SUSE bug 649256 SUSE bug 654627 SUSE Linux Enterprise Server 11 SP3 The actions implementation in the network queueing functionality in the Linux kernel before 2.6.36-rc2 does not properly initialize certain structure members when performing dump operations, which allows local users to obtain potentially sensitive information from kernel memory via vectors related to (1) the tcf_gact_dump function in net/sched/act_gact.c, (2) the tcf_mirred_dump function in net/sched/act_mirred.c, (3) the tcf_nat_dump function in net/sched/act_nat.c, (4) the tcf_simp_dump function in net/sched/act_simple.c, and (5) the tcf_skbedit_dump function in net/sched/act_skbedit.c. Moderate CVE-2010-2942 SUSE bug 632309 SUSE bug 642324 SUSE Linux Enterprise Server 11 SP3 The xfs implementation in the Linux kernel before 2.6.35 does not look up inode allocation btrees before reading inode buffers, which allows remote authenticated users to read unlinked files, or read or overwrite disk blocks that are currently assigned to an active file but were previously assigned to an unlinked file, by accessing a stale NFS filehandle. Moderate CVE-2010-2943 SUSE bug 632317 SUSE bug 653148 SUSE Linux Enterprise Server 11 SP3 fs/jfs/xattr.c in the Linux kernel before 2.6.35.2 does not properly handle a certain legacy format for storage of extended attributes, which might allow local users by bypass intended xattr namespace restrictions via an "os2." substring at the beginning of a name. Moderate CVE-2010-2946 SUSE bug 633585 SUSE bug 653148 SUSE Linux Enterprise Server 11 SP3 Stack-based buffer overflow in the bgp_route_refresh_receive function in bgp_packet.c in bgpd in Quagga before 0.99.17 allows remote authenticated users to cause a denial of service (daemon crash) or possibly execute arbitrary code via a malformed Outbound Route Filtering (ORF) record in a BGP ROUTE-REFRESH (RR) message. Moderate CVE-2010-2948 SUSE bug 634300 SUSE bug 654270 SUSE bug 685558 SUSE Linux Enterprise Server 11 SP3 bgpd in Quagga before 0.99.17 does not properly parse AS paths, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unknown AS type in an AS path attribute in a BGP UPDATE message. Moderate CVE-2010-2949 SUSE bug 634300 SUSE bug 654270 SUSE bug 685558 SUSE Linux Enterprise Server 11 SP3 Format string vulnerability in stream.c in the phar extension in PHP 5.3.x through 5.3.3 allows context-dependent attackers to obtain sensitive information (memory contents) and possibly execute arbitrary code via a crafted phar:// URI that is not properly handled by the phar_stream_flush function, leading to errors in the php_stream_wrapper_log_error function. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-2094. Important CVE-2010-2950 SUSE bug 633934 SUSE Linux Enterprise Server 11 SP3 The irda_bind function in net/irda/af_irda.c in the Linux kernel before 2.6.36-rc3-next-20100901 does not properly handle failure of the irda_open_tsap function, which allows local users to cause a denial of service (NULL pointer dereference and panic) and possibly have unspecified other impact via multiple unsuccessful calls to bind on an AF_IRDA (aka PF_IRDA) socket. Moderate CVE-2010-2954 SUSE bug 636112 SUSE Linux Enterprise Server 11 SP3 The cfg80211_wext_giwessid function in net/wireless/wext-compat.c in the Linux kernel before 2.6.36-rc3-next-20100831 does not properly initialize certain structure members, which allows local users to leverage an off-by-one error in the ioctl_standard_iw_point function in net/wireless/wext-core.c, and obtain potentially sensitive information from kernel heap memory, via vectors involving an SIOCGIWESSID ioctl call that specifies a large buffer size. Moderate CVE-2010-2955 SUSE bug 635413 SUSE Linux Enterprise Server 11 SP3 Integer overflow in net/can/bcm.c in the Controller Area Network (CAN) implementation in the Linux kernel before 2.6.27.53, 2.6.32.x before 2.6.32.21, 2.6.34.x before 2.6.34.6, and 2.6.35.x before 2.6.35.4 allows attackers to execute arbitrary code or cause a denial of service (system crash) via crafted CAN traffic. Important CVE-2010-2959 SUSE bug 633581 SUSE bug 653148 SUSE Linux Enterprise Server 11 SP3 The keyctl_session_to_parent function in security/keys/keyctl.c in the Linux kernel 2.6.35.4 and earlier expects that a certain parent session keyring exists, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a KEYCTL_SESSION_TO_PARENT argument to the keyctl function. Important CVE-2010-2960 SUSE bug 634637 SUSE bug 653148 SUSE Linux Enterprise Server 11 SP3 drivers/gpu/drm/i915/i915_gem.c in the Graphics Execution Manager (GEM) in the Intel i915 driver in the Direct Rendering Manager (DRM) subsystem in the Linux kernel before 2.6.36 does not properly validate pointers to blocks of memory, which allows local users to write to arbitrary kernel memory locations, and consequently gain privileges, via crafted use of the ioctl interface, related to (1) pwrite and (2) pread operations. Important CVE-2010-2962 SUSE bug 642009 SUSE bug 653148 SUSE bug 653588 SUSE Linux Enterprise Server 11 SP3 drivers/media/video/v4l2-compat-ioctl32.c in the Video4Linux (V4L) implementation in the Linux kernel before 2.6.36 on 64-bit platforms does not validate the destination of a memory copy operation, which allows local users to write to arbitrary kernel memory locations, and consequently gain privileges, via a VIDIOCSTUNER ioctl call on a /dev/video device, followed by a VIDIOCSMICROCODE ioctl call on this device. Important CVE-2010-2963 SUSE bug 646045 SUSE bug 653148 SUSE Linux Enterprise Server 11 SP3 packet-gsm_a_rr.c in the GSM A RR dissector in Wireshark 1.2.2 through 1.2.9 allows remote attackers to cause a denial of service (crash) via unknown vectors that trigger a NULL pointer dereference. Moderate CVE-2010-2992 SUSE bug 630599 SUSE Linux Enterprise Server 11 SP3 The IPMI dissector in Wireshark 1.2.0 through 1.2.9 allows remote attackers to cause a denial of service (infinite loop) via unknown vectors. Moderate CVE-2010-2993 SUSE bug 630599 SUSE Linux Enterprise Server 11 SP3 Stack-based buffer overflow in the ASN.1 BER dissector in Wireshark 0.10.13 through 1.0.14 and 1.2.0 through 1.2.9 has unknown impact and remote attack vectors. NOTE: this issue exists because of a CVE-2010-2284 regression. Critical CVE-2010-2994 SUSE bug 630599 SUSE Linux Enterprise Server 11 SP3 The SigComp Universal Decompressor Virtual Machine (UDVM) in Wireshark 0.10.8 through 1.0.14 and 1.2.0 through 1.2.9 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to sigcomp-udvm.c and an off-by-one error, which triggers a buffer overflow, different vulnerabilities than CVE-2010-2287. Critical CVE-2010-2995 SUSE bug 630599 SUSE Linux Enterprise Server 11 SP3 Integer overflow in the ext4_ext_get_blocks function in fs/ext4/extents.c in the Linux kernel before 2.6.34 allows local users to cause a denial of service (BUG and system crash) via a write operation on the last block of a large file, followed by a sync operation. Moderate CVE-2010-3015 SUSE bug 631801 SUSE bug 653148 SUSE Linux Enterprise Server 11 SP3 bdf/bdflib.c in FreeType before 2.4.2 allows remote attackers to cause a denial of service (application crash) via a crafted BDF font file, related to an attempted modification of a value in a static string. Moderate CVE-2010-3053 SUSE bug 633938 SUSE bug 635692 SUSE bug 645982 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in FreeType 2.3.9, and other versions before 2.4.2, allows remote attackers to cause a denial of service via vectors involving nested Standard Encoding Accented Character (aka seac) calls, related to psaux.h, cffgload.c, cffgload.h, and t1decode.c. Moderate CVE-2010-3054 SUSE bug 633943 SUSE bug 635692 SUSE bug 645982 SUSE Linux Enterprise Server 11 SP3 Stack-based buffer overflow in the (1) sid_parse and (2) dom_sid_parse functions in Samba before 3.5.5 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted Windows Security ID (SID) on a file share. Important CVE-2010-3069 SUSE bug 637218 SUSE Linux Enterprise Server 11 SP3 The xfs_ioc_fsgetxattr function in fs/xfs/linux-2.6/xfs_ioctl.c in the Linux kernel before 2.6.36-rc4 does not initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via an ioctl call. Moderate CVE-2010-3078 SUSE bug 637436 SUSE bug 653148 SUSE Linux Enterprise Server 11 SP3 kernel/trace/ftrace.c in the Linux kernel before 2.6.35.5, when debugfs is enabled, does not properly handle interaction between mutex possession and llseek operations, which allows local users to cause a denial of service (NULL pointer dereference and outage of all function tracing files) via an lseek call on a file descriptor associated with the set_ftrace_filter file. Moderate CVE-2010-3079 SUSE bug 637502 SUSE bug 653148 SUSE Linux Enterprise Server 11 SP3 Double free vulnerability in the snd_seq_oss_open function in sound/core/seq/oss/seq_oss_init.c in the Linux kernel before 2.6.36-rc4 might allow local users to cause a denial of service or possibly have unspecified other impact via an unsuccessful attempt to open the /dev/sequencer device. Moderate CVE-2010-3080 SUSE bug 638277 SUSE bug 653148 SUSE Linux Enterprise Server 11 SP3 The compat_alloc_user_space functions in include/asm/compat.h files in the Linux kernel before 2.6.36-rc4-git2 on 64-bit platforms do not properly allocate the userspace memory required for the 32-bit compatibility layer, which allows local users to gain privileges by leveraging the ability of the compat_mc_getsockopt function (aka the MCAST_MSFILTER getsockopt support) to control a certain length value, related to a "stack pointer underflow" issue, as exploited in the wild in September 2010. Important CVE-2010-3081 SUSE bug 639709 SUSE bug 641575 SUSE bug 871595 SUSE Linux Enterprise Server 11 SP3 Buffer overflow in the niu_get_ethtool_tcam_all function in drivers/net/niu.c in the Linux kernel before 2.6.36-rc4 allows local users to cause a denial of service or possibly have unspecified other impact via the ETHTOOL_GRXCLSRLALL ethtool command. Important CVE-2010-3084 SUSE bug 638274 SUSE bug 653148 SUSE Linux Enterprise Server 11 SP3 Multiple cross-site scripting (XSS) vulnerabilities in GNU Mailman before 2.1.14rc1 allow remote authenticated users to inject arbitrary web script or HTML via vectors involving (1) the list information field or (2) the list description field. Moderate CVE-2010-3089 SUSE bug 637295 SUSE Linux Enterprise Server 11 SP3 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2010-3089. Reason: This issue was MERGED into CVE-2010-3089 in accordance with CVE content decisions, because it is the same type of vulnerability and affects the same versions. Notes: All CVE users should reference CVE-2010-3089 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Moderate CVE-2010-3090 SUSE bug 637295 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in the nsTextFrameUtils::TransformText function in Mozilla Firefox before 3.5.12 and 3.6.x before 3.6.9, Thunderbird before 3.0.7 and 3.1.x before 3.1.3, and SeaMonkey before 2.0.7 might allow remote attackers to execute arbitrary code via a bidirectional text run. Moderate CVE-2010-3166 SUSE bug 637303 SUSE bug 638109 SUSE Linux Enterprise Server 11 SP3 The nsTreeContentView function in Mozilla Firefox before 3.5.12 and 3.6.x before 3.6.9, Thunderbird before 3.0.7 and 3.1.x before 3.1.3, and SeaMonkey before 2.0.7 does not properly handle node removal in XUL trees, which allows remote attackers to execute arbitrary code via vectors involving access to deleted memory, related to a "dangling pointer vulnerability." Moderate CVE-2010-3167 SUSE bug 637303 SUSE bug 638109 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 3.5.12 and 3.6.x before 3.6.9, Thunderbird before 3.0.7 and 3.1.x before 3.1.3, and SeaMonkey before 2.0.7 do not properly restrict the role of property changes in triggering XUL tree removal, which allows remote attackers to cause a denial of service (deleted memory access and application crash) or possibly execute arbitrary code by setting unspecified properties. Moderate CVE-2010-3168 SUSE bug 637303 SUSE bug 638109 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.5.12 and 3.6.x before 3.6.9, Thunderbird before 3.0.7 and 3.1.x before 3.1.3, and SeaMonkey before 2.0.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Moderate CVE-2010-3169 SUSE bug 637303 SUSE bug 638109 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 3.5.14 and 3.6.x before 3.6.11, Thunderbird before 3.0.9 and 3.1.x before 3.1.5, and SeaMonkey before 2.0.9 recognize a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. Moderate CVE-2010-3170 SUSE bug 637290 SUSE bug 645315 SUSE bug 652858 SUSE bug 868629 SUSE Linux Enterprise Server 11 SP3 The SSL implementation in Mozilla Firefox before 3.5.14 and 3.6.x before 3.6.11, Thunderbird before 3.0.9 and 3.1.x before 3.1.5, and SeaMonkey before 2.0.9 does not properly set the minimum key length for Diffie-Hellman Ephemeral (DHE) mode, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack. Moderate CVE-2010-3173 SUSE bug 645315 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the browser engine in Mozilla Firefox 3.5.x before 3.5.14, Thunderbird before 3.0.9, and SeaMonkey before 2.0.9 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Critical CVE-2010-3174 SUSE bug 645315 SUSE bug 652858 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 3.6.x before 3.6.11 and Thunderbird 3.1.x before 3.1.5 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Important CVE-2010-3175 SUSE bug 645315 SUSE bug 652858 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 3.5.x before 3.5.14 and 3.6.x before 3.6.11, Thunderbird before 3.0.9 and 3.1.x before 3.1.5, and SeaMonkey before 2.0.9 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Important CVE-2010-3176 SUSE bug 645315 SUSE bug 652858 SUSE Linux Enterprise Server 11 SP3 Multiple cross-site scripting (XSS) vulnerabilities in the Gopher parser in Mozilla Firefox before 3.5.14 and 3.6.x before 3.6.11, and SeaMonkey before 2.0.9, allow remote attackers to inject arbitrary web script or HTML via a crafted name of a (1) file or (2) directory on a Gopher server. Moderate CVE-2010-3177 SUSE bug 645315 SUSE bug 652858 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 3.5.14 and 3.6.x before 3.6.11, Thunderbird before 3.0.9 and 3.1.x before 3.1.5, and SeaMonkey before 2.0.9 do not properly handle certain modal calls made by javascript: URLs in circumstances related to opening a new window and performing cross-domain navigation, which allows remote attackers to bypass the Same Origin Policy via a crafted HTML document. Moderate CVE-2010-3178 SUSE bug 645315 SUSE bug 652858 SUSE Linux Enterprise Server 11 SP3 Stack-based buffer overflow in the text-rendering functionality in Mozilla Firefox before 3.5.14 and 3.6.x before 3.6.11, Thunderbird before 3.0.9 and 3.1.x before 3.1.5, and SeaMonkey before 2.0.9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a long argument to the document.write method. Important CVE-2010-3179 SUSE bug 645315 SUSE bug 652858 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the nsBarProp function in Mozilla Firefox before 3.5.14 and 3.6.x before 3.6.11, Thunderbird before 3.0.9 and 3.1.x before 3.1.5, and SeaMonkey before 2.0.9 allows remote attackers to execute arbitrary code by accessing the locationbar property of a closed window. Important CVE-2010-3180 SUSE bug 645315 SUSE bug 652858 SUSE Linux Enterprise Server 11 SP3 A certain application-launch script in Mozilla Firefox before 3.5.14 and 3.6.x before 3.6.11, Thunderbird before 3.0.9 and 3.1.x before 3.1.5, and SeaMonkey before 2.0.9 on Linux places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse shared library in the current working directory. Moderate CVE-2010-3182 SUSE bug 642502 SUSE bug 645315 SUSE bug 652858 SUSE Linux Enterprise Server 11 SP3 The LookupGetterOrSetter function in js3250.dll in Mozilla Firefox before 3.5.14 and 3.6.x before 3.6.11, Thunderbird before 3.0.9 and 3.1.x before 3.1.5, and SeaMonkey before 2.0.9 does not properly support window.__lookupGetter__ function calls that lack arguments, which allows remote attackers to execute arbitrary code or cause a denial of service (incorrect pointer dereference and application crash) via vectors involving a "dangling pointer" and the JS_ValueToId function. Important CVE-2010-3183 SUSE bug 645315 SUSE bug 652858 SUSE Linux Enterprise Server 11 SP3 The cxgb_extension_ioctl function in drivers/net/cxgb3/cxgb3_main.c in the Linux kernel before 2.6.36-rc5 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a CHELSIO_GET_QSET_NUM ioctl call. Moderate CVE-2010-3296 SUSE bug 639481 SUSE bug 649187 SUSE Linux Enterprise Server 11 SP3 The eql_g_master_cfg function in drivers/net/eql.c in the Linux kernel before 2.6.36-rc5 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via an EQL_GETMASTRCFG ioctl call. Moderate CVE-2010-3297 SUSE bug 639482 SUSE bug 649187 SUSE Linux Enterprise Server 11 SP3 The hso_get_count function in drivers/net/usb/hso.c in the Linux kernel before 2.6.36-rc5 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call. Moderate CVE-2010-3298 SUSE bug 639483 SUSE bug 649187 SUSE Linux Enterprise Server 11 SP3 The IA32 system call emulation functionality in arch/x86/ia32/ia32entry.S in the Linux kernel before 2.6.36-rc4-git2 on the x86_64 platform does not zero extend the %eax register after the 32-bit entry path to ptrace is used, which allows local users to gain privileges by triggering an out-of-bounds access to the system call table using the %rax register. NOTE: this vulnerability exists because of a CVE-2007-4573 regression. Important CVE-2010-3301 SUSE bug 639708 SUSE Linux Enterprise Server 11 SP3 Multiple integer signedness errors in net/rose/af_rose.c in the Linux kernel before 2.6.36-rc5-next-20100923 allow local users to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a rose_getname function call, related to the rose_bind and rose_connect functions. Important CVE-2010-3310 SUSE bug 640721 SUSE Linux Enterprise Server 11 SP3 Integer overflow in base/ftstream.c in libXft (aka the X FreeType library) in FreeType before 2.4 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted Compact Font Format (CFF) font file that triggers a heap-based buffer overflow, related to an "input stream position error" issue, a different vulnerability than CVE-2010-1797. Moderate CVE-2010-3311 SUSE bug 635692 SUSE bug 641580 SUSE bug 645982 SUSE Linux Enterprise Server 11 SP3 Microsoft .NET Framework 1.1 SP1, 2.0 SP1 and SP2, 3.5, 3.5 SP1, 3.5.1, and 4.0, as used for ASP.NET in Microsoft Internet Information Services (IIS), provides detailed error codes during decryption attempts, which allows remote attackers to decrypt and modify encrypted View State (aka __VIEWSTATE) form data, and possibly forge cookies or read application files, via a padding oracle attack, aka "ASP.NET Padding Oracle Vulnerability." Moderate CVE-2010-3332 SUSE bug 648080 SUSE bug 648086 SUSE bug 702774 SUSE Linux Enterprise Server 11 SP3 The PL/perl and PL/Tcl implementations in PostgreSQL 7.4 before 7.4.30, 8.0 before 8.0.26, 8.1 before 8.1.22, 8.2 before 8.2.18, 8.3 before 8.3.12, 8.4 before 8.4.5, and 9.0 before 9.0.1 do not properly protect script execution by a different SQL user identity within the same session, which allows remote authenticated users to gain privileges via crafted script code in a SECURITY DEFINER function, as demonstrated by (1) redefining standard functions or (2) redefining operators, a different vulnerability than CVE-2010-1168, CVE-2010-1169, CVE-2010-1170, and CVE-2010-1447. Moderate CVE-2010-3433 SUSE bug 643771 SUSE bug 648140 SUSE Linux Enterprise Server 11 SP3 fopen_wrappers.c in PHP 5.3.x through 5.3.3 might allow remote attackers to bypass open_basedir restrictions via vectors related to the length of a filename. Moderate CVE-2010-3436 SUSE bug 642733 SUSE Linux Enterprise Server 11 SP3 Integer signedness error in the pkt_find_dev_from_minor function in drivers/block/pktcdvd.c in the Linux kernel before 2.6.36-rc6 allows local users to obtain sensitive information from kernel memory or cause a denial of service (invalid pointer dereference and system crash) via a crafted index value in a PKT_CTRL_CMD_STATUS ioctl call. Moderate CVE-2010-3437 SUSE bug 642486 SUSE bug 653148 SUSE Linux Enterprise Server 11 SP3 Stack consumption vulnerability in the dissect_ber_unknown function in epan/dissectors/packet-ber.c in the BER dissector in Wireshark 1.4.x before 1.4.1 and 1.2.x before 1.2.12 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a long string in an unknown ASN.1/BER encoded packet, as demonstrated using SNMP. Moderate CVE-2010-3445 SUSE bug 643078 SUSE Linux Enterprise Server 11 SP3 Multiple race conditions in smtpd.py in the smtpd module in Python 2.6, 2.7, 3.1, and 3.2 alpha allow remote attackers to cause a denial of service (daemon outage) by establishing and then immediately closing a TCP connection, leading to the accept function having an unexpected return value of None, an unexpected value of None for the address, or an ECONNABORTED, EAGAIN, or EWOULDBLOCK error, or the getpeername function having an ENOTCONN error, a related issue to CVE-2010-3492. Moderate CVE-2010-3493 SUSE bug 638233 SUSE bug 666027 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Networking component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this is related to missing validation of request headers in the HttpURLConnection class when they are set by applets, which allows remote attackers to bypass the intended security policy. Important CVE-2010-3541 SUSE bug 646073 SUSE bug 646906 SUSE bug 648950 SUSE bug 659926 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Naming and Directory Interface (JNDI) component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, and 1.4.2_27 allows remote attackers to affect confidentiality via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this allows remote attackers to determine internal IP addresses or "otherwise-protected internal network names." Important CVE-2010-3548 SUSE bug 646073 SUSE bug 646906 SUSE bug 648950 SUSE bug 659926 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Networking component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this is an HTTP request splitting vulnerability involving the handling of the chunked transfer encoding method by the HttpURLConnection class. Important CVE-2010-3549 SUSE bug 646073 SUSE bug 646906 SUSE bug 648950 SUSE bug 659926 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Web Start component in Oracle Java SE and Java for Business 6 Update 21 and 5.0 Update 25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. Important CVE-2010-3550 SUSE bug 646073 SUSE bug 648950 SUSE bug 659926 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Networking component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, and 1.4.2_27 allows remote attackers to affect confidentiality via unknown vectors. Important CVE-2010-3551 SUSE bug 646073 SUSE bug 646906 SUSE bug 648950 SUSE bug 659926 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Swing component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this is related to unsafe reflection involving the UIDefault.ProxyLazyValue class. Important CVE-2010-3553 SUSE bug 646073 SUSE bug 646906 SUSE bug 659926 SUSE bug 663679 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Deployment component in Oracle Java SE and Java for Business 6 Update 21 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the January 2011 CPU. Oracle has not commented on claims from a reliable third party coordinator that the ActiveX Plugin does not properly initialize an object field that is used as a window handle, which allows attackers to execute arbitrary code. Important CVE-2010-3555 SUSE bug 646073 SUSE bug 659926 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the 2D component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. Important CVE-2010-3556 SUSE bug 646073 SUSE bug 646906 SUSE bug 648950 SUSE bug 659926 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Swing component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this is related to the modification of "behavior and state of certain JDK classes" and "mutable static." Important CVE-2010-3557 SUSE bug 646073 SUSE bug 646906 SUSE bug 659926 SUSE bug 663679 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Web Start component in Oracle Java SE and Java for Business 6 Update 21 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. Important CVE-2010-3558 SUSE bug 646073 SUSE bug 659926 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Sound component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable researcher that this involves an incorrect sign extension in the HeadspaceSoundbank.nGetName function, which allows attackers to execute arbitrary code via a crafted BANK record that leads to a buffer overflow. Important CVE-2010-3559 SUSE bug 646073 SUSE bug 648950 SUSE bug 659926 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Networking component in Oracle Java SE and Java for Business 6 Update 21 allows remote attackers to affect confidentiality via unknown vectors. Important CVE-2010-3560 SUSE bug 646073 SUSE bug 659926 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the 2D component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this is a double free vulnerability in IndexColorModel that allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code. Important CVE-2010-3562 SUSE bug 646073 SUSE bug 646906 SUSE bug 648950 SUSE bug 659926 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Deployment component in Oracle Java SE and Java for Business 6 Update 21 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is related to "how Web Start retrieves security policies," BasicServiceImpl, and forged policies that bypass sandbox restrictions. Important CVE-2010-3563 SUSE bug 646073 SUSE bug 659926 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the 2D component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, and 1.4.2_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is an integer overflow that triggers memory corruption via large values in a subsample of a JPEG image, related to JPEGImageWriter.writeImage in the imageio API. Important CVE-2010-3565 SUSE bug 646073 SUSE bug 646906 SUSE bug 648950 SUSE bug 659926 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the 2D component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update and 25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is an integer overflow that leads to a buffer overflow via a crafted devs (device information) tag structure in a color profile. Important CVE-2010-3566 SUSE bug 646073 SUSE bug 648950 SUSE bug 659926 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the 2D component in Oracle Java SE and Java for Business 6 Update 21, and 5.0 Update 25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this is related to a calculation error in right-to-left text character counts for the ICU OpenType font rendering implementation, which triggers an out-of-bounds memory access. Important CVE-2010-3567 SUSE bug 646073 SUSE bug 659926 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, and 1.4.2_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this is a race condition related to deserialization. Important CVE-2010-3568 SUSE bug 646073 SUSE bug 646906 SUSE bug 648950 SUSE bug 659926 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, and 1.4.2_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this allows remote attackers to execute arbitrary code by causing the defaultReadObject method in the Serialization API to set a volatile field multiple times. Important CVE-2010-3569 SUSE bug 646073 SUSE bug 646906 SUSE bug 648950 SUSE bug 659926 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the 2D component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is an integer overflow in the color profile parser that allows remote attackers to execute arbitrary code via a crafted Tag structure in a color profile. Important CVE-2010-3571 SUSE bug 646073 SUSE bug 646906 SUSE bug 659926 SUSE bug 663679 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Sound component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. Important CVE-2010-3572 SUSE bug 646073 SUSE bug 646906 SUSE bug 648950 SUSE bug 659926 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Networking component in Oracle Java SE and Java for Business 6 Update 21 and 5.0 Update 25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this is related to missing validation of request headers in the HttpURLConnection class when they are set by applets, which allows remote attackers to bypass the intended security policy. Important CVE-2010-3573 SUSE bug 646073 SUSE bug 648950 SUSE bug 659926 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Networking component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that HttpURLConnection does not properly check for the allowHttpTrace permission, which allows untrusted code to perform HTTP TRACE requests. Moderate CVE-2010-3574 SUSE bug 646073 SUSE bug 648950 SUSE bug 658525 SUSE bug 659926 SUSE bug 663953 SUSE bug 679560 SUSE Linux Enterprise Server 11 SP3 The extension parser in slp_v2message.c in OpenSLP 1.2.1, and other versions before SVN revision 1647, as used in Service Location Protocol daemon (SLPD) in VMware ESX 4.0 and 4.1 and ESXi 4.0 and 4.1, allows remote attackers to cause a denial of service (infinite loop) via a packet with a "next extension offset" that references this extension or a previous extension. NOTE: some of these details are obtained from third party information. Moderate CVE-2010-3609 SUSE bug 642571 SUSE Linux Enterprise Server 11 SP3 The backend driver in Xen 3.x allows guest OS users to cause a denial of service via a kernel thread leak, which prevents the device and guest OS from being shut down or create a zombie domain, causes a hang in zenwatch, or prevents unspecified xm commands from working properly, related to (1) netback, (2) blkback, or (3) blktap. Moderate CVE-2010-3699 SUSE bug 653148 SUSE bug 655964 SUSE Linux Enterprise Server 11 SP3 The Gfx::getPos function in the PDF parser in xpdf before 3.02pl5, poppler 0.8.7 and possibly other versions up to 0.15.1, CUPS, kdegraphics, and possibly other products allows context-dependent attackers to cause a denial of service (crash) via unknown vectors that trigger an uninitialized pointer dereference. Moderate CVE-2010-3702 SUSE bug 642785 SUSE bug 644112 SUSE bug 644114 SUSE bug 644521 SUSE bug 646460 SUSE bug 657780 SUSE Linux Enterprise Server 11 SP3 The PostScriptFunction::PostScriptFunction function in poppler/Function.cc in the PDF parser in poppler 0.8.7 and possibly other versions up to 0.15.1, and possibly other products, allows context-dependent attackers to cause a denial of service (crash) via a PDF file that triggers an uninitialized pointer dereference. Moderate CVE-2010-3703 SUSE bug 642785 SUSE bug 644112 SUSE bug 644521 SUSE bug 657780 SUSE Linux Enterprise Server 11 SP3 The FoFiType1::parse function in fofi/FoFiType1.cc in the PDF parser in xpdf before 3.02pl5, poppler 0.8.7 and possibly other versions up to 0.15.1, kdegraphics, and possibly other products allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a PDF file with a crafted PostScript Type1 font that contains a negative array index, which bypasses input validation and triggers memory corruption. Moderate CVE-2010-3704 SUSE bug 642785 SUSE bug 644112 SUSE bug 644521 SUSE bug 646460 SUSE Linux Enterprise Server 11 SP3 The sctp_auth_asoc_get_hmac function in net/sctp/auth.c in the Linux kernel before 2.6.36 does not properly validate the hmac_ids array of an SCTP peer, which allows remote attackers to cause a denial of service (memory corruption and panic) via a crafted value in the last element of this array. Important CVE-2010-3705 SUSE bug 643513 SUSE bug 653148 SUSE Linux Enterprise Server 11 SP3 The ZipArchive::getArchiveComment function in PHP 5.2.x through 5.2.14 and 5.3.x through 5.3.3 allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ZIP archive. Moderate CVE-2010-3709 SUSE bug 660102 SUSE Linux Enterprise Server 11 SP3 Stack consumption vulnerability in the filter_var function in PHP 5.2.x through 5.2.14 and 5.3.x through 5.3.3, when FILTER_VALIDATE_EMAIL mode is used, allows remote attackers to cause a denial of service (memory consumption and application crash) via a long e-mail address string. Moderate CVE-2010-3710 SUSE bug 649210 SUSE Linux Enterprise Server 11 SP3 Apache Tomcat 7.0.0 through 7.0.3, 6.0.x, and 5.5.x, when running within a SecurityManager, does not make the ServletContext attribute read-only, which allows local web applications to read or write files outside of the intended working directory, as demonstrated using a directory traversal attack. Moderate CVE-2010-3718 SUSE bug 669897 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before 3.0.10, and SeaMonkey 2.x before 2.0.10, when JavaScript is enabled, allows remote attackers to execute arbitrary code via vectors related to nsCSSFrameConstructor::ContentAppended, the appendChild method, incorrect index tracking, and the creation of multiple frames, which triggers memory corruption, as exploited in the wild in October 2010 by the Belmoo malware. Important CVE-2010-3765 SUSE bug 649492 SUSE bug 652858 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, and SeaMonkey before 2.0.11, allows remote attackers to execute arbitrary code via vectors involving a change to an nsDOMAttribute node. Important CVE-2010-3766 SUSE bug 657016 SUSE Linux Enterprise Server 11 SP3 Integer overflow in the NewIdArray function in Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, and SeaMonkey before 2.0.11, allows remote attackers to execute arbitrary code via a JavaScript array with many elements. Important CVE-2010-3767 SUSE bug 657016 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, Thunderbird before 3.0.11 and 3.1.x before 3.1.7, and SeaMonkey before 2.0.11 do not properly validate downloadable fonts before use within an operating system's font implementation, which allows remote attackers to execute arbitrary code via vectors related to @font-face Cascading Style Sheets (CSS) rules. Important CVE-2010-3768 SUSE bug 657016 SUSE Linux Enterprise Server 11 SP3 The line-breaking implementation in Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, Thunderbird before 3.0.11 and 3.1.x before 3.1.7, and SeaMonkey before 2.0.11 on Windows does not properly handle long strings, which allows remote attackers to execute arbitrary code via a crafted document.write call that triggers a buffer over-read. Critical CVE-2010-3769 SUSE bug 657016 SUSE Linux Enterprise Server 11 SP3 Multiple cross-site scripting (XSS) vulnerabilities in the rendering engine in Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, and SeaMonkey before 2.0.11, allow remote attackers to inject arbitrary web script or HTML via (1) x-mac-arabic, (2) x-mac-farsi, or (3) x-mac-hebrew characters that may be converted to angle brackets during rendering. Moderate CVE-2010-3770 SUSE bug 657016 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, and SeaMonkey before 2.0.11, does not properly handle injection of an ISINDEX element into an about:blank page, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges via vectors related to redirection to a chrome: URI. Important CVE-2010-3771 SUSE bug 657016 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, and SeaMonkey before 2.0.11, does not properly calculate index values for certain child content in a XUL tree, which allows remote attackers to execute arbitrary code via vectors involving a DIV element within a treechildren element. Important CVE-2010-3772 SUSE bug 657016 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, and SeaMonkey before 2.0.11, when the XMLHttpRequestSpy module in the Firebug add-on is used, does not properly handle interaction between the XMLHttpRequestSpy object and chrome privileged objects, which allows remote attackers to execute arbitrary JavaScript via a crafted HTTP response. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-0179. Important CVE-2010-3773 SUSE bug 657016 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, and SeaMonkey before 2.0.11, does not properly handle certain redirections involving data: URLs and Java LiveConnect scripts, which allows remote attackers to start processes, read arbitrary local files, and establish network connections via vectors involving a refresh value in the http-equiv attribute of a META element, which causes the wrong security principal to be used. Important CVE-2010-3775 SUSE bug 657016 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, Thunderbird before 3.0.11 and 3.1.x before 3.1.7, and SeaMonkey before 2.0.11 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Important CVE-2010-3776 SUSE bug 657016 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in Mozilla Firefox 3.6.x before 3.6.13 and Thunderbird 3.1.x before 3.1.7 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Important CVE-2010-3777 SUSE bug 657016 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in Mozilla Firefox 3.5.x before 3.5.16, Thunderbird before 3.0.11, and SeaMonkey before 2.0.11 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Critical CVE-2010-3778 SUSE bug 657016 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in the Ins_SHZ function in ttinterp.c in FreeType 2.4.3 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted SHZ bytecode instruction, related to TrueType opcodes, as demonstrated by a PDF document with a crafted embedded font. Moderate CVE-2010-3814 SUSE bug 647375 SUSE bug 689174 SUSE Linux Enterprise Server 11 SP3 MySQL 5.0 before 5.0.92, 5.1 before 5.1.51, and 5.5 before 5.5.6 does not properly propagate type errors, which allows remote attackers to cause a denial of service (server crash) via crafted arguments to extreme-value functions such as (1) LEAST and (2) GREATEST, related to KILL_BAD_DATA and a "CREATE TABLE ... SELECT." Moderate CVE-2010-3833 SUSE bug 644864 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in MySQL 5.0 before 5.0.92, 5.1 before 5.1.51, and 5.5 before 5.5.6 allows remote authenticated users to cause a denial of service (server crash) via vectors related to "materializing a derived table that required a temporary table for grouping" and "user variable assignments." Moderate CVE-2010-3834 SUSE bug 644864 SUSE Linux Enterprise Server 11 SP3 MySQL 5.1 before 5.1.51 and 5.5 before 5.5.6 allows remote authenticated users to cause a denial of service (mysqld server crash) by performing a user-variable assignment in a logical expression that is calculated and stored in a temporary table for GROUP BY, then causing the expression value to be used after the table is created, which causes the expression to be re-evaluated instead of accessing its value from the table. Moderate CVE-2010-3835 SUSE bug 644864 SUSE bug 694232 SUSE Linux Enterprise Server 11 SP3 MySQL 5.0 before 5.0.92, 5.1 before 5.1.51, and 5.5 before 5.5.6 allows remote authenticated users to cause a denial of service (assertion failure and server crash) via vectors related to view preparation, pre-evaluation of LIKE predicates, and IN Optimizers. Moderate CVE-2010-3836 SUSE bug 644864 SUSE Linux Enterprise Server 11 SP3 MySQL 5.0 before 5.0.92, 5.1 before 5.1.51, and 5.5 before 5.5.6 allows remote authenticated users to cause a denial of service (server crash) via a prepared statement that uses GROUP_CONCAT with the WITH ROLLUP modifier, probably triggering a use-after-free error when a copied object is modified in a way that also affects the original object. Moderate CVE-2010-3837 SUSE bug 644864 SUSE Linux Enterprise Server 11 SP3 MySQL 5.0 before 5.0.92, 5.1 before 5.1.51, and 5.5 before 5.5.6 allows remote authenticated users to cause a denial of service (server crash) via a query that uses the (1) GREATEST or (2) LEAST function with a mixed list of numeric and LONGBLOB arguments, which is not properly handled when the function's result is "processed using an intermediate temporary table." Moderate CVE-2010-3838 SUSE bug 644864 SUSE Linux Enterprise Server 11 SP3 MySQL 5.1 before 5.1.51 and 5.5 before 5.5.6 allows remote authenticated users to cause a denial of service (infinite loop) via multiple invocations of a (1) prepared statement or (2) stored procedure that creates a query with nested JOIN statements. Moderate CVE-2010-3839 SUSE bug 644864 SUSE Linux Enterprise Server 11 SP3 The Gis_line_string::init_from_wkb function in sql/spatial.cc in MySQL 5.1 before 5.1.51 allows remote authenticated users to cause a denial of service (server crash) by calling the PolyFromWKB function with Well-Known Binary (WKB) data containing a crafted number of (1) line strings or (2) line points. Moderate CVE-2010-3840 SUSE bug 644864 SUSE Linux Enterprise Server 11 SP3 Buffer overflow in the ft_var_readpackedpoints function in truetype/ttgxvar.c in FreeType 2.4.3 and earlier allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted TrueType GX font. Moderate CVE-2010-3855 SUSE bug 647375 SUSE bug 689174 SUSE Linux Enterprise Server 11 SP3 The ethtool_get_rxnfc function in net/core/ethtool.c in the Linux kernel before 2.6.36 does not initialize a certain block of heap memory, which allows local users to obtain potentially sensitive information via an ETHTOOL_GRXCLSRLALL ethtool command with a large info.rule_cnt value, a different vulnerability than CVE-2010-2478. Moderate CVE-2010-3861 SUSE bug 649187 SUSE bug 653148 SUSE Linux Enterprise Server 11 SP3 Multiple race conditions in ssl/t1_lib.c in OpenSSL 0.9.8f through 0.9.8o, 1.0.0, and 1.0.0a, when multi-threading and internal caching are enabled on a TLS server, might allow remote attackers to execute arbitrary code via client data that triggers a heap-based buffer overflow, related to (1) the TLS server name extension and (2) elliptic curve cryptography. Important CVE-2010-3864 SUSE bug 629905 SUSE bug 651003 SUSE Linux Enterprise Server 11 SP3 The X.25 implementation in the Linux kernel before 2.6.36.2 does not properly parse facilities, which allows remote attackers to cause a denial of service (heap memory corruption and panic) or possibly have unspecified other impact via malformed (1) X25_FAC_CALLING_AE or (2) X25_FAC_CALLED_AE data, related to net/x25/x25_facilities.c and net/x25/x25_in.c, a different vulnerability than CVE-2010-4164. Important CVE-2010-3873 SUSE bug 651219 SUSE bug 653260 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in the bcm_connect function in net/can/bcm.c (aka the Broadcast Manager) in the Controller Area Network (CAN) implementation in the Linux kernel before 2.6.36.2 on 64-bit platforms might allow local users to cause a denial of service (memory corruption) via a connect operation. Moderate CVE-2010-3874 SUSE bug 651218 SUSE bug 653148 SUSE Linux Enterprise Server 11 SP3 The ax25_getname function in net/ax25/af_ax25.c in the Linux kernel before 2.6.37-rc2 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory by reading a copy of this structure. Important CVE-2010-3875 SUSE bug 650897 SUSE bug 653148 SUSE Linux Enterprise Server 11 SP3 net/packet/af_packet.c in the Linux kernel before 2.6.37-rc2 does not properly initialize certain structure members, which allows local users to obtain potentially sensitive information from kernel stack memory by leveraging the CAP_NET_RAW capability to read copies of the applicable structures. Important CVE-2010-3876 SUSE bug 650897 SUSE bug 653148 SUSE Linux Enterprise Server 11 SP3 The get_name function in net/tipc/socket.c in the Linux kernel before 2.6.37-rc2 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory by reading a copy of this structure. Important CVE-2010-3877 SUSE bug 650897 SUSE bug 653148 SUSE Linux Enterprise Server 11 SP3 net/ipv4/inet_diag.c in the Linux kernel before 2.6.37-rc2 does not properly audit INET_DIAG bytecode, which allows local users to cause a denial of service (kernel infinite loop) via crafted INET_DIAG_REQ_BYTECODE instructions in a netlink message that contains multiple attribute elements, as demonstrated by INET_DIAG_BC_JMP instructions. Moderate CVE-2010-3880 SUSE bug 651599 SUSE bug 653148 SUSE Linux Enterprise Server 11 SP3 arch/x86/kvm/x86.c in the Linux kernel before 2.6.36.2 does not initialize certain structure members, which allows local users to obtain potentially sensitive information from kernel stack memory via read operations on the /dev/kvm device. Moderate CVE-2010-3881 SUSE bug 651596 SUSE bug 653148 SUSE bug 662663 SUSE bug 706696 SUSE Linux Enterprise Server 11 SP3 The rds_page_copy_user function in net/rds/page.c in the Reliable Datagram Sockets (RDS) protocol implementation in the Linux kernel before 2.6.36 does not properly validate addresses obtained from user space, which allows local users to gain privileges via crafted use of the sendmsg and recvmsg system calls. Important CVE-2010-3904 SUSE bug 647392 SUSE bug 676707 SUSE bug 703752 SUSE Linux Enterprise Server 11 SP3 ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Moderate CVE-2010-4014 SUSE bug 660478 SUSE bug 660479 SUSE bug 684292 SUSE Linux Enterprise Server 11 SP3 Buffer overflow in the gettoken function in contrib/intarray/_int_bool.c in the intarray array module in PostgreSQL 9.0.x before 9.0.3, 8.4.x before 8.4.7, 8.3.x before 8.3.14, and 8.2.x before 8.2.20 allows remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via integers with a large number of digits to unspecified functions. Moderate CVE-2010-4015 SUSE bug 660478 SUSE bug 684292 SUSE Linux Enterprise Server 11 SP3 The gs_type2_interpret function in Ghostscript allows remote attackers to cause a denial of service (incorrect pointer dereference and application crash) via crafted font data in a compressed data stream, aka bug 691043. Moderate CVE-2010-4054 SUSE bug 649207 SUSE bug 939342 SUSE Linux Enterprise Server 11 SP3 The copy_shmid_to_user function in ipc/shm.c in the Linux kernel before 2.6.37-rc1 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory via vectors related to the shmctl system call and the "old shm interface." Moderate CVE-2010-4072 SUSE bug 642314 SUSE bug 653148 SUSE Linux Enterprise Server 11 SP3 The ipc subsystem in the Linux kernel before 2.6.37-rc1 does not initialize certain structures, which allows local users to obtain potentially sensitive information from kernel stack memory via vectors related to the (1) compat_sys_semctl, (2) compat_sys_msgctl, and (3) compat_sys_shmctl functions in ipc/compat.c; and the (4) compat_sys_mq_open and (5) compat_sys_mq_getsetattr functions in ipc/compat_mq.c. Moderate CVE-2010-4073 SUSE bug 642314 SUSE bug 653148 SUSE Linux Enterprise Server 11 SP3 The uart_get_count function in drivers/serial/serial_core.c in the Linux kernel before 2.6.37-rc1 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call. Moderate CVE-2010-4075 SUSE bug 642309 SUSE bug 653148 SUSE Linux Enterprise Server 11 SP3 The rs_ioctl function in drivers/char/amiserial.c in the Linux kernel 2.6.36.1 and earlier does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call. Moderate CVE-2010-4076 SUSE bug 642309 SUSE bug 653148 SUSE Linux Enterprise Server 11 SP3 The ntty_ioctl_tiocgicount function in drivers/char/nozomi.c in the Linux kernel 2.6.36.1 and earlier does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call. Moderate CVE-2010-4077 SUSE bug 642309 SUSE bug 653148 SUSE Linux Enterprise Server 11 SP3 The viafb_ioctl_get_viafb_info function in drivers/video/via/ioctl.c in the Linux kernel before 2.6.36-rc5 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a VIAFB_GET_INFO ioctl call. Moderate CVE-2010-4082 SUSE bug 642313 SUSE bug 653148 SUSE Linux Enterprise Server 11 SP3 The copy_semid_to_user function in ipc/sem.c in the Linux kernel before 2.6.36 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory via a (1) IPC_INFO, (2) SEM_INFO, (3) IPC_STAT, or (4) SEM_STAT command in a semctl system call. Moderate CVE-2010-4083 SUSE bug 642314 SUSE bug 653148 SUSE Linux Enterprise Server 11 SP3 Double free vulnerability in the imap_do_open function in the IMAP extension (ext/imap/php_imap.c) in PHP 5.2 before 5.2.15 and 5.3 before 5.3.4 allows attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors. Moderate CVE-2010-4150 SUSE bug 655968 SUSE Linux Enterprise Server 11 SP3 Integer overflow in the ioc_general function in drivers/scsi/gdth.c in the Linux kernel before 2.6.36.1 on 64-bit platforms allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact via a large argument in an ioctl call. Moderate CVE-2010-4157 SUSE bug 652940 SUSE bug 653148 SUSE Linux Enterprise Server 11 SP3 The sk_run_filter function in net/core/filter.c in the Linux kernel before 2.6.36.2 does not check whether a certain memory location has been initialized before executing a (1) BPF_S_LD_MEM or (2) BPF_S_LDX_MEM instruction, which allows local users to obtain potentially sensitive information from kernel stack memory via a crafted socket filter. Moderate CVE-2010-4158 SUSE bug 652563 SUSE bug 653148 SUSE Linux Enterprise Server 11 SP3 Untrusted search path vulnerability in metadata/loader.c in Mono 2.8 and earlier allows local users to gain privileges via a Trojan horse shared library in the current working directory. Important CVE-2010-4159 SUSE bug 648086 SUSE Linux Enterprise Server 11 SP3 Multiple integer overflows in the (1) pppol2tp_sendmsg function in net/l2tp/l2tp_ppp.c, and the (2) l2tp_ip_sendmsg function in net/l2tp/l2tp_ip.c, in the PPPoL2TP and IPoL2TP implementations in the Linux kernel before 2.6.36.2 allow local users to cause a denial of service (heap memory corruption and panic) or possibly gain privileges via a crafted sendto call. Moderate CVE-2010-4160 SUSE bug 652939 SUSE bug 653148 SUSE Linux Enterprise Server 11 SP3 Multiple integer overflows in fs/bio.c in the Linux kernel before 2.6.36.2 allow local users to cause a denial of service (system crash) via a crafted device ioctl to a SCSI device. Moderate CVE-2010-4162 SUSE bug 652945 SUSE bug 653148 SUSE Linux Enterprise Server 11 SP3 The blk_rq_map_user_iov function in block/blk-map.c in the Linux kernel before 2.6.36.2 allows local users to cause a denial of service (panic) via a zero-length I/O request in a device ioctl to a SCSI device. Moderate CVE-2010-4163 SUSE bug 652945 SUSE bug 653148 SUSE bug 662202 SUSE Linux Enterprise Server 11 SP3 Multiple integer underflows in the x25_parse_facilities function in net/x25/x25_facilities.c in the Linux kernel before 2.6.36.2 allow remote attackers to cause a denial of service (system crash) via malformed X.25 (1) X25_FAC_CLASS_A, (2) X25_FAC_CLASS_B, (3) X25_FAC_CLASS_C, or (4) X25_FAC_CLASS_D facility data, a different vulnerability than CVE-2010-3873. Important CVE-2010-4164 SUSE bug 653260 SUSE Linux Enterprise Server 11 SP3 The do_tcp_setsockopt function in net/ipv4/tcp.c in the Linux kernel before 2.6.37-rc2 does not properly restrict TCP_MAXSEG (aka MSS) values, which allows local users to cause a denial of service (OOPS) via a setsockopt call that specifies a small value, leading to a divide-by-zero error or incorrect use of a signed integer. Moderate CVE-2010-4165 SUSE bug 653148 SUSE bug 653258 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in mm/mprotect.c in the Linux kernel before 2.6.37-rc2 allows local users to cause a denial of service via vectors involving an mprotect system call. Moderate CVE-2010-4169 SUSE bug 653148 SUSE bug 653930 SUSE Linux Enterprise Server 11 SP3 Multiple cross-site scripting (XSS) vulnerabilities in the Manager application in Apache Tomcat 6.0.12 through 6.0.29 and 7.0.0 through 7.0.4 allow remote attackers to inject arbitrary web script or HTML via the (1) orderBy or (2) sort parameter to sessionsList.jsp, or unspecified input to (3) sessionDetail.jsp or (4) java/org/apache/catalina/manager/JspHelper.java, related to use of untrusted web applications. Important CVE-2010-4172 SUSE bug 655440 SUSE Linux Enterprise Server 11 SP3 Integer overflow in the rds_cmsg_rdma_args function (net/rds/rdma.c) in Linux kernel 2.6.35 allows local users to cause a denial of service (crash) and possibly trigger memory corruption via a crafted Reliable Datagram Sockets (RDS) request, a different vulnerability than CVE-2010-3865. Moderate CVE-2010-4175 SUSE bug 653148 SUSE bug 654581 SUSE Linux Enterprise Server 11 SP3 OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier. Moderate CVE-2010-4180 SUSE bug 657663 SUSE bug 674017 SUSE bug 711693 SUSE bug 724729 SUSE bug 799454 SUSE Linux Enterprise Server 11 SP3 fs/exec.c in the Linux kernel before 2.6.37 does not enable the OOM Killer to assess use of stack memory by arrays representing the (1) arguments and (2) environment, which allows local users to cause a denial of service (memory consumption) via a crafted exec system call, aka an "OOM dodging issue," a related issue to CVE-2010-3858. Moderate CVE-2010-4243 SUSE bug 653148 SUSE bug 655220 SUSE bug 746947 SUSE Linux Enterprise Server 11 SP3 The socket implementation in net/core/sock.c in the Linux kernel before 2.6.34 does not properly manage a backlog of received packets, which allows remote attackers to cause a denial of service (memory consumption) by sending a large amount of network traffic, as demonstrated by netperf UDP tests. Moderate CVE-2010-4251 SUSE bug 643138 SUSE bug 653148 SUSE bug 655973 SUSE bug 826455 SUSE Linux Enterprise Server 11 SP3 OpenSSL before 1.0.0c, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol. Important CVE-2010-4252 SUSE bug 657663 SUSE bug 711693 SUSE bug 724729 SUSE Linux Enterprise Server 11 SP3 The do_exit function in kernel/exit.c in the Linux kernel before 2.6.36.2 does not properly handle a KERNEL_DS get_fs value, which allows local users to bypass intended access_ok restrictions, overwrite arbitrary kernel memory locations, and gain privileges by leveraging a (1) BUG, (2) NULL pointer dereference, or (3) page fault, as demonstrated by vectors involving the clear_child_tid feature and the splice system call. Important CVE-2010-4258 SUSE bug 653148 SUSE bug 657350 SUSE Linux Enterprise Server 11 SP3 Stack-based buffer overflow in the hpmud_get_pml function in io/hpmud/pml.c in Hewlett-Packard Linux Imaging and Printing (HPLIP) 1.6.7, 3.9.8, 3.10.9, and probably other versions allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted SNMP response with a large length value. Moderate CVE-2010-4267 SUSE bug 336658 SUSE bug 808355 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in the dissect_ldss_transfer function (epan/dissectors/packet-ldss.c) in the LDSS dissector in Wireshark 1.2.0 through 1.2.12 and 1.4.0 through 1.4.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an LDSS packet with a long digest line that triggers memory corruption. Moderate CVE-2010-4300 SUSE bug 655448 SUSE Linux Enterprise Server 11 SP3 epan/dissectors/packet-zbee-zcl.c in the ZigBee ZCL dissector in Wireshark 1.4.0 through 1.4.1 allows remote attackers to cause a denial of service (infinite loop) via a crafted ZCL packet, related to Discover Attributes. Moderate CVE-2010-4301 SUSE bug 655448 SUSE Linux Enterprise Server 11 SP3 The pam_parse_in_data_v2 function in src/responder/pam/pamsrv_cmd.c in the PAM responder in SSSD 1.5.0, 1.4.x, and 1.3 allows local users to cause a denial of service (infinite loop, crash, and login prevention) via a crafted packet. Moderate CVE-2010-4341 SUSE bug 660481 SUSE Linux Enterprise Server 11 SP3 The aun_incoming function in net/econet/af_econet.c in the Linux kernel before 2.6.37-rc6, when Econet is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and OOPS) by sending an Acorn Universal Networking (AUN) packet over UDP. Important CVE-2010-4342 SUSE bug 653148 SUSE bug 658461 SUSE Linux Enterprise Server 11 SP3 Stack consumption vulnerability in D-Bus (aka DBus) before 1.4.1 allows local users to cause a denial of service (daemon crash) via a message containing many nested variants. Moderate CVE-2010-4352 SUSE bug 659934 SUSE Linux Enterprise Server 11 SP3 Integer overflow in the NumberFormatter::getSymbol (aka numfmt_get_symbol) function in PHP 5.3.3 and earlier allows context-dependent attackers to cause a denial of service (application crash) via an invalid argument. Moderate CVE-2010-4409 SUSE bug 657910 SUSE bug 681195 SUSE Linux Enterprise Server 11 SP3 CRLF injection vulnerability in the header function in (1) CGI.pm before 3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via vectors related to non-whitespace characters preceded by newline characters, a different vulnerability than CVE-2010-2761 and CVE-2010-3172. Moderate CVE-2010-4410 SUSE bug 657343 SUSE bug 660127 SUSE bug 663396 SUSE bug 670476 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in CGI.pm 3.50 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unknown vectors. NOTE: this issue exists because of an incomplete fix for CVE-2010-2761. Moderate CVE-2010-4411 SUSE bug 657343 SUSE bug 657731 SUSE bug 663396 SUSE bug 669245 SUSE bug 670476 SUSE Linux Enterprise Server 11 SP3 The Double.parseDouble method in Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier, as used in OpenJDK, Apache, JBossweb, and other products, allows remote attackers to cause a denial of service via a crafted string that triggers an infinite loop of estimations during conversion to a double-precision binary floating-point number, as demonstrated using 2.2250738585072012e-308. Important CVE-2010-4476 SUSE bug 663679 SUSE bug 663953 SUSE bug 669926 SUSE bug 670304 SUSE bug 671714 SUSE bug 672449 SUSE bug 673738 SUSE bug 673798 SUSE bug 679560 SUSE bug 683761 SUSE bug 683762 SUSE bug 683763 SUSE bug 690583 SUSE Linux Enterprise Server 11 SP3 Double free vulnerability in libxml2 2.7.8 and other versions, as used in Google Chrome before 8.0.552.215 and other products, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to XPath handling. Moderate CVE-2010-4494 SUSE bug 1123919 SUSE bug 661471 SUSE Linux Enterprise Server 11 SP3 Integer underflow in the irda_getsockopt function in net/irda/af_irda.c in the Linux kernel before 2.6.37 on platforms other than x86 allows local users to obtain potentially sensitive information from kernel heap memory via an IRLMP_ENUMDEVICES getsockopt call. Low CVE-2010-4529 SUSE bug 653148 SUSE bug 662031 SUSE Linux Enterprise Server 11 SP3 Signedness error in ccid_serial.c in libccid in the USB Chip/Smart Card Interface Devices (CCID) driver, as used in pcscd in PCSC-Lite 1.5.3 and possibly other products, allows physically proximate attackers to execute arbitrary code via a smart card with a crafted serial number that causes a negative value to be used in a memcpy operation, which triggers a buffer overflow. NOTE: some sources refer to this issue as an integer overflow. Moderate CVE-2010-4530 SUSE bug 661000 SUSE Linux Enterprise Server 11 SP3 Stack-based buffer overflow in the ATRDecodeAtr function in the Answer-to-Reset (ATR) Handler (atrhandler.c) for pcscd in PCSC-Lite 1.5.3, and possibly other 1.5.x and 1.6.x versions, allows physically proximate attackers to cause a denial of service (crash) and possibly execute arbitrary code via a smart card with an ATR message containing a long attribute value. Moderate CVE-2010-4531 SUSE bug 661000 SUSE Linux Enterprise Server 11 SP3 Buffer overflow in the sect_enttec_dmx_da function in epan/dissectors/packet-enttec.c in Wireshark 1.4.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted ENTTEC DMX packet with Run Length Encoding (RLE) compression. Moderate CVE-2010-4538 SUSE bug 662029 SUSE Linux Enterprise Server 11 SP3 strtod.c, as used in the zend_strtod function in PHP 5.2 before 5.2.17 and 5.3 before 5.3.5, and other products, allows context-dependent attackers to cause a denial of service (infinite loop) via a certain floating-point value in scientific notation, which is not properly handled in x87 FPU registers, as demonstrated using 2.2250738585072011e-308. Moderate CVE-2010-4645 SUSE bug 662932 SUSE Linux Enterprise Server 11 SP3 Integer overflow in the ib_uverbs_poll_cq function in drivers/infiniband/core/uverbs_cmd.c in the Linux kernel before 2.6.37 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact via a large value of a certain structure member. Moderate CVE-2010-4649 SUSE bug 662953 SUSE bug 690537 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Directory traversal vulnerability in util.c in GNU patch 2.6.1 and earlier allows user-assisted remote attackers to create or overwrite arbitrary files via a filename that is specified with a .. (dot dot) or full pathname, a related issue to CVE-2010-1679. Moderate CVE-2010-4651 SUSE bug 1093615 SUSE bug 1101128 SUSE bug 662957 SUSE Linux Enterprise Server 11 SP3 The iowarrior_write function in drivers/usb/misc/iowarrior.c in the Linux kernel before 2.6.37 does not properly allocate memory, which might allow local users to trigger a heap-based buffer overflow, and consequently cause a denial of service or gain privileges, via a long report. Moderate CVE-2010-4656 SUSE bug 653148 SUSE bug 666842 SUSE Linux Enterprise Server 11 SP3 Integer overflow in the ReadDirectory function in tiffdump.c in tiffdump in LibTIFF before 3.9.5 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted TIFF file containing a directory data structure with many directory entries. Moderate CVE-2010-4665 SUSE bug 687442 SUSE bug 854393 SUSE Linux Enterprise Server 11 SP3 The blk_rq_map_user_iov function in block/blk-map.c in the Linux kernel before 2.6.37-rc7 allows local users to cause a denial of service (panic) via a zero-length I/O request in a device ioctl to a SCSI device, related to an unaligned map. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-4163. Moderate CVE-2010-4668 SUSE bug 652945 SUSE bug 653148 SUSE bug 662202 SUSE Linux Enterprise Server 11 SP3 The Perl_reg_numbered_buff_fetch function in Perl 5.10.0, 5.12.0, 5.14.0, and other versions, when running with debugging enabled, allows context-dependent attackers to cause a denial of service (assertion failure and application exit) via crafted input that is not properly handled when using certain regular expressions, as demonstrated by causing SpamAssassin and OCSInventory to crash. Moderate CVE-2010-4777 SUSE Linux Enterprise Server 11 SP3 The GLX extension in X.Org xserver 1.7.7 allows remote authenticated users to cause a denial of service (server crash) and possibly execute arbitrary code via (1) a crafted request that triggers a client swap in glx/glxcmdsswap.c; or (2) a crafted length or (3) a negative value in the screen field in a request to glx/glxcmds.c. Moderate CVE-2010-4818 SUSE bug 648287 SUSE Linux Enterprise Server 11 SP3 The ProcRenderAddGlyphs function in the Render extension (render/render.c) in X.Org xserver 1.7.7 and earlier allows local users to read arbitrary memory and possibly cause a denial of service (server crash) via unspecified vectors related to an "input sanitization flaw." Moderate CVE-2010-4819 SUSE bug 648290 SUSE Linux Enterprise Server 11 SP3 The default configuration of OpenSSH through 6.1 enforces a fixed time limit between establishing a TCP connection and completing a login, which makes it easier for remote attackers to cause a denial of service (connection-slot exhaustion) by periodically making many new TCP connections. Moderate CVE-2010-5107 SUSE bug 1074631 SUSE bug 802639 SUSE bug 841638 SUSE bug 858359 SUSE bug 880259 SUSE bug 881234 SUSE bug 996040 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA DCTStream.cc in Poppler before 0.13.3 allows remote attackers to cause a denial of service (crash) via a crafted PDF file. Moderate CVE-2010-5110 SUSE bug 845765 SUSE Linux Enterprise Server 11 SP3 Double free vulnerability in the iscsi_rx_handler function (usr/iscsi/iscsid.c) in the tgt daemon (tgtd) in Linux SCSI target framework (tgt) before 1.0.14, aka scsi-target-utils, allows remote attackers to cause a denial of service (memory corruption and crash) and possibly execute arbitrary code via unknown vectors related to a buffer overflow during iscsi login. NOTE: some of these details are obtained from third party information. Moderate CVE-2011-0001 SUSE bug 665415 SUSE Linux Enterprise Server 11 SP3 Multiple cross-site scripting (XSS) vulnerabilities in the HTML Manager Interface in Apache Tomcat 5.5 before 5.5.32, 6.0 before 6.0.30, and 7.0 before 7.0.6 allow remote attackers to inject arbitrary web script or HTML, as demonstrated via the display-name tag. Moderate CVE-2011-0013 SUSE bug 669929 SUSE Linux Enterprise Server 11 SP3 ssl/t1_lib.c in OpenSSL 0.9.8h through 0.9.8q and 1.0.0 through 1.0.0c allows remote attackers to cause a denial of service (crash), and possibly obtain sensitive information in applications that use OpenSSL, via a malformed ClientHello handshake message that triggers an out-of-bounds memory access, aka "OCSP stapling vulnerability." Moderate CVE-2011-0014 SUSE bug 670526 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in the pango_ft2_font_render_box_glyph function in pango/pangoft2-render.c in libpango in Pango 1.28.3 and earlier, when the FreeType2 backend is enabled, allows user-assisted remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file, related to the glyph box for an FT_Bitmap object. Moderate CVE-2011-0020 SUSE bug 666101 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in wiretap/pcapng.c in Wireshark before 1.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted capture file. Moderate CVE-2011-0024 SUSE bug 683335 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 3.5.17 and 3.6.x before 3.6.14, and SeaMonkey before 2.0.12, does not properly handle certain recursive eval calls, which makes it easier for remote attackers to force a user to respond positively to a dialog question, as demonstrated by a question about granting privileges. Important CVE-2011-0051 SUSE bug 667155 SUSE bug 679570 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.5.17 and 3.6.x before 3.6.14, Thunderbird before 3.1.8, and SeaMonkey before 2.0.12 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Moderate CVE-2011-0053 SUSE bug 667155 SUSE bug 679570 SUSE Linux Enterprise Server 11 SP3 Buffer overflow in the JavaScript engine in Mozilla Firefox before 3.5.17 and 3.6.x before 3.6.14, and SeaMonkey before 2.0.12, might allow remote attackers to execute arbitrary code via vectors involving non-local JavaScript variables, aka an "upvarMap" issue. Important CVE-2011-0054 SUSE bug 667155 SUSE bug 679570 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the JSON.stringify method in js3250.dll in Mozilla Firefox before 3.5.17 and 3.6.x before 3.6.14, and SeaMonkey before 2.0.12, might allow remote attackers to execute arbitrary code via unspecified vectors related to the js_HasOwnProperty function and garbage collection. Important CVE-2011-0055 SUSE bug 667155 SUSE bug 679570 SUSE Linux Enterprise Server 11 SP3 Buffer overflow in the JavaScript engine in Mozilla Firefox before 3.5.17 and 3.6.x before 3.6.14, and SeaMonkey before 2.0.12, might allow remote attackers to execute arbitrary code via vectors involving exception timing and a large number of string values, aka an "atom map" issue. Important CVE-2011-0056 SUSE bug 667155 SUSE bug 679570 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the Web Workers implementation in Mozilla Firefox before 3.5.17 and 3.6.x before 3.6.14, and SeaMonkey before 2.0.12, allows remote attackers to execute arbitrary code via vectors related to a JavaScript Worker and garbage collection. Important CVE-2011-0057 SUSE bug 667155 SUSE bug 679570 SUSE Linux Enterprise Server 11 SP3 Cross-site request forgery (CSRF) vulnerability in Mozilla Firefox before 3.5.17 and 3.6.x before 3.6.14, and SeaMonkey before 2.0.12, allows remote attackers to hijack the authentication of arbitrary users for requests that were initiated by a plugin and received a 307 redirect to a page on a different web site. Moderate CVE-2011-0059 SUSE bug 667155 SUSE bug 679570 SUSE Linux Enterprise Server 11 SP3 Buffer overflow in Mozilla Firefox 3.6.x before 3.6.14, Thunderbird before 3.1.8, and SeaMonkey before 2.0.12 might allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted JPEG image. Important CVE-2011-0061 SUSE bug 667155 SUSE bug 679570 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 3.6.x before 3.6.14 and Thunderbird 3.1.x before 3.1.8 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Important CVE-2011-0062 SUSE bug 667155 SUSE bug 679570 SUSE Linux Enterprise Server 11 SP3 The hb_buffer_ensure function in hb-buffer.c in HarfBuzz, as used in Pango 1.28.3, Firefox, and other products, does not verify that memory reallocations succeed, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly execute arbitrary code via crafted OpenType font data that triggers use of an incorrect index. Moderate CVE-2011-0064 SUSE bug 666101 SUSE bug 672502 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in Mozilla Firefox before 3.5.19 and 3.6.x before 3.6.17, and SeaMonkey before 2.0.14, allows remote attackers to execute arbitrary code via vectors related to OBJECT's mChannel. Important CVE-2011-0065 SUSE bug 689281 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in Mozilla Firefox before 3.5.19 and 3.6.x before 3.6.17, and SeaMonkey before 2.0.14, allows remote attackers to execute arbitrary code via vectors related to OBJECT's mObserverList. Important CVE-2011-0066 SUSE bug 689281 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 3.5.19 and 3.6.x before 3.6.17, and SeaMonkey before 2.0.14, does not properly implement autocompletion for forms, which allows remote attackers to read form history entries via a Java applet that spoofs interaction with the autocomplete controls. Moderate CVE-2011-0067 SUSE bug 689281 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the browser engine in Mozilla Firefox 3.5.x before 3.5.19, 3.6.x before 3.6.17, and 4.x before 4.0.1; Thunderbird before 3.1.10; and SeaMonkey before 2.0.14 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors, a different vulnerability than CVE-2011-0070. Moderate CVE-2011-0069 SUSE bug 689281 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the browser engine in Mozilla Firefox 3.5.x before 3.5.19, 3.6.x before 3.6.17, and 4.x before 4.0.1; Thunderbird before 3.1.10; and SeaMonkey before 2.0.14 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors, a different vulnerability than CVE-2011-0069. Important CVE-2011-0070 SUSE bug 689281 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the browser engine in Mozilla Firefox 3.5.x before 3.5.19 and 3.6.x before 3.6.17, Thunderbird before 3.1.10, and SeaMonkey before 2.0.14 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors, a different vulnerability than CVE-2011-0074, CVE-2011-0075, CVE-2011-0077, and CVE-2011-0078. Important CVE-2011-0072 SUSE bug 689281 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 3.5.19 and 3.6.x before 3.6.17, and SeaMonkey before 2.0.14, does not properly use nsTreeRange data structures, which allows remote attackers to execute arbitrary code via unspecified vectors that lead to a "dangling pointer." Important CVE-2011-0073 SUSE bug 689281 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the browser engine in Mozilla Firefox 3.5.x before 3.5.19 and 3.6.x before 3.6.17, Thunderbird before 3.1.10, and SeaMonkey before 2.0.14 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors, a different vulnerability than CVE-2011-0072, CVE-2011-0075, CVE-2011-0077, and CVE-2011-0078. Important CVE-2011-0074 SUSE bug 689281 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the browser engine in Mozilla Firefox 3.5.x before 3.5.19 and 3.6.x before 3.6.17, Thunderbird before 3.1.10, and SeaMonkey before 2.0.14 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors, a different vulnerability than CVE-2011-0072, CVE-2011-0074, CVE-2011-0077, and CVE-2011-0078. Moderate CVE-2011-0075 SUSE bug 689281 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the browser engine in Mozilla Firefox 3.5.x before 3.5.19 and 3.6.x before 3.6.17, Thunderbird before 3.1.10, and SeaMonkey before 2.0.14 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors, a different vulnerability than CVE-2011-0072, CVE-2011-0074, CVE-2011-0075, and CVE-2011-0078. Important CVE-2011-0077 SUSE bug 689281 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the browser engine in Mozilla Firefox 3.5.x before 3.5.19 and 3.6.x before 3.6.17, Thunderbird before 3.1.10, and SeaMonkey before 2.0.14 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors, a different vulnerability than CVE-2011-0072, CVE-2011-0074, CVE-2011-0075, and CVE-2011-0077. Moderate CVE-2011-0078 SUSE bug 689281 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 3.5.x before 3.5.19 and 3.6.x before 3.6.17, Thunderbird before 3.1.10, and SeaMonkey before 2.0.14 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Important CVE-2011-0080 SUSE bug 689281 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the browser engine in Mozilla Firefox 3.6.x before 3.6.17 and 4.x before 4.0.1, and Thunderbird 3.1.x before 3.1.10, allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Important CVE-2011-0081 SUSE bug 689281 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the nsSVGPathSegList::ReplaceItem function in the implementation of SVG element lists in Mozilla Firefox before 3.6.18, Thunderbird before 3.1.11, and SeaMonkey through 2.0.14 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors involving a user-supplied callback. Moderate CVE-2011-0083 SUSE bug 701296 SUSE bug 704750 SUSE Linux Enterprise Server 11 SP3 The SVGTextElement.getCharNumAtPosition function in Mozilla Firefox before 3.6.20, and 4.x through 5; Thunderbird 3.x before 3.1.12 and other versions before 6; SeaMonkey 2.x before 2.3; and possibly other products does not properly handle SVG text, which allows remote attackers to execute arbitrary code via unspecified vectors that lead to a "dangling pointer." Important CVE-2011-0084 SUSE bug 712224 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the nsXULCommandDispatcher function in Mozilla Firefox before 3.6.18, Thunderbird before 3.1.11, and SeaMonkey through 2.0.14 allows remote attackers to execute arbitrary code via a crafted XUL document that dequeues the current command updater. Critical CVE-2011-0085 SUSE bug 701296 SUSE bug 701995 SUSE bug 704750 SUSE Linux Enterprise Server 11 SP3 The VpMemAlloc function in bigdecimal.c in the BigDecimal class in Ruby 1.9.2-p136 and earlier, as used on Apple Mac OS X before 10.6.7 and other platforms, does not properly allocate memory, which allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving creation of a large BigDecimal value within a 64-bit process, related to an "integer truncation issue." Moderate CVE-2011-0188 SUSE bug 682287 SUSE Linux Enterprise Server 11 SP3 Buffer overflow in LibTIFF 3.9.4 and possibly other versions, as used in ImageIO in Apple iTunes before 10.2 on Windows and other products, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted TIFF image with JPEG encoding. Critical CVE-2011-0191 SUSE bug 672505 SUSE bug 672510 SUSE bug 682053 SUSE bug 854393 SUSE Linux Enterprise Server 11 SP3 Buffer overflow in Fax4Decode in LibTIFF 3.9.4 and possibly other versions, as used in ImageIO in Apple iTunes before 10.2 on Windows and other products, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted TIFF Internet Fax image file that has been compressed using CCITT Group 4 encoding, related to the EXPAND2D macro in libtiff/tif_fax3.h. NOTE: some of these details are obtained from third party information. Important CVE-2011-0192 SUSE bug 672510 SUSE bug 682053 SUSE bug 682871 SUSE bug 854393 SUSE Linux Enterprise Server 11 SP3 Integer signedness error in psaux/t1decode.c in FreeType before 2.4.6, as used in CoreGraphics in Apple iOS before 4.2.9 and 4.3.x before 4.3.4 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted Type 1 font in a PDF document, as exploited in the wild in July 2011. Moderate CVE-2011-0226 SUSE bug 704612 SUSE bug 728044 SUSE Linux Enterprise Server 11 SP3 The unparse implementation in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.6.x through 1.9, when an LDAP backend is used, allows remote attackers to cause a denial of service (file descriptor exhaustion and daemon hang) via a principal name that triggers use of a backslash escape sequence, as demonstrated by a \n sequence. Moderate CVE-2011-0281 SUSE bug 663619 SUSE Linux Enterprise Server 11 SP3 The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.6.x through 1.9, when an LDAP backend is used, allows remote attackers to cause a denial of service (NULL pointer dereference or buffer over-read, and daemon crash) via a crafted principal name. Moderate CVE-2011-0282 SUSE bug 663619 SUSE Linux Enterprise Server 11 SP3 The STARTTLS implementation in Postfix 2.4.x before 2.4.16, 2.5.x before 2.5.12, 2.6.x before 2.6.9, and 2.7.x before 2.7.3 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack. Moderate CVE-2011-0411 SUSE bug 677792 SUSE bug 686590 SUSE bug 689178 SUSE bug 776967 SUSE Linux Enterprise Server 11 SP3 Stack consumption vulnerability in the fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library before 1.4.3 and the Apache HTTP Server before 2.2.18, and in fnmatch.c in libc in NetBSD 5.1, OpenBSD 4.8, FreeBSD, Apple Mac OS X 10.6, Oracle Solaris 10, and Android, allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via *? sequences in the first argument, as demonstrated by attacks against mod_autoindex in httpd. Moderate CVE-2011-0419 SUSE bug 693778 SUSE bug 700212 SUSE Linux Enterprise Server 11 SP3 The grapheme_extract function in the Internationalization extension (Intl) for ICU for PHP 5.3.5 allows context-dependent attackers to cause a denial of service (crash) via an invalid size argument, which triggers a NULL pointer dereference. Moderate CVE-2011-0420 SUSE bug 672933 SUSE Linux Enterprise Server 11 SP3 The _zip_name_locate function in zip_name_locate.c in the Zip extension in PHP before 5.3.6 does not properly handle a ZIPARCHIVE::FL_UNCHANGED argument, which might allow context-dependent attackers to cause a denial of service (NULL pointer dereference) via an empty ZIP archive that is processed with a (1) locateName or (2) statName operation. Moderate CVE-2011-0421 SUSE bug 681193 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in the linetoken function in afmparse.c in t1lib, as used in teTeX 3.0.x, GNOME evince, and possibly other products, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a DVI file containing a crafted Adobe Font Metrics (AFM) file, a different vulnerability than CVE-2010-2642. Moderate CVE-2011-0433 SUSE bug 671064 SUSE bug 790421 SUSE Linux Enterprise Server 11 SP3 The init script in kbd, possibly 1.14.1 and earlier, allows local users to overwrite arbitrary files via a symlink attack on /dev/shm/defkeymap.map. Moderate CVE-2011-0460 SUSE Linux Enterprise Server 11 SP3 /etc/init.d/boot.localfs in the aaa_base package before 11.2-43.48.1 in SUSE openSUSE 11.2, and before 11.3-8.7.1 in openSUSE 11.3, allows local users to overwrite arbitrary files via a symlink attack on /dev/shm/mtab. Moderate CVE-2011-0461 SUSE bug 665479 SUSE Linux Enterprise Server 11 SP3 xrdb.c in xrdb before 1.0.9 in X.Org X11R7.6 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in a hostname obtained from a (1) DHCP or (2) XDMCP message. Important CVE-2011-0465 SUSE bug 674733 SUSE bug 688931 SUSE Linux Enterprise Server 11 SP3 The dvb_ca_ioctl function in drivers/media/dvb/ttpci/av7110_ca.c in the Linux kernel before 2.6.38-rc2 does not check the sign of a certain integer field, which allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact via a negative value. Moderate CVE-2011-0521 SUSE bug 653148 SUSE bug 666836 SUSE Linux Enterprise Server 11 SP3 Apache Tomcat 7.0.0 through 7.0.6 and 6.0.0 through 6.0.30 does not enforce the maxHttpHeaderSize limit for requests involving the NIO HTTP connector, which allows remote attackers to cause a denial of service (OutOfMemoryError) via a crafted request. Moderate CVE-2011-0534 SUSE bug 669930 SUSE Linux Enterprise Server 11 SP3 Wireshark 1.2.0 through 1.2.14, 1.4.0 through 1.4.3, and 1.5.0 frees an uninitialized pointer during processing of a .pcap file in the pcap-ng format, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a malformed file. Moderate CVE-2011-0538 SUSE bug 669908 SUSE Linux Enterprise Server 11 SP3 fuse 2.8.5 and earlier does not properly handle when /etc/mtab cannot be updated, which allows local users to unmount arbitrary directories via a symlink attack. Moderate CVE-2011-0541 SUSE bug 668820 SUSE bug 685055 SUSE Linux Enterprise Server 11 SP3 The Net::HTTPS module in libwww-perl (LWP) before 6.00, as used in WWW::Mechanize, LWP::UserAgent, and other products, when running in environments that do not set the If-SSL-Cert-Subject header, does not enable full validation of SSL certificates by default, which allows remote attackers to spoof servers via man-in-the-middle (MITM) attacks involving hostnames that are not properly validated. NOTE: it could be argued that this is a design limitation of the Net::HTTPS API, and separate implementations should be independently assigned CVE identifiers for not working around this limitation. However, because this API was modified within LWP, a single CVE identifier has been assigned. Moderate CVE-2011-0633 SUSE bug 693999 SUSE Linux Enterprise Server 11 SP3 Multiple cross-site scripting (XSS) vulnerabilities in Cgi/confirm.py in GNU Mailman 2.1.14 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) full name or (2) username field in a confirmation message. Moderate CVE-2011-0707 SUSE bug 671745 SUSE Linux Enterprise Server 11 SP3 exif.c in the Exif extension in PHP before 5.3.6 on 64-bit platforms performs an incorrect cast, which allows remote attackers to cause a denial of service (application crash) via an image with a crafted Image File Directory (IFD) that triggers a buffer over-read. Moderate CVE-2011-0708 SUSE bug 671710 SUSE Linux Enterprise Server 11 SP3 The task_show_regs function in arch/s390/kernel/traps.c in the Linux kernel before 2.6.38-rc4-next-20110216 on the s390 platform allows local users to obtain the values of the registers of an arbitrary process by reading a status file under /proc/. Moderate CVE-2011-0710 SUSE bug 653148 SUSE bug 672492 SUSE Linux Enterprise Server 11 SP3 The xfs_fs_geometry function in fs/xfs/xfs_fsops.c in the Linux kernel before 2.6.38-rc6-git3 does not initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via an FSGEOMETRY_V1 ioctl call. Moderate CVE-2011-0711 SUSE bug 672505 SUSE bug 672524 SUSE Linux Enterprise Server 11 SP3 Multiple buffer overflows in the caiaq Native Instruments USB audio functionality in the Linux kernel before 2.6.38-rc4-next-20110215 might allow attackers to cause a denial of service or possibly have unspecified other impact via a long USB device name, related to (1) the snd_usb_caiaq_audio_init function in sound/usb/caiaq/audio.c and (2) the snd_usb_caiaq_midi_init function in sound/usb/caiaq/midi.c. Moderate CVE-2011-0712 SUSE bug 672499 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in wiretap/dct3trace.c in Wireshark 1.2.0 through 1.2.14 and 1.4.0 through 1.4.3 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a long record in a Nokia DCT3 trace file. Moderate CVE-2011-0713 SUSE bug 672916 SUSE Linux Enterprise Server 11 SP3 Samba 3.x before 3.3.15, 3.4.x before 3.4.12, and 3.5.x before 3.5.7 does not perform range checks for file descriptors before use of the FD_SET macro, which allows remote attackers to cause a denial of service (stack memory corruption, and infinite loop or daemon crash) by opening a large number of files, related to (1) Winbind or (2) smbd. Moderate CVE-2011-0719 SUSE bug 670431 SUSE Linux Enterprise Server 11 SP3 t1lib 5.1.2 and earlier, as used in Xpdf before 3.02pl6, teTeX, and other products, uses an invalid pointer in conjunction with a dereference operation, which allows remote attackers to execute arbitrary code via a crafted Type 1 font in a PDF document, as demonstrated by testz.2184122398.pdf. Moderate CVE-2011-0764 SUSE bug 662411 SUSE bug 684802 SUSE Linux Enterprise Server 11 SP3 dhclient in ISC DHCP 3.0.x through 4.2.x before 4.2.1-P1, 3.1-ESV before 3.1-ESV-R1, and 4.1-ESV before 4.1-ESV-R2 allows remote attackers to execute arbitrary commands via shell metacharacters in a hostname obtained from a DHCP message, as demonstrated by a hostname that is provided to dhclient-script. Important CVE-2011-0997 SUSE bug 675052 SUSE bug 689182 SUSE bug 708527 SUSE bug 715172 SUSE Linux Enterprise Server 11 SP3 The FileUtils.remove_entry_secure method in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, 1.8.8dev, 1.9.1 through 1.9.1-430, 1.9.2 through 1.9.2-136, and 1.9.3dev allows local users to delete arbitrary files via a symlink attack. Moderate CVE-2011-1004 SUSE bug 673740 SUSE Linux Enterprise Server 11 SP3 The safe-level feature in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, and 1.8.8dev allows context-dependent attackers to modify strings via the Exception#to_s method, as demonstrated by changing an intended pathname. Moderate CVE-2011-1005 SUSE bug 673750 SUSE bug 783511 SUSE bug 783525 SUSE bug 880899 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in the parse_cgroup_spec function in tools/tools-common.c in the Control Group Configuration Library (aka libcgroup or libcg) before 0.37.1 allows local users to gain privileges via a crafted controller list on the command line of an application. NOTE: it is not clear whether this issue crosses privilege boundaries. Important CVE-2011-1006 SUSE bug 675506 SUSE Linux Enterprise Server 11 SP3 The is_cgi method in CGIHTTPServer.py in the CGIHTTPServer module in Python 2.5, 2.6, and 3.0 allows remote attackers to read script source code via an HTTP GET request that lacks a / (slash) character at the beginning of the URI. Moderate CVE-2011-1015 SUSE bug 674646 SUSE bug 826682 SUSE Linux Enterprise Server 11 SP3 The Radeon GPU drivers in the Linux kernel before 2.6.38-rc5 do not properly validate data related to the AA resolve registers, which allows local users to write to arbitrary memory locations associated with (1) Video RAM (aka VRAM) or (2) the Graphics Translation Table (GTT) via crafted values. Moderate CVE-2011-1016 SUSE bug 674691 SUSE bug 674693 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in the ldm_frag_add function in fs/partitions/ldm.c in the Linux kernel 2.6.37.2 and earlier might allow local users to gain privileges or obtain sensitive information via a crafted LDM partition table. Important CVE-2011-1017 SUSE bug 674648 SUSE bug 698221 SUSE Linux Enterprise Server 11 SP3 logwatch.pl in Logwatch 7.3.6 allows remote attackers to execute arbitrary commands via shell metacharacters in a log file name, as demonstrated via a crafted username to a Samba server. Important CVE-2011-1018 SUSE bug 674984 SUSE Linux Enterprise Server 11 SP3 The proc filesystem implementation in the Linux kernel 2.6.37 and earlier does not restrict access to the /proc directory tree of a process after this process performs an exec of a setuid program, which allows local users to obtain sensitive information or cause a denial of service via open, lseek, read, and write system calls. Moderate CVE-2011-1020 SUSE bug 674982 SUSE Linux Enterprise Server 11 SP3 The cgre_receive_netlink_msg function in daemon/cgrulesengd.c in cgrulesengd in the Control Group Configuration Library (aka libcgroup or libcg) before 0.37.1 does not verify that netlink messages originated in the kernel, which allows local users to bypass intended resource restrictions via a crafted message. Moderate CVE-2011-1022 SUSE bug 675048 SUSE Linux Enterprise Server 11 SP3 The epoll implementation in the Linux kernel 2.6.37.2 and earlier does not properly traverse a tree of epoll file descriptors, which allows local users to cause a denial of service (CPU consumption) via a crafted application that makes epoll_create and epoll_ctl system calls. Moderate CVE-2011-1083 SUSE bug 676204 SUSE bug 690537 SUSE Linux Enterprise Server 11 SP3 Integer overflow in ext/shmop/shmop.c in PHP before 5.3.6 allows context-dependent attackers to cause a denial of service (crash) and possibly read sensitive memory via a large third argument to the shmop_read function. Moderate CVE-2011-1092 SUSE bug 677782 SUSE Linux Enterprise Server 11 SP3 rsync 3.x before 3.0.8, when certain recursion, deletion, and ownership options are used, allows remote rsync servers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via malformed data. Moderate CVE-2011-1097 SUSE bug 684387 SUSE Linux Enterprise Server 11 SP3 Race condition in the createOutputFile function in logrotate.c in logrotate 3.7.9 and earlier allows local users to read log data by opening a file before the intended permissions are in place. Moderate CVE-2011-1098 SUSE bug 1007000 SUSE bug 1136195 SUSE bug 677335 SUSE bug 677336 SUSE Linux Enterprise Server 11 SP3 Off-by-one error in the dissect_6lowpan_iphc function in packet-6lowpan.c in Wireshark 1.4.0 through 1.4.3 on 32-bit platforms allows remote attackers to cause a denial of service (application crash) via a malformed 6LoWPAN IPv6 packet. Moderate CVE-2011-1138 SUSE bug 678567 SUSE Linux Enterprise Server 11 SP3 wiretap/pcapng.c in Wireshark 1.2.0 through 1.2.14 and 1.4.0 through 1.4.3 allows remote attackers to cause a denial of service (application crash) via a pcap-ng file that contains a large packet-length field. Moderate CVE-2011-1139 SUSE bug 678568 SUSE Linux Enterprise Server 11 SP3 Multiple stack consumption vulnerabilities in the dissect_ms_compressed_string and dissect_mscldap_string functions in Wireshark 1.0.x, 1.2.0 through 1.2.14, and 1.4.0 through 1.4.3 allow remote attackers to cause a denial of service (infinite recursion) via a crafted (1) SMB or (2) Connection-less LDAP (CLDAP) packet. Moderate CVE-2011-1140 SUSE bug 678569 SUSE Linux Enterprise Server 11 SP3 epan/dissectors/packet-ntlmssp.c in the NTLMSSP dissector in Wireshark before 1.4.4 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted .pcap file. Moderate CVE-2011-1143 SUSE bug 678571 SUSE Linux Enterprise Server 11 SP3 ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Moderate CVE-2011-1145 SUSE bug 678796 SUSE bug 764737 SUSE Linux Enterprise Server 11 SP3 libvirt.c in the API in Red Hat libvirt 0.8.8 does not properly restrict operations in a read-only connection, which allows remote attackers to cause a denial of service (host OS crash) or possibly execute arbitrary code via a (1) virNodeDeviceDettach, (2) virNodeDeviceReset, (3) virDomainRevertToSnapshot, (4) virDomainSnapshotDelete, (5) virNodeDeviceReAttach, or (6) virConnectDomainXMLToNative call, a different vulnerability than CVE-2008-5086. Moderate CVE-2011-1146 SUSE bug 678406 SUSE Linux Enterprise Server 11 SP3 Multiple format string vulnerabilities in phar_object.c in the phar extension in PHP 5.3.5 and earlier allow context-dependent attackers to obtain sensitive information from process memory, cause a denial of service (memory corruption), or possibly execute arbitrary code via format string specifiers in an argument to a class method, leading to an incorrect zend_throw_exception_ex call. Moderate CVE-2011-1153 SUSE bug 778941 SUSE Linux Enterprise Server 11 SP3 The shred_file function in logrotate.c in logrotate 3.7.9 and earlier might allow context-dependent attackers to execute arbitrary commands via shell metacharacters in a log filename, as demonstrated by a filename that is automatically constructed on the basis of a hostname or virtual machine name. Moderate CVE-2011-1154 SUSE bug 677335 SUSE bug 679661 SUSE bug 681984 SUSE Linux Enterprise Server 11 SP3 The writeState function in logrotate.c in logrotate 3.7.9 and earlier might allow context-dependent attackers to cause a denial of service (rotation outage) via a (1) \n (newline) or (2) \ (backslash) character in a log filename, as demonstrated by a filename that is automatically constructed on the basis of a hostname or virtual machine name. Moderate CVE-2011-1155 SUSE bug 677335 SUSE bug 679662 SUSE Linux Enterprise Server 11 SP3 The tpm_open function in drivers/char/tpm/tpm.c in the Linux kernel before 2.6.39 does not initialize a certain buffer, which allows local users to obtain potentially sensitive information from kernel memory via unspecified vectors. Moderate CVE-2011-1160 SUSE bug 680040 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in the thunder (aka ThunderScan) decoder in tif_thunder.c in LibTIFF 3.9.4 and earlier allows remote attackers to execute arbitrary code via crafted THUNDER_2BITDELTAS data in a .tiff file that has an unexpected BitsPerSample value. Moderate CVE-2011-1167 SUSE bug 683337 SUSE bug 854393 SUSE Linux Enterprise Server 11 SP3 Cross-site scripting (XSS) vulnerability in the KHTMLPart::htmlError function in khtml/khtml_part.cpp in Konqueror in KDE SC 4.4.0 through 4.6.1 allows remote attackers to inject arbitrary web script or HTML via the URI in a URL corresponding to an unavailable web site. Moderate CVE-2011-1168 SUSE bug 686652 SUSE bug 686814 SUSE Linux Enterprise Server 11 SP3 Multiple stack-based buffer overflows in the iriap_getvaluebyclass_indication function in net/irda/iriap.c in the Linux kernel before 2.6.39 allow remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging connectivity to an IrDA infrared network and sending a large integer value for a (1) name length or (2) attribute length. Important CVE-2011-1180 SUSE bug 681497 SUSE Linux Enterprise Server 11 SP3 kernel/signal.c in the Linux kernel before 2.6.39 allows local users to spoof the uid and pid of a signal sender via a sigqueueinfo system call. Moderate CVE-2011-1182 SUSE bug 681826 SUSE bug 690537 SUSE Linux Enterprise Server 11 SP3 The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not have the expected countermeasures against replay attacks, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests, related to lack of checking of nonce (aka server nonce) and nc (aka nonce-count or client nonce count) values. Moderate CVE-2011-1184 SUSE bug 735343 SUSE bug 741530 SUSE bug 791423 SUSE Linux Enterprise Server 11 SP3 The xsltGenerateIdFunction function in functions.c in libxslt 1.1.26 and earlier, as used in Google Chrome before 10.0.648.127 and other products, allows remote attackers to obtain potentially sensitive information about heap memory addresses via an XML document containing a call to the XSLT generate-id XPath function. Low CVE-2011-1202 SUSE bug 689281 SUSE bug 692619 SUSE Linux Enterprise Server 11 SP3 The sapi_header_op function in main/SAPI.c in PHP before 5.3.11 and 5.4.x before 5.4.0RC2 does not check for %0D sequences (aka carriage return characters), which allows remote attackers to bypass an HTTP response-splitting protection mechanism via a crafted URL, related to improper interaction between the PHP header function and certain browsers, as demonstrated by Internet Explorer and Google Chrome. Moderate CVE-2011-1398 SUSE bug 778003 SUSE bug 829207 SUSE bug 986004 SUSE Linux Enterprise Server 11 SP3 Integer overflow in the SdnToJulian function in the Calendar extension in PHP before 5.3.6 allows context-dependent attackers to cause a denial of service (application crash) via a large integer in the first argument to the cal_from_jd function. Moderate CVE-2011-1466 SUSE bug 733590 SUSE bug 736169 SUSE bug 738221 SUSE bug 741520 SUSE bug 741859 SUSE bug 742273 SUSE bug 742806 SUSE bug 743308 SUSE bug 744966 SUSE bug 746661 SUSE bug 749111 SUSE Linux Enterprise Server 11 SP3 The napi_reuse_skb function in net/core/dev.c in the Generic Receive Offload (GRO) implementation in the Linux kernel before 2.6.38 does not reset the values of certain structure members, which might allow remote attackers to cause a denial of service (NULL pointer dereference) via a malformed VLAN frame. Moderate CVE-2011-1478 SUSE bug 682965 SUSE bug 698450 SUSE Linux Enterprise Server 11 SP3 libvirtd in libvirt before 0.9.0 does not use thread-safe error reporting, which allows remote attackers to cause a denial of service (crash) by causing multiple threads to report errors at the same time. Moderate CVE-2011-1486 SUSE bug 684877 SUSE Linux Enterprise Server 11 SP3 The (1) lc, (2) lcfirst, (3) uc, and (4) ucfirst functions in Perl 5.10.x, 5.11.x, and 5.12.x through 5.12.3, and 5.13.x through 5.13.11, do not apply the taint attribute to the return value upon processing tainted input, which might allow context-dependent attackers to bypass the taint protection mechanism via a crafted string. Low CVE-2011-1487 SUSE bug 684799 SUSE Linux Enterprise Server 11 SP3 The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs. Moderate CVE-2011-1521 SUSE bug 682554 SUSE Linux Enterprise Server 11 SP3 Cross-site scripting (XSS) vulnerability in statusmap.c in statusmap.cgi in Nagios 3.2.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the layer parameter. Moderate CVE-2011-1523 SUSE bug 682966 SUSE bug 697895 SUSE Linux Enterprise Server 11 SP3 ftpd.c in the GSS-API FTP daemon in MIT Kerberos Version 5 Applications (aka krb5-appl) 1.0.1 and earlier does not check the krb5_setegid return value, which allows remote authenticated users to bypass intended group access restrictions, and create, overwrite, delete, or read files, via standard FTP commands, related to missing autoconf tests in a configure script. Moderate CVE-2011-1526 SUSE bug 698471 SUSE Linux Enterprise Server 11 SP3 t1lib 5.1.2 and earlier, as used in Xpdf before 3.02pl6, teTeX, and other products, reads from invalid memory locations, which allows remote attackers to cause a denial of service (application crash) via a crafted Type 1 font in a PDF document, a different vulnerability than CVE-2011-0764. Moderate CVE-2011-1552 SUSE bug 684802 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in t1lib 5.1.2 and earlier, as used in Xpdf before 3.02pl6, teTeX, and other products, allows remote attackers to cause a denial of service (application crash) via a PDF document containing a crafted Type 1 font that triggers an invalid memory write, a different vulnerability than CVE-2011-0764. Moderate CVE-2011-1553 SUSE bug 684802 SUSE Linux Enterprise Server 11 SP3 Off-by-one error in t1lib 5.1.2 and earlier, as used in Xpdf before 3.02pl6, teTeX, and other products, allows remote attackers to cause a denial of service (application crash) via a PDF document containing a crafted Type 1 font that triggers an invalid memory read, integer overflow, and invalid pointer dereference, a different vulnerability than CVE-2011-0764. Moderate CVE-2011-1554 SUSE bug 684802 SUSE Linux Enterprise Server 11 SP3 net/sctp/sm_make_chunk.c in the Linux kernel before 2.6.34, when addip_enable and auth_enable are used, does not consider the amount of zero padding during calculation of chunk lengths for (1) INIT and (2) INIT ACK chunks, which allows remote attackers to cause a denial of service (OOPS) via crafted packet data. Moderate CVE-2011-1573 SUSE bug 653148 SUSE bug 686813 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in the is_gpt_valid function in fs/partitions/efi.c in the Linux kernel 2.6.38 and earlier allows physically proximate attackers to cause a denial of service (OOPS) or possibly have unspecified other impact via a crafted size of the EFI GUID partition-table header on removable media. Moderate CVE-2011-1577 SUSE bug 687113 SUSE bug 692784 SUSE Linux Enterprise Server 11 SP3 The X.509if dissector in Wireshark 1.2.x before 1.2.16 and 1.4.x before 1.4.5 does not properly initialize certain global variables, which allows remote attackers to cause a denial of service (application crash) via a crafted .pcap file. Moderate CVE-2011-1590 SUSE bug 688109 SUSE Linux Enterprise Server 11 SP3 Stack-based buffer overflow in the DECT dissector in epan/dissectors/packet-dect.c in Wireshark 1.4.x before 1.4.5 allows remote attackers to execute arbitrary code via a crafted .pcap file. Moderate CVE-2011-1591 SUSE bug 688109 SUSE Linux Enterprise Server 11 SP3 The NFS dissector in epan/dissectors/packet-nfs.c in Wireshark 1.4.x before 1.4.5 on Windows uses an incorrect integer data type during decoding of SETCLIENTID calls, which allows remote attackers to cause a denial of service (application crash) via a crafted .pcap file. Moderate CVE-2011-1592 SUSE bug 688109 SUSE Linux Enterprise Server 11 SP3 Multiple integer overflows in the next_pidmap function in kernel/pid.c in the Linux kernel before 2.6.38.4 allow local users to cause a denial of service (system crash) via a crafted (1) getdents or (2) readdir system call. Moderate CVE-2011-1593 SUSE bug 653148 SUSE bug 688432 SUSE bug 690537 SUSE Linux Enterprise Server 11 SP3 smbfs in Samba 3.5.8 and earlier attempts to use (1) mount.cifs to append to the /etc/mtab file and (2) umount.cifs to append to the /etc/mtab.tmp file without first checking whether resource limits would interfere, which allows local users to trigger corruption of the /etc/mtab file via a process with a small RLIMIT_FSIZE value, a related issue to CVE-2011-1089. Moderate CVE-2011-1678 SUSE bug 686552 SUSE Linux Enterprise Server 11 SP3 The krb5_save_ccname_done function in providers/krb5/krb5_auth.c in System Security Services Daemon (SSSD) 1.5.x before 1.5.7, when automatic ticket renewal and offline authentication are configured, uses a pathname string as a password, which allows local users to bypass Kerberos authentication by listing the /tmp directory to obtain the pathname. Moderate CVE-2011-1758 SUSE bug 691135 SUSE Linux Enterprise Server 11 SP3 utils/mount.ecryptfs_private.c in ecryptfs-utils before 90 does not properly check mountpoint permissions, which allows local users to effectively replace any directory with a new filesystem, and consequently gain privileges, via a mount system call. Important CVE-2011-1831 SUSE bug 709771 SUSE bug 711539 SUSE Linux Enterprise Server 11 SP3 utils/mount.ecryptfs_private.c in ecryptfs-utils before 90 does not properly check mountpoint permissions, which allows local users to remove directories via a umount system call. Important CVE-2011-1832 SUSE bug 709771 SUSE bug 711539 SUSE Linux Enterprise Server 11 SP3 Race condition in the ecryptfs_mount function in fs/ecryptfs/main.c in the eCryptfs subsystem in the Linux kernel before 3.1 allows local users to bypass intended file permissions via a mount.ecryptfs_private mount with a mismatched uid. Moderate CVE-2011-1833 SUSE bug 709771 SUSE bug 711539 SUSE Linux Enterprise Server 11 SP3 utils/mount.ecryptfs_private.c in ecryptfs-utils before 90 does not properly maintain the mtab file during error conditions, which allows local users to cause a denial of service (table corruption) or bypass intended unmounting restrictions via a umount system call. Important CVE-2011-1834 SUSE bug 709771 SUSE bug 711539 SUSE Linux Enterprise Server 11 SP3 Xen 4.1 before 4.1.1 and 4.0 before 4.0.2, when using PCI passthrough on Intel VT-d chipsets that do not have interrupt remapping, allows guest OS users to gain host OS privileges by "using DMA to generate MSI interrupts by writing to the interrupt injection registers." Important CVE-2011-1898 SUSE bug 702025 SUSE bug 724906 SUSE Linux Enterprise Server 11 SP3 Off-by-one error in named in ISC BIND 9.x before 9.7.3-P1, 9.8.x before 9.8.0-P2, 9.4-ESV before 9.4-ESV-R4-P1, and 9.6-ESV before 9.6-ESV-R4-P1 allows remote DNS servers to cause a denial of service (assertion failure and daemon exit) via a negative response containing large RRSIG RRsets. Important CVE-2011-1910 SUSE bug 696585 SUSE bug 698286 SUSE Linux Enterprise Server 11 SP3 The fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library 1.4.3 and 1.4.4, and the Apache HTTP Server 2.2.18, allows remote attackers to cause a denial of service (infinite loop) via a URI that does not match unspecified types of wildcard patterns, as demonstrated by attacks against mod_autoindex in httpd when a /*/WEB-INF/ configuration pattern is used. NOTE: this issue exists because of an incorrect fix for CVE-2011-0419. Low CVE-2011-1928 SUSE bug 693778 SUSE Linux Enterprise Server 11 SP3 Integer overflow in xpath.c in libxml2 2.6.x through 2.6.32 and 2.7.x through 2.7.8, and libxml 1.8.16 and earlier, allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted XML file that triggers a heap-based buffer overflow when adding a new namespace node, related to handling of XPath expressions. Moderate CVE-2011-1944 SUSE bug 1123919 SUSE bug 697372 SUSE Linux Enterprise Server 11 SP3 gnomesu-pam-backend in libgnomesu 1.0.0 prints an error message but proceeds with the non-error code path upon failure of the setgid or setuid function, which allows local users to gain privileges by leveraging access to two unprivileged user accounts, and running many processes under one of these accounts. Important CVE-2011-1946 SUSE bug 695627 SUSE Linux Enterprise Server 11 SP3 fetchmail 5.9.9 through 6.3.19 does not properly limit the wait time after issuing a (1) STARTTLS or (2) STLS request, which allows remote servers to cause a denial of service (application hang) by acknowledging the request but not sending additional packets. Moderate CVE-2011-1947 SUSE bug 697368 SUSE Linux Enterprise Server 11 SP3 The dissect_dcm_main function in epan/dissectors/packet-dcm.c in the DICOM dissector in Wireshark 1.2.x before 1.2.17 and 1.4.x before 1.4.7 allows remote attackers to cause a denial of service (infinite loop) via an invalid PDU length. Moderate CVE-2011-1957 SUSE bug 697516 SUSE Linux Enterprise Server 11 SP3 Wireshark 1.2.x before 1.2.17 and 1.4.x before 1.4.7 allows user-assisted remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted Diameter dictionary file. Moderate CVE-2011-1958 SUSE bug 697516 SUSE Linux Enterprise Server 11 SP3 The snoop_read function in wiretap/snoop.c in Wireshark 1.2.x before 1.2.17 and 1.4.x before 1.4.7 does not properly handle certain virtualizable buffers, which allows remote attackers to cause a denial of service (application crash) via a large length value in a snoop file that triggers a stack-based buffer over-read. Moderate CVE-2011-1959 SUSE bug 697516 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in Microsoft Excel 2003 SP3 allows remote attackers to execute arbitrary code via a crafted spreadsheet, aka "Excel Use after Free WriteAV Vulnerability." Critical CVE-2011-1986 SUSE Linux Enterprise Server 11 SP3 Double free vulnerability in the tvb_uncompress function in epan/tvbuff.c in Wireshark 1.2.x before 1.2.17 and 1.4.x before 1.4.7 allows remote attackers to cause a denial of service (application crash) via a packet with malformed data that uses zlib compression. Moderate CVE-2011-2174 SUSE bug 697516 SUSE Linux Enterprise Server 11 SP3 Integer underflow in the visual_read function in wiretap/visual.c in Wireshark 1.2.x before 1.2.17 and 1.4.x before 1.4.7 allows remote attackers to cause a denial of service (application crash) via a malformed Visual Networks file that triggers a heap-based buffer over-read. Moderate CVE-2011-2175 SUSE bug 697516 SUSE Linux Enterprise Server 11 SP3 The ldm_frag_add function in fs/partitions/ldm.c in the Linux kernel before 2.6.39.1 does not properly handle memory allocation for non-initial fragments, which might allow local users to conduct buffer overflow attacks, and gain privileges or obtain sensitive information, via a crafted LDM partition table. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1017. Important CVE-2011-2182 SUSE bug 674648 SUSE bug 698221 SUSE Linux Enterprise Server 11 SP3 Race condition in the scan_get_next_rmap_item function in mm/ksm.c in the Linux kernel before 2.6.39.3, when Kernel SamePage Merging (KSM) is enabled, allows local users to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via a crafted application. Moderate CVE-2011-2183 SUSE bug 697901 SUSE Linux Enterprise Server 11 SP3 The Curl_input_negotiate function in http_negotiate.c in libcurl 7.10.6 through 7.21.6, as used in curl and other products, always performs credential delegation during GSSAPI authentication, which allows remote servers to impersonate clients via GSSAPI requests. Moderate CVE-2011-2192 SUSE bug 698796 SUSE Linux Enterprise Server 11 SP3 Buffer overflow in tftp-hpa before 5.1 allows remote attackers to cause a denial of service and possibly execute arbitrary code via the utimeout option. Moderate CVE-2011-2199 SUSE bug 699714 SUSE Linux Enterprise Server 11 SP3 The rfc1867_post_handler function in main/rfc1867.c in PHP before 5.3.7 does not properly restrict filenames in multipart/form-data POST requests, which allows remote attackers to conduct absolute path traversal attacks, and possibly create or overwrite arbitrary files, via a crafted upload request, related to a "file path injection vulnerability." Low CVE-2011-2202 SUSE bug 699711 SUSE Linux Enterprise Server 11 SP3 The hfs_find_init function in the Linux kernel 2.6 allows local users to cause a denial of service (NULL pointer dereference and Oops) by mounting an HFS file system with a malformed MDB extent record. Moderate CVE-2011-2203 SUSE bug 699709 SUSE Linux Enterprise Server 11 SP3 Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.17, when the MemoryUserDatabase is used, creates log entries containing passwords upon encountering errors in JMX user creation, which allows local users to obtain sensitive information by reading a log file. Moderate CVE-2011-2204 SUSE bug 702289 SUSE bug 706404 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 3.6.18, Thunderbird before 3.1.11, and SeaMonkey through 2.0.14 do not distinguish between cookies for two domain names that differ only in a trailing dot, which allows remote web servers to bypass the Same Origin Policy via Set-Cookie headers. Moderate CVE-2011-2362 SUSE bug 701296 SUSE bug 704750 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the nsSVGPointList::AppendElement function in the implementation of SVG element lists in Mozilla Firefox before 3.6.18, Thunderbird before 3.1.11, and SeaMonkey through 2.0.14 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors involving a user-supplied callback. Critical CVE-2011-2363 SUSE bug 701296 SUSE bug 702020 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the browser engine in Mozilla Firefox 3.6.x before 3.6.18 and Thunderbird before 3.1.11 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors, a different vulnerability than CVE-2011-2365. Important CVE-2011-2364 SUSE bug 701296 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the browser engine in Mozilla Firefox 3.6.x before 3.6.18 and Thunderbird before 3.1.11 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors, a different vulnerability than CVE-2011-2364. Critical CVE-2011-2365 SUSE bug 701296 SUSE Linux Enterprise Server 11 SP3 Integer overflow in the Array.reduceRight method in Mozilla Firefox before 3.6.18 and 4.x through 4.0.1, Thunderbird before 3.1.11, and SeaMonkey through 2.0.14 allows remote attackers to execute arbitrary code via vectors involving a long JavaScript Array object. Important CVE-2011-2371 SUSE bug 701296 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 3.6.23 and 4.x through 6, Thunderbird before 7.0, and SeaMonkey before 2.4 do not prevent the starting of a download in response to the holding of the Enter key, which allows user-assisted remote attackers to bypass intended access restrictions via a crafted web site. Important CVE-2011-2372 SUSE bug 720264 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in Mozilla Firefox before 3.6.18 and 4.x through 4.0.1, Thunderbird before 3.1.11, and SeaMonkey through 2.0.14, when JavaScript is disabled, allows remote attackers to execute arbitrary code via a crafted XUL document. Important CVE-2011-2373 SUSE bug 701296 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.6.18 and 4.x through 4.0.1, and Thunderbird before 3.1.11, allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Critical CVE-2011-2374 SUSE bug 701296 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.6.18 and Thunderbird before 3.1.11 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Critical CVE-2011-2376 SUSE bug 701296 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 3.6.18 and 4.x through 4.0.1, Thunderbird before 3.1.11, and SeaMonkey through 2.0.14 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a multipart/x-mixed-replace image. Important CVE-2011-2377 SUSE bug 701296 SUSE Linux Enterprise Server 11 SP3 The appendChild function in Mozilla Firefox before 3.6.20, Thunderbird 3.x before 3.1.12, SeaMonkey 2.x, and possibly other products does not properly handle DOM objects, which allows remote attackers to execute arbitrary code via unspecified vectors that lead to dereferencing of a "dangling pointer." Important CVE-2011-2378 SUSE bug 712224 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in ISC BIND 9 9.6.x before 9.6-ESV-R4-P3, 9.7.x before 9.7.3-P3, and 9.8.x before 9.8.0-P4 allows remote attackers to cause a denial of service (named daemon crash) via a crafted UPDATE request. Moderate CVE-2011-2464 SUSE bug 703907 SUSE Linux Enterprise Server 11 SP3 The Linux kernel before 2.6.39 does not properly create transparent huge pages in response to a MAP_PRIVATE mmap system call on /dev/zero, which allows local users to cause a denial of service (system crash) via a crafted application. Moderate CVE-2011-2479 SUSE bug 653148 SUSE bug 701163 SUSE Linux Enterprise Server 11 SP3 crypt_blowfish before 1.1, as used in PHP before 5.3.7 on certain platforms, PostgreSQL before 8.4.9, and other products, does not properly handle 8-bit characters, which makes it easier for context-dependent attackers to determine a cleartext password by leveraging knowledge of a password hash. Moderate CVE-2011-2483 SUSE bug 700876 SUSE bug 701489 SUSE bug 701491 SUSE bug 713727 SUSE bug 738221 SUSE bug 749299 SUSE bug 749301 SUSE bug 749303 SUSE Linux Enterprise Server 11 SP3 The gdk_pixbuf__gif_image_load function in gdk-pixbuf/io-gif.c in gdk-pixbuf before 2.23.5 does not properly handle certain return values, which allows remote attackers to cause a denial of service (memory consumption) via a crafted GIF image file. Moderate CVE-2011-2485 SUSE bug 702028 SUSE Linux Enterprise Server 11 SP3 Multiple off-by-one errors in opiesu.c in opiesu in OPIE 2.4.1-test1 and earlier might allow local users to gain privileges via a crafted command line. Important CVE-2011-2489 SUSE bug 698772 SUSE Linux Enterprise Server 11 SP3 opielogin.c in opielogin in OPIE 2.4.1-test1 and earlier does not check the return value of the setuid system call, which allows local users to gain privileges by arranging for an account to already be running its maximum number of processes. Important CVE-2011-2490 SUSE bug 698772 SUSE Linux Enterprise Server 11 SP3 The Network Lock Manager (NLM) protocol implementation in the NFS client functionality in the Linux kernel before 3.0 allows local users to cause a denial of service (system hang) via a LOCK_UN flock system call. Moderate CVE-2011-2491 SUSE bug 702013 SUSE Linux Enterprise Server 11 SP3 kernel/taskstats.c in the Linux kernel before 3.1 allows local users to obtain sensitive I/O statistics by sending taskstats commands to a netlink socket, as demonstrated by discovering the length of another user's password. Moderate CVE-2011-2494 SUSE bug 653148 SUSE bug 703156 SUSE Linux Enterprise Server 11 SP3 fs/proc/base.c in the Linux kernel before 2.6.39.4 does not properly restrict access to /proc/#####/io files, which allows local users to obtain sensitive I/O statistics by polling a file, as demonstrated by discovering the length of another user's password. Low CVE-2011-2495 SUSE bug 703155 SUSE Linux Enterprise Server 11 SP3 Integer overflow in the vma_to_resize function in mm/mremap.c in the Linux kernel before 2.6.39 allows local users to cause a denial of service (BUG_ON and system crash) via a crafted mremap system call that expands a memory mapping. Moderate CVE-2011-2496 SUSE bug 702285 SUSE Linux Enterprise Server 11 SP3 The png_format_buffer function in pngerror.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 allows remote attackers to cause a denial of service (application crash) via a crafted PNG image that triggers an out-of-bounds read during the copying of error-message data. NOTE: this vulnerability exists because of a CVE-2004-0421 regression. NOTE: this is called an off-by-one error by some sources. Moderate CVE-2011-2501 SUSE bug 702578 SUSE Linux Enterprise Server 11 SP3 Integer overflow in libvirt before 0.9.3 allows remote authenticated users to cause a denial of service (libvirtd crash) and possibly execute arbitrary code via a crafted VirDomainGetVcpus RPC call that triggers memory corruption. Moderate CVE-2011-2511 SUSE bug 703084 SUSE Linux Enterprise Server 11 SP3 Multiple cross-site request forgery (CSRF) vulnerabilities in the Samba Web Administration Tool (SWAT) in Samba 3.x before 3.5.10 allow remote attackers to hijack the authentication of administrators for requests that (1) shut down daemons, (2) start daemons, (3) add shares, (4) remove shares, (5) add printers, (6) remove printers, (7) add user accounts, or (8) remove user accounts, as demonstrated by certain start, stop, and restart parameters to the status program. Moderate CVE-2011-2522 SUSE bug 705241 SUSE Linux Enterprise Server 11 SP3 Directory traversal vulnerability in soup-uri.c in SoupServer in libsoup before 2.35.4 allows remote attackers to read arbitrary files via a %2e%2e (encoded dot dot) in a URI. Moderate CVE-2011-2524 SUSE bug 706630 SUSE bug 709167 SUSE Linux Enterprise Server 11 SP3 Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.19, when sendfile is enabled for the HTTP APR or HTTP NIO connector, does not validate certain request attributes, which allows local users to bypass intended file access restrictions or cause a denial of service (infinite loop or JVM crash) by leveraging an untrusted web application. Moderate CVE-2011-2526 SUSE bug 706382 SUSE Linux Enterprise Server 11 SP3 The Lucent/Ascend file parser in Wireshark 1.2.x before 1.2.18, 1.4.x through 1.4.7, and 1.6.0 allows remote attackers to cause a denial of service (infinite loop) via malformed packets. Moderate CVE-2011-2597 SUSE bug 706728 SUSE Linux Enterprise Server 11 SP3 Ruby before 1.8.7-p352 does not reset the random seed upon forking, which makes it easier for context-dependent attackers to predict the values of random numbers by leveraging knowledge of the number sequence obtained in a different child process, a related issue to CVE-2003-0900. NOTE: this issue exists because of a regression during Ruby 1.8.6 development. Low CVE-2011-2686 SUSE bug 704409 SUSE Linux Enterprise Server 11 SP3 Buffer overflow in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4, when used by an application that calls the png_rgb_to_gray function but not the png_set_expand function, allows remote attackers to overwrite memory with an arbitrary amount of data, and possibly have unspecified other impact, via a crafted PNG image. Moderate CVE-2011-2690 SUSE bug 706387 SUSE bug 706388 SUSE bug 854395 SUSE Linux Enterprise Server 11 SP3 The png_err function in pngerror.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 makes a function call using a NULL pointer argument instead of an empty-string argument, which allows remote attackers to cause a denial of service (application crash) via a crafted PNG image. Moderate CVE-2011-2691 SUSE bug 706388 SUSE Linux Enterprise Server 11 SP3 The png_handle_sCAL function in pngrutil.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 does not properly handle invalid sCAL chunks, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a crafted PNG image that triggers the reading of uninitialized memory. Moderate CVE-2011-2692 SUSE bug 706389 SUSE bug 854395 SUSE Linux Enterprise Server 11 SP3 Cross-site scripting (XSS) vulnerability in the chg_passwd function in web/swat.c in the Samba Web Administration Tool (SWAT) in Samba 3.x before 3.5.10 allows remote authenticated administrators to inject arbitrary web script or HTML via the username parameter to the passwd program (aka the user field to the Change Password page). Moderate CVE-2011-2694 SUSE Linux Enterprise Server 11 SP3 Integer overflow in libsndfile before 1.0.25 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PARIS Audio Format (PAF) file that triggers a heap-based buffer overflow. Moderate CVE-2011-2696 SUSE bug 705681 SUSE Linux Enterprise Server 11 SP3 foomatic-rip-hplip in HP Linux Imaging and Printing (HPLIP) 3.11.5 allows remote attackers to execute arbitrary code via a crafted *FoomaticRIPCommandLine field in a .ppd file. Moderate CVE-2011-2697 SUSE bug 59233 SUSE bug 698451 SUSE bug 704608 SUSE bug 852368 SUSE bug 957531 SUSE Linux Enterprise Server 11 SP3 Off-by-one error in the elem_cell_id_aux function in epan/dissectors/packet-ansi_a.c in the ANSI MAP dissector in Wireshark 1.4.x before 1.4.8 and 1.6.x before 1.6.1 allows remote attackers to cause a denial of service (infinite loop) via an invalid packet. Moderate CVE-2011-2698 SUSE bug 706728 SUSE Linux Enterprise Server 11 SP3 The SecureRandom.random_bytes function in lib/securerandom.rb in Ruby before 1.8.7-p352 and 1.9.x before 1.9.2-p290 relies on PID values for initialization, which makes it easier for context-dependent attackers to predict the result string by leveraging knowledge of random strings obtained in an earlier process with the same PID. Moderate CVE-2011-2705 SUSE bug 704409 SUSE Linux Enterprise Server 11 SP3 Off-by-one error in the cli_hm_scan function in matcher-hash.c in libclamav in ClamAV before 0.97.2 allows remote attackers to cause a denial of service (daemon crash) via an e-mail message that is not properly handled during certain hash calculations. Moderate CVE-2011-2721 SUSE bug 708263 SUSE Linux Enterprise Server 11 SP3 The send_data_to_stdout function in prnt/hpijs/hpcupsfax.cpp in HP Linux Imaging and Printing (HPLIP) 3.x before 3.11.10 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/hpcupsfax.out temporary file. Low CVE-2011-2722 SUSE bug 59233 SUSE bug 698451 SUSE bug 704608 SUSE bug 713717 SUSE bug 808355 SUSE Linux Enterprise Server 11 SP3 Directory traversal vulnerability in Ark 4.7.x and earlier allows remote attackers to delete and force the display of arbitrary files via .. (dot dot) sequences in a zip file. Moderate CVE-2011-2725 SUSE bug 708268 SUSE Linux Enterprise Server 11 SP3 The bsd_glob function in the File::Glob module for Perl before 5.14.2 allows context-dependent attackers to cause a denial of service (crash) via a glob expression with the GLOB_ALTDIRFUNC flag, which triggers an uninitialized pointer dereference. Moderate CVE-2011-2728 SUSE bug 796014 SUSE Linux Enterprise Server 11 SP3 The server in ISC DHCP 3.x and 4.x before 4.2.2, 3.1-ESV before 3.1-ESV-R3, and 4.1-ESV before 4.1-ESV-R3 allows remote attackers to cause a denial of service (daemon exit) via a crafted DHCP packet. Moderate CVE-2011-2748 SUSE bug 712653 SUSE Linux Enterprise Server 11 SP3 The server in ISC DHCP 3.x and 4.x before 4.2.2, 3.1-ESV before 3.1-ESV-R3, and 4.1-ESV before 4.1-ESV-R3 allows remote attackers to cause a denial of service (daemon exit) via a crafted BOOTP packet. Important CVE-2011-2749 SUSE bug 712653 SUSE Linux Enterprise Server 11 SP3 Double free vulnerability in libxml2, as used in Google Chrome before 13.0.782.215, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted XPath expression. Moderate CVE-2011-2821 SUSE bug 1123919 SUSE bug 732787 SUSE bug 739894 SUSE Linux Enterprise Server 11 SP3 The LZW decompressor in (1) the BufCompressedFill function in fontfile/decompress.c in X.Org libXfont before 1.4.4 and (2) compress/compress.c in 4.3BSD, as used in zopen.c in OpenBSD before 3.8, FreeBSD, NetBSD 4.0.x and 5.0.x before 5.0.3 and 5.1.x before 5.1.1, FreeType 2.1.9, and other products, does not properly handle code words that are absent from the decompression table when encountered, which allows context-dependent attackers to trigger an infinite loop or a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted compressed stream, a related issue to CVE-2006-1168 and CVE-2011-2896. Moderate CVE-2011-2895 SUSE bug 709851 SUSE bug 711487 SUSE Linux Enterprise Server 11 SP3 The LZW decompressor in the LWZReadByte function in giftoppm.c in the David Koblas GIF decoder in PBMPLUS, as used in the gif_read_lzw function in filter/image-gif.c in CUPS before 1.4.7, the LZWReadByte function in plug-ins/common/file-gif-load.c in GIMP 2.6.11 and earlier, the LZWReadByte function in img/gifread.c in XPCE in SWI-Prolog 5.10.4 and earlier, and other products, does not properly handle code words that are absent from the decompression table when encountered, which allows remote attackers to trigger an infinite loop or a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted compressed stream, a related issue to CVE-2006-1168 and CVE-2011-2895. Moderate CVE-2011-2896 SUSE bug 601830 SUSE bug 671735 SUSE bug 680210 SUSE bug 680212 SUSE bug 700987 SUSE bug 711490 SUSE bug 711491 SUSE bug 715643 SUSE Linux Enterprise Server 11 SP3 Untrusted search path vulnerability in the ThinkPadSensor::Startup function in Mozilla Firefox before 3.6.20, Thunderbird 3.x before 3.1.12, allows local users to gain privileges by leveraging write access in an unspecified directory to place a Trojan horse DLL that is loaded into the running Firefox process. Important CVE-2011-2980 SUSE bug 712224 SUSE Linux Enterprise Server 11 SP3 The event-management implementation in Mozilla Firefox before 3.6.20, SeaMonkey 2.x, Thunderbird 3.x before 3.1.12, and possibly other products does not properly select the context for script to run in, which allows remote attackers to bypass the Same Origin Policy or execute arbitrary JavaScript code with chrome privileges via a crafted web site. Important CVE-2011-2981 SUSE bug 712224 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.6.20, Thunderbird 2.x and 3.x before 3.1.12, SeaMonkey 1.x and 2.x, and possibly other products allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Important CVE-2011-2982 SUSE bug 712224 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 3.6.20, Thunderbird 2.x and 3.x before 3.1.12, SeaMonkey 1.x and 2.x, and possibly other products does not properly handle the RegExp.input property, which allows remote attackers to bypass the Same Origin Policy and read data from a different domain via a crafted web site, possibly related to a use-after-free. Important CVE-2011-2983 SUSE bug 712224 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.6.23 and 4.x through 6, Thunderbird before 7.0, and SeaMonkey before 2.4 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Important CVE-2011-2995 SUSE bug 720264 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the plugin API in Mozilla Firefox 3.6.x before 3.6.23 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Critical CVE-2011-2996 SUSE bug 720264 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 6, Thunderbird before 7.0, and SeaMonkey before 2.4 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Critical CVE-2011-2997 SUSE bug 720264 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 3.6.23 and 4.x through 5, Thunderbird before 6.0, and SeaMonkey before 2.3 do not properly handle "location" as the name of a frame, which allows remote attackers to bypass the Same Origin Policy via a crafted web site, a different vulnerability than CVE-2010-0170. Important CVE-2011-2999 SUSE bug 720264 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 3.6.23 and 4.x through 6, Thunderbird before 7.0, and SeaMonkey before 2.4 do not properly handle HTTP responses that contain multiple Location, Content-Length, or Content-Disposition headers, which makes it easier for remote attackers to conduct HTTP response splitting attacks via crafted header values. Important CVE-2011-3000 SUSE bug 720264 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox 4.x through 6, Thunderbird before 7.0, and SeaMonkey before 2.4 do not prevent manual add-on installation in response to the holding of the Enter key, which allows user-assisted remote attackers to bypass intended access restrictions via a crafted web site that triggers an unspecified internal error. Moderate CVE-2011-3001 SUSE bug 720264 SUSE Linux Enterprise Server 11 SP3 Almost Native Graphics Layer Engine (ANGLE), as used in Mozilla Firefox before 7.0 and SeaMonkey before 2.4, does not validate the return value of a GrowAtomTable function call, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors that trigger a memory-allocation error and a resulting buffer overflow. Critical CVE-2011-3002 SUSE bug 720264 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 7.0 and SeaMonkey before 2.4 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an unspecified WebGL test case that triggers a memory-allocation error and a resulting out-of-bounds write operation. Critical CVE-2011-3003 SUSE bug 720264 SUSE Linux Enterprise Server 11 SP3 The JSSubScriptLoader in Mozilla Firefox 4.x through 6 and SeaMonkey before 2.4 does not properly handle XPCNativeWrappers during calls to the loadSubScript method in an add-on, which makes it easier for remote attackers to gain privileges via a crafted web site that leverages certain unwrapping behavior. Important CVE-2011-3004 SUSE bug 720264 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in Mozilla Firefox 4.x through 6, Thunderbird before 7.0, and SeaMonkey before 2.4 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted OGG headers in a .ogg file. Critical CVE-2011-3005 SUSE bug 720264 SUSE Linux Enterprise Server 11 SP3 Ruby before 1.8.6-p114 does not reset the random seed upon forking, which makes it easier for context-dependent attackers to predict the values of random numbers by leveraging knowledge of the number sequence obtained in a different child process, a related issue to CVE-2003-0900. Moderate CVE-2011-3009 SUSE bug 704409 SUSE Linux Enterprise Server 11 SP3 Integer overflow in libpng, as used in Google Chrome before 17.0.963.56, allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that trigger an integer truncation. Moderate CVE-2011-3026 SUSE bug 747311 SUSE bug 747327 SUSE bug 747328 SUSE bug 773612 SUSE bug 854395 SUSE Linux Enterprise Server 11 SP3 The png_set_text_2 function in pngset.c in libpng 1.0.x before 1.0.59, 1.2.x before 1.2.49, 1.4.x before 1.4.11, and 1.5.x before 1.5.10 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted text chunk in a PNG image file, which triggers a memory allocation failure that is not properly handled, leading to a heap-based buffer overflow. Moderate CVE-2011-3048 SUSE bug 754745 SUSE bug 854395 SUSE Linux Enterprise Server 11 SP3 Off-by-one error in the OpenType Sanitizer in Google Chrome before 18.0.1025.142 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted OpenType file. Moderate CVE-2011-3062 SUSE bug 754458 SUSE bug 758408 SUSE Linux Enterprise Server 11 SP3 Google Chrome before 19.0.1084.46 on Linux does not properly mitigate an unspecified flaw in an NVIDIA driver, which has unknown impact and attack vectors. NOTE: see CVE-2012-3105 for the related MFSA 2012-34 issue in Mozilla products. Important CVE-2011-3101 SUSE bug 762481 SUSE bug 765204 SUSE Linux Enterprise Server 11 SP3 Off-by-one error in libxml2, as used in Google Chrome before 19.0.1084.46 and other products, allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact via unknown vectors. Moderate CVE-2011-3102 SUSE bug 1123919 SUSE bug 762481 SUSE bug 764538 SUSE Linux Enterprise Server 11 SP3 When mount.ecrpytfs_private before version 87-0ubuntu1.2 calls setreuid() it doesn't also set the effective group id. So when it creates the new version, mtab.tmp, it's created with the group id of the user running mount.ecryptfs_private. Critical CVE-2011-3145 SUSE bug 735342 SUSE Linux Enterprise Server 11 SP3 librsvg before 2.34.1 uses the node name to identify the type of node, which allows context-dependent attackers to cause a denial of service (NULL pointer dereference) and possibly execute arbitrary code via a SVG file with a node with the element name starting with "fe," which is misidentified as a RsvgFilterPrimitive. Moderate CVE-2011-3146 SUSE bug 714980 SUSE Linux Enterprise Server 11 SP3 Stack-based buffer overflow in the _assemble_line function in modules/pam_env/pam_env.c in Linux-PAM (aka pam) before 1.1.5 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a long string of white spaces at the beginning of the ~/.pam_environment file. Moderate CVE-2011-3148 SUSE bug 724480 SUSE Linux Enterprise Server 11 SP3 The _expand_arg function in the pam_env module (modules/pam_env/pam_env.c) in Linux-PAM (aka pam) before 1.1.5 does not properly handle when environment variable expansion can overflow, which allows local users to cause a denial of service (CPU consumption). Low CVE-2011-3149 SUSE bug 724480 SUSE Linux Enterprise Server 11 SP3 The gif_read_lzw function in filter/image-gif.c in CUPS 1.4.8 and earlier does not properly handle the first code word in an LZW stream, which allows remote attackers to trigger a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted stream, a different vulnerability than CVE-2011-2896. Moderate CVE-2011-3170 SUSE bug 601830 SUSE bug 671735 SUSE bug 680210 SUSE bug 680212 SUSE bug 700987 SUSE bug 711490 SUSE bug 715643 SUSE Linux Enterprise Server 11 SP3 Directory traversal vulnerability in pure-FTPd 1.0.22 and possibly other versions, when running on SUSE Linux Enterprise Server and possibly other operating systems, when the Netware OES remote server feature is enabled, allows local users to overwrite arbitrary files via unknown vectors. Low CVE-2011-3171 SUSE bug 703035 SUSE bug 716585 SUSE Linux Enterprise Server 11 SP3-TERADATA A vulnerability in pam_modules of SUSE SUSE Linux Enterprise allows attackers to log into accounts that should have been disabled. Affected releases are SUSE SUSE Linux Enterprise: versions prior to 12. Critical CVE-2011-3172 SUSE bug 1149683 SUSE bug 707645 SUSE Linux Enterprise Server 11 SP3 The YaST2 network created files with world readable permissions which could have allowed local users to read sensitive material out of network configuration files, like passwords for wireless networks. Low CVE-2011-3177 SUSE bug 713661 SUSE Linux Enterprise Server 11 SP3 Certain AJP protocol connector implementations in Apache Tomcat 7.0.0 through 7.0.20, 6.0.0 through 6.0.33, 5.5.0 through 5.5.33, and possibly other versions allow remote attackers to spoof AJP requests, bypass authentication, and obtain sensitive information by causing the connector to interpret a request body as a new request. Important CVE-2011-3190 SUSE bug 715991 SUSE Linux Enterprise Server 11 SP3 Integer signedness error in the CIFSFindNext function in fs/cifs/cifssmb.c in the Linux kernel before 3.1 allows remote CIFS servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a large length value in a response to a read request for a directory. Moderate CVE-2011-3191 SUSE bug 714001 SUSE Linux Enterprise Server 11 SP3 The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges, as exploited in the wild in August 2011, a different vulnerability than CVE-2007-0086. Important CVE-2011-3192 SUSE bug 713966 SUSE bug 714306 SUSE bug 716634 SUSE bug 718106 SUSE bug 722545 SUSE bug 726139 SUSE bug 732051 SUSE bug 983778 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file. Moderate CVE-2011-3193 SUSE bug 714984 SUSE Linux Enterprise Server 11 SP3 Stack-based buffer overflow in the parseLegacySyslogMsg function in tools/syslogd.c in rsyslogd in rsyslog 4.6.x before 4.6.8 and 5.2.0 through 5.8.4 might allow remote attackers to cause a denial of service (application exit) via a long TAG in a legacy syslog message. Moderate CVE-2011-3200 SUSE bug 714658 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in the gopherToHTML function in gopher.cc in the Gopher reply parser in Squid 3.0 before 3.0.STABLE26, 3.1 before 3.1.15, and 3.2 before 3.2.0.11 allows remote Gopher servers to cause a denial of service (memory corruption and daemon restart) or possibly have unspecified other impact via a long line in a response. NOTE: This issue exists because of a CVE-2005-0094 regression. Moderate CVE-2011-3205 SUSE bug 715171 SUSE Linux Enterprise Server 11 SP3 The ephemeral ECDH ciphersuite functionality in OpenSSL 0.9.8 through 0.9.8r and 1.0.x before 1.0.0e does not ensure thread safety during processing of handshake messages from clients, which allows remote attackers to cause a denial of service (daemon crash) via out-of-order messages that violate the TLS protocol. Moderate CVE-2011-3210 SUSE bug 716144 SUSE Linux Enterprise Server 11 SP3 YARR, as used in Mozilla Firefox before 7.0, Thunderbird before 7.0, and SeaMonkey before 2.4, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted JavaScript. Critical CVE-2011-3232 SUSE bug 720264 SUSE Linux Enterprise Server 11 SP3 FreeType 2 before 2.4.7, as used in CoreGraphics in Apple iOS before 5, Mandriva Enterprise Server 5, and possibly other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted font, a different vulnerability than CVE-2011-0226. Moderate CVE-2011-3256 SUSE bug 728044 SUSE bug 730124 SUSE bug 748083 SUSE Linux Enterprise Server 11 SP3 The proto_tree_add_item function in Wireshark 1.6.0 through 1.6.1 and 1.4.0 through 1.4.8, when the IKEv1 protocol dissector is used, allows user-assisted remote attackers to cause a denial of service (infinite loop) via vectors involving a malformed IKE packet and many items in a tree. Moderate CVE-2011-3266 SUSE bug 718032 SUSE Linux Enterprise Server 11 SP3 ulp/sdp/sdp_proc.c in the ib_sdp module (aka ib_sdp.ko) in the ofa_kernel package in the InfiniBand driver implementation in OpenFabrics Enterprise Distribution (OFED) before 1.5.3 does not properly handle certain non-array variables, which allows local users to cause a denial of service (stack memory corruption and system crash) by reading the /proc/net/sdpstats file. Important CVE-2011-3345 SUSE bug 706175 SUSE Linux Enterprise Server 11 SP3 The mod_proxy_ajp module in the Apache HTTP Server before 2.2.21, when used with mod_proxy_balancer in certain configurations, allows remote attackers to cause a denial of service (temporary "error state" in the backend server) via a malformed HTTP request. Moderate CVE-2011-3348 SUSE bug 719236 SUSE bug 722545 SUSE Linux Enterprise Server 11 SP3 Untrusted search path vulnerability in Wireshark 1.4.x before 1.4.9 and 1.6.x before 1.6.2 allows local users to gain privileges via a Trojan horse Lua script in an unspecified directory. Moderate CVE-2011-3360 SUSE bug 718032 SUSE Linux Enterprise Server 11 SP3 The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an initial @ (at sign) character. Moderate CVE-2011-3368 SUSE bug 722545 SUSE bug 728876 SUSE bug 729181 SUSE bug 791794 SUSE Linux Enterprise Server 11 SP3 imap/nntpd.c in the NNTP server (nntpd) for Cyrus IMAPd 2.4.x before 2.4.12 allows remote attackers to bypass authentication by sending an AUTHINFO USER command without sending an additional AUTHINFO PASS command. Moderate CVE-2011-3372 SUSE bug 719998 SUSE Linux Enterprise Server 11 SP3 The is_a function in PHP 5.3.7 and 5.3.8 triggers a call to the __autoload function, which makes it easier for remote attackers to execute arbitrary code by providing a crafted URL and leveraging potentially unsafe behavior in certain PEAR packages and custom autoloaders. Moderate CVE-2011-3379 SUSE bug 728350 SUSE Linux Enterprise Server 11 SP3 The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack. Moderate CVE-2011-3389 SUSE bug 716002 SUSE bug 719047 SUSE bug 725167 SUSE bug 726096 SUSE bug 739248 SUSE bug 739256 SUSE bug 742306 SUSE bug 751718 SUSE bug 759666 SUSE bug 814655 SUSE Linux Enterprise Server 11 SP3 FreeType in CoreGraphics in Apple iOS before 5.0.1 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted font in a document. Moderate CVE-2011-3439 SUSE bug 730124 SUSE bug 748083 SUSE Linux Enterprise Server 11 SP3 Wireshark 1.6.x before 1.6.2 allows remote attackers to cause a denial of service (application crash) via a malformed capture file that leads to an invalid root tvbuff, related to a "buffer exception handling vulnerability." Moderate CVE-2011-3483 SUSE bug 718032 SUSE Linux Enterprise Server 11 SP3 Directory traversal vulnerability in device-linux.c in the router advertisement daemon (radvd) before 1.8.2 allows local users to overwrite arbitrary files, and remote attackers to overwrite certain files, via a .. (dot dot) in an interface name. NOTE: this can be leveraged with a symlink to overwrite arbitrary files. Low CVE-2011-3602 SUSE bug 721968 SUSE Linux Enterprise Server 11 SP3 The router advertisement daemon (radvd) before 1.8.2 does not properly handle errors in the privsep_init function, which causes the radvd daemon to run as root and has an unspecified impact. Moderate CVE-2011-3603 SUSE bug 721968 SUSE Linux Enterprise Server 11 SP3 The process_ra function in the router advertisement daemon (radvd) before 1.8.2 allows remote attackers to cause a denial of service (stack-based buffer over-read and crash) via unspecified vectors. Moderate CVE-2011-3604 SUSE bug 721968 SUSE Linux Enterprise Server 11 SP3 The process_rs function in the router advertisement daemon (radvd) before 1.8.2, when UnicastOnly is enabled, allows remote attackers to cause a denial of service (temporary service hang) via a large number of ND_ROUTER_SOLICIT requests. Low CVE-2011-3605 SUSE bug 721968 SUSE Linux Enterprise Server 11 SP3 Integer overflow in the ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, allows local users to gain privileges via a .htaccess file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, leading to a heap-based buffer overflow. Moderate CVE-2011-3607 SUSE bug 728876 SUSE bug 729181 SUSE bug 729183 SUSE bug 806721 SUSE Linux Enterprise Server 11 SP3 The bytecode engine in ClamAV before 0.97.3 allows remote attackers to cause a denial of service (crash) via vectors related to "recursion level" and (1) libclamav/bytecode.c and (2) libclamav/bytecode_api.c. Moderate CVE-2011-3627 SUSE bug 724856 SUSE bug 809945 SUSE Linux Enterprise Server 11 SP3 The mod_proxy module in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x before 2.2.18, when the Revision 1179239 patch is in place, does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers by using the HTTP/0.9 protocol with a malformed URI containing an initial @ (at sign) character. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-3368. Moderate CVE-2011-3639 SUSE bug 722545 SUSE Linux Enterprise Server 11 SP3 The JSSubScriptLoader in Mozilla Firefox before 3.6.24 and Thunderbird before 3.1.6 does not properly handle XPCNativeWrappers during calls to the loadSubScript method in an add-on, which makes it easier for remote attackers to gain privileges via a crafted web site that leverages certain unwrapping behavior, a related issue to CVE-2011-3004. Important CVE-2011-3647 SUSE Linux Enterprise Server 11 SP3 Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 3.6.24 and 4.x through 7.0 and Thunderbird before 3.1.6 and 5.0 through 7.0 allows remote attackers to inject arbitrary web script or HTML via crafted text with Shift JIS encoding. Moderate CVE-2011-3648 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 3.6.24 and 4.x through 7.0 and Thunderbird before 3.1.6 and 5.0 through 7.0 do not properly handle JavaScript files that contain many functions, which allows user-assisted remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a crafted file that is accessed by debugging APIs, as demonstrated by Firebug. Moderate CVE-2011-3650 SUSE Linux Enterprise Server 11 SP3 The SVG implementation in Mozilla Firefox 8.0, Thunderbird 8.0, and SeaMonkey 2.5 does not properly interact with DOMAttrModified event handlers, which allows remote attackers to cause a denial of service (out-of-bounds memory access) or possibly have unspecified other impact via vectors involving removal of SVG elements. Important CVE-2011-3658 SUSE bug 737533 SUSE bug 746591 SUSE bug 747320 SUSE bug 750044 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in Mozilla Firefox before 3.6.26 and 4.x through 9.0, Thunderbird before 3.1.18 and 5.0 through 9.0, and SeaMonkey before 2.7 might allow remote attackers to execute arbitrary code via vectors related to incorrect AttributeChildRemoved notifications that affect access to removed nsDOMAttribute child nodes. Important CVE-2011-3659 SUSE bug 744275 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 4.x through 8.0, Thunderbird 5.0 through 8.0, and SeaMonkey before 2.6 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors that trigger a compartment mismatch associated with the nsDOMMessageEvent::GetData function, and unknown other vectors. Critical CVE-2011-3660 SUSE bug 737533 SUSE Linux Enterprise Server 11 SP3 YARR, as used in Mozilla Firefox 4.x through 8.0, Thunderbird 5.0 through 8.0, and SeaMonkey before 2.6, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted JavaScript. Important CVE-2011-3661 SUSE bug 737533 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox 4.x through 8.0, Thunderbird 5.0 through 8.0, and SeaMonkey before 2.6 allow remote attackers to capture keystrokes entered on a web page, even when JavaScript is disabled, by using SVG animation accessKey events within that web page. Important CVE-2011-3663 SUSE bug 737533 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox 4.x through 8.0, Thunderbird 5.0 through 8.0, and SeaMonkey before 2.6 allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an Ogg VIDEO element that is not properly handled after scaling. Important CVE-2011-3665 SUSE bug 737533 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 3.6.25 and Thunderbird before 3.1.17 on Mac OS X do not consider .jar files to be executable files, which allows user-assisted remote attackers to bypass intended access restrictions via a crafted file. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-2372 on Mac OS X. Important CVE-2011-3666 SUSE bug 737533 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 3.6.26 and 4.x through 6.0, Thunderbird before 3.1.18 and 5.0 through 6.0, and SeaMonkey before 2.4 do not properly enforce the IPv6 literal address syntax, which allows remote attackers to obtain sensitive information by making XMLHttpRequest calls through a proxy and reading the error messages. Low CVE-2011-3670 SUSE bug 744275 SUSE Linux Enterprise Server 11 SP3 Directory traversal vulnerability in Puppet 2.6.x before 2.6.10 and 2.7.x before 2.7.4 allows remote attackers to write X.509 Certificate Signing Request (CSR) to arbitrary locations via (1) a double-encoded key parameter in the URI in 2.7.x, (2) the CN in the Subject of a CSR in 2.6 and 0.25. Moderate CVE-2011-3848 SUSE bug 721139 SUSE bug 726372 SUSE Linux Enterprise Server 11 SP3 Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x allows local users to overwrite arbitrary files via a symlink attack on the .k5login file. Moderate CVE-2011-3869 SUSE bug 726372 SUSE bug 727024 SUSE Linux Enterprise Server 11 SP3 Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x allows local users to modify the permissions of arbitrary files via a symlink attack on the SSH authorized_keys file. Moderate CVE-2011-3870 SUSE bug 726372 SUSE bug 727025 SUSE Linux Enterprise Server 11 SP3 Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x, when running in --edit mode, uses a predictable file name, which allows local users to run arbitrary Puppet code or trick a user into editing arbitrary files. Moderate CVE-2011-3871 SUSE bug 726372 SUSE Linux Enterprise Server 11 SP3 Puppet 2.6.x before 2.6.12 and 2.7.x before 2.7.6, and Puppet Enterprise (PE) Users 1.0, 1.1, and 1.2 before 1.2.4, when signing an agent certificate, adds the Puppet master's certdnsnames values to the X.509 Subject Alternative Name field of the certificate, which allows remote attackers to spoof a Puppet master via a man-in-the-middle (MITM) attack against an agent that uses an alternate DNS name for the master, aka "AltNames Vulnerability." Moderate CVE-2011-3872 SUSE bug 726372 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in libxml2, as used in Google Chrome before 16.0.912.75, allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. Moderate CVE-2011-3919 SUSE bug 1123919 SUSE bug 739894 SUSE bug 740493 SUSE Linux Enterprise Server 11 SP3 Stack-based buffer overflow in Google Chrome before 16.0.912.75 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to glyph handling. Moderate CVE-2011-3922 SUSE bug 739904 SUSE bug 740493 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA libxslt, as used in Google Chrome before 17.0.963.46, allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. Moderate CVE-2011-3970 SUSE bug 746039 SUSE bug 747327 SUSE Linux Enterprise Server 11 SP3 The LockServer function in os/utils.c in X.Org xserver before 1.11.2 allows local users to determine the existence of arbitrary files via a symlink attack on a temporary lock file, which is handled differently if the file exists. Moderate CVE-2011-4028 SUSE bug 722944 SUSE Linux Enterprise Server 11 SP3 The LockServer function in os/utils.c in X.Org xserver before 1.11.2 allows local users to change the permissions of arbitrary files to 444, read those files, and possibly cause a denial of service (removed execution permission) via a symlink attack on a temporary lock file. Moderate CVE-2011-4029 SUSE bug 722944 SUSE Linux Enterprise Server 11 SP3 The journal_unmap_buffer function in fs/jbd2/transaction.c in the Linux kernel before 3.3.1 does not properly handle the _Delay and _Unwritten buffer head states, which allows local users to cause a denial of service (system crash) by leveraging the presence of an ext4 filesystem that was mounted with a journal. Moderate CVE-2011-4086 SUSE bug 745832 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The idnsGrokReply function in Squid before 3.1.16 does not properly free memory, which allows remote attackers to cause a denial of service (daemon abort) via a DNS reply containing a CNAME record that references another CNAME record that contains an empty A record. Moderate CVE-2011-4096 SUSE bug 727492 SUSE Linux Enterprise Server 11 SP3 Integer overflow in the oom_badness function in mm/oom_kill.c in the Linux kernel before 3.1.8 on 64-bit platforms allows local users to cause a denial of service (memory consumption or process termination) by using a certain large amount of memory. Moderate CVE-2011-4097 SUSE bug 653148 SUSE bug 727493 SUSE Linux Enterprise Server 11 SP3 The capsh program in libcap before 2.22 does not change the current working directory when the --chroot option is specified, which allows local users to bypass the chroot restrictions via unspecified vectors. Moderate CVE-2011-4099 SUSE bug 727713 SUSE bug 727715 SUSE Linux Enterprise Server 11 SP3 The DTLS implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f performs a MAC check only if certain padding is valid, which makes it easier for remote attackers to recover plaintext via a padding oracle attack. Moderate CVE-2011-4108 SUSE bug 739719 SUSE bug 742821 SUSE bug 758060 SUSE bug 778825 SUSE Linux Enterprise Server 11 SP3 Double free vulnerability in OpenSSL 0.9.8 before 0.9.8s, when X509_V_FLAG_POLICY_CHECK is enabled, allows remote attackers to have an unspecified impact by triggering failure of a policy check. Moderate CVE-2011-4109 SUSE bug 739719 SUSE bug 758060 SUSE Linux Enterprise Server 11 SP3 The Linux kernel before 3.2.2 does not properly restrict SG_IO ioctl calls, which allows local users to bypass intended restrictions on disk read and write operations by sending a SCSI command to (1) a partition block device or (2) an LVM volume. Important CVE-2011-4127 SUSE bug 653148 SUSE bug 738400 SUSE Linux Enterprise Server 11 SP3 Buffer overflow in the gnutls_session_get_data function in lib/gnutls_session.c in GnuTLS 2.12.x before 2.12.14 and 3.x before 3.0.7, when used on a client that performs nonstandard session resumption, allows remote TLS servers to cause a denial of service (application crash) via a large SessionTicket. Moderate CVE-2011-4128 SUSE bug 729486 SUSE Linux Enterprise Server 11 SP3 The NFSv4 implementation in the Linux kernel before 3.2.2 does not properly handle bitmap sizes in GETACL replies, which allows remote NFS servers to cause a denial of service (OOPS) by sending an excessive number of bitmap words. Moderate CVE-2011-4131 SUSE bug 653148 SUSE bug 730117 SUSE bug 762992 SUSE Linux Enterprise Server 11 SP3 PHP 5.3.8 does not always check the return value of the zend_strndup function, which might allow remote attackers to cause a denial of service (NULL pointer dereference and application crash) via crafted input to an application that performs strndup operations on untrusted string data, as demonstrated by the define function in zend_builtin_functions.c, and unspecified functions in ext/soap/php_sdl.c, ext/standard/syslog.c, ext/standard/browscap.c, ext/oci8/oci8.c, ext/com_dotnet/com_typeinfo.c, and main/php_open_temporary_file.c. Moderate CVE-2011-4153 SUSE bug 733590 SUSE bug 736169 SUSE bug 738221 SUSE bug 741520 SUSE bug 741859 SUSE bug 742273 SUSE bug 742806 SUSE bug 743308 SUSE bug 744966 SUSE bug 746661 SUSE bug 749111 SUSE Linux Enterprise Server 11 SP3 Missing escaping of ESSID values in sysconfig of SUSE Linux Enterprise allows attackers controlling an access point to cause execute arbitrary code. Affected releases are sysconfig prior to 0.83.7-2.1. Moderate CVE-2011-4182 SUSE bug 735394 SUSE Linux Enterprise Server 11 SP3 query.c in ISC BIND 9.0.x through 9.6.x, 9.4-ESV through 9.4-ESV-R5, 9.6-ESV through 9.6-ESV-R5, 9.7.0 through 9.7.4, 9.8.0 through 9.8.1, and 9.9.0a1 through 9.9.0b1 allows remote attackers to cause a denial of service (assertion failure and named exit) via unknown vectors related to recursive DNS queries, error logging, and the caching of an invalid record by the resolver. Important CVE-2011-4313 SUSE bug 730995 SUSE bug 738156 SUSE Linux Enterprise Server 11 SP3 The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21, when the Revision 1179239 patch is in place, does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an @ (at sign) character and a : (colon) character in invalid positions. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-3368. Moderate CVE-2011-4317 SUSE bug 722545 SUSE bug 728876 SUSE bug 729181 SUSE bug 791794 SUSE Linux Enterprise Server 11 SP3 crypto/bn/bn_nist.c in OpenSSL before 0.9.8h on 32-bit platforms, as used in stunnel and other products, in certain circumstances involving ECDH or ECDHE cipher suites, uses an incorrect modular reduction algorithm in its implementation of the P-256 and P-384 NIST elliptic curves, which allows remote attackers to obtain the private key of a TLS server via multiple handshake attempts. Moderate CVE-2011-4354 SUSE bug 733252 SUSE bug 808942 SUSE Linux Enterprise Server 11 SP3 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2011. Notes: none. Low CVE-2011-4388 SUSE bug 778003 SUSE Linux Enterprise Server 11 SP3 The cupshelpers scripts in system-config-printer in Ubuntu 11.04 and 11.10, as used by the automatic printer driver download service, uses an "insecure connection" for queries to the OpenPrinting database, which allows remote attackers to execute arbitrary code via a man-in-the-middle (MITM) attack that modifies packages or repositories. Moderate CVE-2011-4405 SUSE bug 733542 SUSE bug 735322 SUSE Linux Enterprise Server 11 SP3 dhcpd in ISC DHCP 4.x before 4.2.3-P1 and 4.1-ESV before 4.1-ESV-R4 does not properly handle regular expressions in dhcpd.conf, which allows remote attackers to cause a denial of service (daemon crash) via a crafted request packet. Moderate CVE-2011-4539 SUSE bug 735610 SUSE bug 741239 SUSE Linux Enterprise Server 11 SP3 Integer overflow in the exif_process_IFD_TAG function in exif.c in the exif extension in PHP 5.4.0beta2 on 32-bit platforms allows remote attackers to read the contents of arbitrary memory locations or cause a denial of service via a crafted offset_val value in an EXIF header in a JPEG file, a different vulnerability than CVE-2011-0708. Moderate CVE-2011-4566 SUSE bug 733590 SUSE bug 736169 SUSE bug 738221 SUSE bug 741520 SUSE bug 741859 SUSE bug 742273 SUSE bug 742806 SUSE bug 743308 SUSE bug 744966 SUSE bug 746661 SUSE bug 749111 SUSE Linux Enterprise Server 11 SP3 The SSL 3.0 implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly initialize data structures for block cipher padding, which might allow remote attackers to obtain sensitive information by decrypting the padding data sent by an SSL peer. Moderate CVE-2011-4576 SUSE bug 739719 SUSE bug 758060 SUSE bug 778825 SUSE Linux Enterprise Server 11 SP3 OpenSSL before 0.9.8s and 1.x before 1.0.0f, when RFC 3779 support is enabled, allows remote attackers to cause a denial of service (assertion failure) via an X.509 certificate containing certificate-extension data associated with (1) IP address blocks or (2) Autonomous System (AS) identifiers. Moderate CVE-2011-4577 SUSE bug 739719 SUSE bug 758060 SUSE Linux Enterprise Server 11 SP3 event.c in acpid (aka acpid2) before 2.0.11 does not have an appropriate umask setting during execution of event-handler scripts, which might allow local users to (1) perform write operations within directories created by a script, or (2) read files created by a script, via standard filesystem system calls. Low CVE-2011-4578 SUSE bug 735282 SUSE Linux Enterprise Server 11 SP3 The networkReloadIptablesRules function in network/bridge_driver.c in libvirt before 0.9.9 does not properly handle firewall rules on bridge networks when libvirtd is restarted, which might allow remote attackers to bypass intended access restrictions via a (1) DNS or (2) DHCP query. Low CVE-2011-4600 SUSE bug 736082 SUSE Linux Enterprise Server 11 SP3 The bat_socket_read function in net/batman-adv/icmp_socket.c in the Linux kernel before 3.3 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted batman-adv ICMP packet. Moderate CVE-2011-4604 SUSE bug 736149 SUSE Linux Enterprise Server 11 SP3 The Server Gated Cryptography (SGC) implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly handle handshake restarts, which allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors. Moderate CVE-2011-4619 SUSE bug 739719 SUSE bug 758060 SUSE bug 799454 SUSE Linux Enterprise Server 11 SP3 The create_pit_timer function in arch/x86/kvm/i8254.c in KVM 83, and possibly other versions, does not properly handle when Programmable Interval Timer (PIT) interrupt requests (IRQs) when a virtual interrupt controller (irqchip) is not available, which allows local users to cause a denial of service (NULL pointer dereference) by starting a timer. Moderate CVE-2011-4622 SUSE bug 653148 SUSE bug 738210 SUSE Linux Enterprise Server 11 SP3 Ruby (aka CRuby) before 1.8.7-p357 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. Important CVE-2011-4815 SUSE bug 739122 SUSE Linux Enterprise Server 11 SP3 Buffer overflow in libtelnet/encrypt.c in telnetd in FreeBSD 7.3 through 9.0, MIT Kerberos Version 5 Applications (aka krb5-appl) 1.0.2 and earlier, Heimdal 1.5.1 and earlier, GNU inetutils, and possibly other products allows remote attackers to execute arbitrary code via a long encryption key, as exploited in the wild in December 2011. Important CVE-2011-4862 SUSE bug 738632 SUSE Linux Enterprise Server 11 SP3 The logging functionality in dhcpd in ISC DHCP before 4.2.3-P2, when using Dynamic DNS (DDNS) and issuing IPv6 addresses, does not properly handle the DHCPv6 lease structure, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via crafted packets related to a lease-status update. Moderate CVE-2011-4868 SUSE bug 741239 SUSE Linux Enterprise Server 11 SP3 PHP before 5.3.9 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. Moderate CVE-2011-4885 SUSE bug 733590 SUSE bug 736169 SUSE bug 738221 SUSE bug 741520 SUSE bug 741859 SUSE bug 742273 SUSE bug 742806 SUSE bug 743308 SUSE bug 744966 SUSE bug 746661 SUSE bug 749111 SUSE Linux Enterprise Server 11 SP3 Python 2.6 through 3.2 creates ~/.pypirc with world-readable permissions before changing them after data has been written, which introduces a race condition that allows local users to obtain a username and password by reading this file. Low CVE-2011-4944 SUSE bug 754447 SUSE Linux Enterprise Server 11 SP3 modules/rlm_unix/rlm_unix.c in FreeRADIUS before 2.2.0, when unix mode is enabled for user authentication, does not properly check the password expiration in /etc/shadow, which allows remote authenticated users to authenticate using an expired password. Moderate CVE-2011-4966 SUSE bug 797313 SUSE Linux Enterprise Server 11 SP3 The ssh_gssapi_parse_ename function in gss-serv.c in OpenSSH 5.8 and earlier, when gssapi-with-mic authentication is enabled, allows remote authenticated users to cause a denial of service (memory consumption) via a large value in a certain length field. NOTE: there may be limited scenarios in which this issue is relevant. Low CVE-2011-5000 SUSE bug 755505 SUSE bug 756370 SUSE bug 826672 SUSE bug 881234 SUSE bug 996040 SUSE Linux Enterprise Server 11 SP3 The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check qop values, which might allow remote attackers to bypass intended integrity-protection requirements via a qop=auth value, a different vulnerability than CVE-2011-1184. Moderate CVE-2011-5062 SUSE bug 735343 SUSE bug 741533 SUSE Linux Enterprise Server 11 SP3 The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check realm values, which might allow remote attackers to bypass intended access restrictions by leveraging the availability of a protection space with weaker authentication or authorization requirements, a different vulnerability than CVE-2011-1184. Moderate CVE-2011-5063 SUSE bug 735343 SUSE bug 741530 SUSE Linux Enterprise Server 11 SP3 DigestAuthenticator.java in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 uses Catalina as the hard-coded server secret (aka private key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging knowledge of this string, a different vulnerability than CVE-2011-1184. Moderate CVE-2011-5064 SUSE bug 735343 SUSE bug 741531 SUSE Linux Enterprise Server 11 SP3 The Diffie-Hellman key-exchange implementation in OpenSSL 0.9.8, when FIPS mode is enabled, does not properly validate a public parameter, which makes it easier for man-in-the-middle attackers to obtain the shared secret key by modifying network traffic, a related issue to CVE-2011-1923. Moderate CVE-2011-5095 SUSE bug 768097 SUSE bug 773908 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in Intel Trusted Execution Technology (TXT) SINIT Authenticated Code Modules (ACM) in Intel Q67 Express, C202, C204, C206 Chipsets, and Mobile Intel QM67, and QS67 Chipset before 2nd_gen_i5_i7_SINIT_51.BIN Express; Intel Q57, 3450 Chipsets and Mobile Intel QM57 and QS57 Express Chipset before i5_i7_DUAL_SINIT_51.BIN and i7_QUAD_SINIT_51.BIN; Mobile Intel GM45, GS45, and PM45 Express Chipset before GM45_GS45_PM45_SINIT_51.BIN; Intel Q35 Express Chipsets before Q35_SINIT_51.BIN; and Intel 5520, 5500, X58, and 7500 Chipsets before SINIT ACM 1.1 allows local users to bypass the Trusted Execution Technology protection mechanism and perform other unspecified SINIT ACM functions via unspecified vectors. Important CVE-2011-5174 SUSE bug 1069754 SUSE bug 736671 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server 2.2.17 through 2.2.21, when a threaded MPM is used, does not properly handle a %{}C format string, which allows remote attackers to cause a denial of service (daemon crash) via a cookie that lacks both a name and a value. Moderate CVE-2012-0021 SUSE bug 1078450 SUSE bug 1095150 SUSE bug 743744 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Apache Tomcat 5.5.x before 5.5.35, 6.x before 6.0.34, and 7.x before 7.0.23 uses an inefficient approach for handling parameters, which allows remote attackers to cause a denial of service (CPU consumption) via a request that contains many parameters and parameter values, a different vulnerability than CVE-2011-4858. Moderate CVE-2012-0022 SUSE bug 742477 SUSE bug 745056 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in the process_tx_desc function in the e1000 emulation (hw/e1000.c) in qemu-kvm 0.12, and possibly other versions, allows guest OS users to cause a denial of service (QEMU crash) and possibly execute arbitrary code via crafted legacy mode packets. Important CVE-2012-0029 SUSE bug 740165 SUSE bug 747331 SUSE bug 757537 SUSE Linux Enterprise Server 11 SP3 scoreboard.c in the Apache HTTP Server 2.2.21 and earlier might allow local users to cause a denial of service (daemon crash during shutdown) or possibly have unspecified other impact by modifying a certain type field within a scoreboard shared memory segment, leading to an invalid call to the free function. Moderate CVE-2012-0031 SUSE bug 741243 SUSE bug 806721 SUSE Linux Enterprise Server 11 SP3 Integer overflow in the xfs_acl_from_disk function in fs/xfs/xfs_acl.c in the Linux kernel before 3.1.9 allows local users to cause a denial of service (panic) via a filesystem with a malformed ACL, leading to a heap-based buffer overflow. Moderate CVE-2012-0038 SUSE bug 740703 SUSE Linux Enterprise Server 11 SP3 The em_syscall function in arch/x86/kvm/emulate.c in the KVM implementation in the Linux kernel before 3.2.14 does not properly handle the 0f05 (aka syscall) opcode, which allows guest OS users to cause a denial of service (guest OS crash) via a crafted application, as demonstrated by an NASM file. Moderate CVE-2012-0045 SUSE bug 653148 SUSE bug 740969 SUSE Linux Enterprise Server 11 SP3 OpenSSL 0.9.8s and 1.0.0f does not properly support DTLS applications, which allows remote attackers to cause a denial of service (crash) via unspecified vectors related to an out-of-bounds read. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-4108. Moderate CVE-2012-0050 SUSE bug 739719 SUSE bug 742821 SUSE bug 758060 SUSE Linux Enterprise Server 11 SP3 protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construction of Bad Request (aka 400) error documents, which allows remote attackers to obtain the values of HTTPOnly cookies via vectors involving a (1) long or (2) malformed header in conjunction with crafted web script. Moderate CVE-2012-0053 SUSE bug 743743 SUSE Linux Enterprise Server 11 SP3 The mem_write function in the Linux kernel before 3.2.2, when ASLR is disabled, does not properly check permissions when writing to /proc/<pid>/mem, which allows local users to gain privileges by modifying process memory, as demonstrated by Mempodipper. Important CVE-2012-0056 SUSE bug 653148 SUSE bug 742028 SUSE bug 742279 SUSE Linux Enterprise Server 11 SP3 PHP before 5.3.9 has improper libxslt security settings, which allows remote attackers to create arbitrary files via a crafted XSLT stylesheet that uses the libxslt output extension. Moderate CVE-2012-0057 SUSE bug 733590 SUSE bug 736169 SUSE bug 738221 SUSE bug 741520 SUSE bug 741859 SUSE bug 742273 SUSE bug 742806 SUSE bug 743308 SUSE bug 744966 SUSE bug 746661 SUSE bug 749111 SUSE Linux Enterprise Server 11 SP3 The igmp_heard_query function in net/ipv4/igmp.c in the Linux kernel before 3.2.1 allows remote attackers to cause a denial of service (divide-by-zero error and panic) via IGMP packets. Moderate CVE-2012-0207 SUSE bug 740448 SUSE Linux Enterprise Server 11 SP3 The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and other products; Oracle Solaris 11 and earlier; illumos before r13724; Joyent SmartOS before 20120614T184600Z; FreeBSD before 9.0-RELEASE-p3; NetBSD 6.0 Beta and earlier; Microsoft Windows Server 2008 R2 and R2 SP1 and Windows 7 Gold and SP1; and possibly other operating systems, when running on an Intel processor, incorrectly uses the sysret path in cases where a certain address is not a canonical address, which allows local users to gain privileges via a crafted application. NOTE: because this issue is due to incorrect use of the Intel specification, it should have been split into separate identifiers; however, there was some value in preserving the original mapping of the multi-codebase coordinated-disclosure effort to a single identifier. Important CVE-2012-0217 SUSE bug 757537 SUSE bug 764077 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in the xioscan_readline function in xio-readline.c in socat 1.4.0.0 through 1.7.2.0 and 2.0.0-b1 through 2.0.0-b4 allows local users to execute arbitrary code via the READLINE address. Moderate CVE-2012-0219 SUSE bug 759859 SUSE Linux Enterprise Server 11 SP3 ImageMagick 6.7.5-7 and earlier allows remote attackers to cause a denial of service (memory corruption) and possibly execute arbitrary code via crafted offset and count values in the ResolutionUnit tag in the EXIF IFD0 of an image. Moderate CVE-2012-0247 SUSE bug 746880 SUSE bug 752879 SUSE Linux Enterprise Server 11 SP3 ImageMagick 6.7.5-7 and earlier allows remote attackers to cause a denial of service (infinite loop and hang) via a crafted image whose IFD contains IOP tags that all reference the beginning of the IDF. Moderate CVE-2012-0248 SUSE bug 746880 SUSE bug 752879 SUSE Linux Enterprise Server 11 SP3 The GetEXIFProperty function in magick/property.c in ImageMagick before 6.7.6-3 allows remote attackers to cause a denial of service (crash) via a zero value in the component count of an EXIF XResolution tag in a JPEG file, which triggers an out-of-bounds read. Moderate CVE-2012-0259 SUSE bug 754749 SUSE bug 758512 SUSE Linux Enterprise Server 11 SP3 The JPEGWarningHandler function in coders/jpeg.c in ImageMagick before 6.7.6-3 allows remote attackers to cause a denial of service (memory consumption) via a JPEG image with a crafted sequence of restart markers. Moderate CVE-2012-0260 SUSE bug 754749 SUSE Linux Enterprise Server 11 SP3 The DTLS implementation in GnuTLS 3.0.10 and earlier executes certain error-handling code only if there is a specific relationship between a padding length and the ciphertext size, which makes it easier for remote attackers to recover partial plaintext via a timing side-channel attack, a related issue to CVE-2011-4108. Moderate CVE-2012-0390 SUSE bug 739898 SUSE Linux Enterprise Server 11 SP3 The ASN.1 decoder in the QuickDER decoder in Mozilla Network Security Services (NSS) before 3.13.4, as used in Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5, Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5, and SeaMonkey before 2.10, allows remote attackers to cause a denial of service (application crash) via a zero-length item, as demonstrated by (1) a zero-length basic constraint or (2) a zero-length field in an OCSP response. Moderate CVE-2012-0441 SUSE bug 765204 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.6.26 and 4.x through 9.0, Thunderbird before 3.1.18 and 5.0 through 9.0, and SeaMonkey before 2.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Moderate CVE-2012-0442 SUSE bug 744275 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 4.x through 9.0, Thunderbird 5.0 through 9.0, and SeaMonkey before 2.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Critical CVE-2012-0443 SUSE bug 744275 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 3.6.26 and 4.x through 9.0, Thunderbird before 3.1.18 and 5.0 through 9.0, and SeaMonkey before 2.7 do not properly initialize nsChildView data structures, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted Ogg Vorbis file. Moderate CVE-2012-0444 SUSE bug 744275 SUSE bug 747912 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 3.6.26 and 4.x through 9.0, Thunderbird before 3.1.18 and 5.0 through 9.0, and SeaMonkey before 2.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a malformed XSLT stylesheet that is embedded in a document. Important CVE-2012-0449 SUSE bug 744275 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in Mozilla Firefox 10.x before 10.0.1, Thunderbird 10.x before 10.0.1, and SeaMonkey 2.7 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors that trigger failure of an nsXBLDocumentInfo::ReadPrototypeBindings function call, related to the cycle collector's access to a hash table containing a stale XBL binding. Important CVE-2012-0452 SUSE bug 746616 SUSE bug 746663 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 4.x through 11.0, Firefox ESR 10.x before 10.0.4, Thunderbird 5.0 through 11.0, Thunderbird ESR 10.x before 10.0.4, and SeaMonkey before 2.9 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Moderate CVE-2012-0467 SUSE bug 758408 SUSE Linux Enterprise Server 11 SP3 The browser engine in Mozilla Firefox 4.x through 11.0, Thunderbird 5.0 through 11.0, and SeaMonkey before 2.9 allows remote attackers to cause a denial of service (assertion failure and memory corruption) or possibly execute arbitrary code via vectors related to jsval.h and the js::array_shift function. Critical CVE-2012-0468 SUSE bug 758408 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the mozilla::dom::indexedDB::IDBKeyRange::cycleCollection::Trace function in Mozilla Firefox 4.x through 11.0, Firefox ESR 10.x before 10.0.4, Thunderbird 5.0 through 11.0, Thunderbird ESR 10.x before 10.0.4, and SeaMonkey before 2.9 allows remote attackers to execute arbitrary code via vectors related to crafted IndexedDB data. Moderate CVE-2012-0469 SUSE bug 758408 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in the nsSVGFEDiffuseLightingElement::LightPixel function in Mozilla Firefox 4.x through 11.0, Firefox ESR 10.x before 10.0.4, Thunderbird 5.0 through 11.0, Thunderbird ESR 10.x before 10.0.4, and SeaMonkey before 2.9 allows remote attackers to cause a denial of service (invalid gfxImageSurface free operation) or possibly execute arbitrary code by leveraging the use of "different number systems." Moderate CVE-2012-0470 SUSE bug 758408 SUSE Linux Enterprise Server 11 SP3 Cross-site scripting (XSS) vulnerability in Mozilla Firefox 4.x through 11.0, Firefox ESR 10.x before 10.0.4, Thunderbird 5.0 through 11.0, Thunderbird ESR 10.x before 10.0.4, and SeaMonkey before 2.9 allows remote attackers to inject arbitrary web script or HTML via a multibyte character set. Moderate CVE-2012-0471 SUSE bug 758408 SUSE Linux Enterprise Server 11 SP3 The cairo-dwrite implementation in Mozilla Firefox 4.x through 11.0, Firefox ESR 10.x before 10.0.4, Thunderbird 5.0 through 11.0, Thunderbird ESR 10.x before 10.0.4, and SeaMonkey before 2.9, when certain Windows Vista and Windows 7 configurations are used, does not properly restrict font-rendering attempts, which allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors. Moderate CVE-2012-0472 SUSE bug 758408 SUSE Linux Enterprise Server 11 SP3 The WebGLBuffer::FindMaxUshortElement function in Mozilla Firefox 4.x through 11.0, Firefox ESR 10.x before 10.0.4, Thunderbird 5.0 through 11.0, Thunderbird ESR 10.x before 10.0.4, and SeaMonkey before 2.9 calls the FindMaxElementInSubArray function with incorrect template arguments, which allows remote attackers to obtain sensitive information from video memory via a crafted WebGL.drawElements call. Moderate CVE-2012-0473 SUSE bug 758408 SUSE Linux Enterprise Server 11 SP3 Cross-site scripting (XSS) vulnerability in the docshell implementation in Mozilla Firefox 4.x through 11.0, Firefox ESR 10.x before 10.0.4, Thunderbird 5.0 through 11.0, Thunderbird ESR 10.x before 10.0.4, and SeaMonkey before 2.9 allows remote attackers to inject arbitrary web script or HTML via vectors related to short-circuited page loads, aka "Universal XSS (UXSS)." Moderate CVE-2012-0474 SUSE bug 758408 SUSE Linux Enterprise Server 11 SP3 Multiple cross-site scripting (XSS) vulnerabilities in Mozilla Firefox 4.x through 11.0, Firefox ESR 10.x before 10.0.4, Thunderbird 5.0 through 11.0, Thunderbird ESR 10.x before 10.0.4, and SeaMonkey before 2.9 allow remote attackers to inject arbitrary web script or HTML via the (1) ISO-2022-KR or (2) ISO-2022-CN character set. Moderate CVE-2012-0477 SUSE bug 758408 SUSE Linux Enterprise Server 11 SP3 The texImage2D implementation in the WebGL subsystem in Mozilla Firefox 4.x through 11.0, Firefox ESR 10.x before 10.0.4, Thunderbird 5.0 through 11.0, Thunderbird ESR 10.x before 10.0.4, and SeaMonkey before 2.9 does not properly restrict JSVAL_TO_OBJECT casts, which might allow remote attackers to execute arbitrary code via a crafted web page. Moderate CVE-2012-0478 SUSE bug 758408 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox 4.x through 11.0, Firefox ESR 10.x before 10.0.4, Thunderbird 5.0 through 11.0, Thunderbird ESR 10.x before 10.0.4, and SeaMonkey before 2.9 allow remote attackers to spoof the address bar via an https URL for invalid (1) RSS or (2) Atom XML content. Moderate CVE-2012-0479 SUSE bug 758408 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier, and 6 Update 34 and earlier, has no impact and remote attack vectors involving AWT and "a security-in-depth issue that is not directly exploitable but which can be used to aggravate security vulnerabilities that can be directly exploited." NOTE: this identifier was assigned by the Oracle CNA, but CVE is not intended to cover defense-in-depth issues that are only exposed by the presence of other vulnerabilities. NOTE: Oracle has not commented on claims from a downstream vendor that this issue is related to "toolkit internals references." Low CVE-2012-0547 SUSE bug 777499 SUSE bug 780897 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE 7 update 4 and earlier and 6 update 32 and earlier, and the GlassFish Enterprise Server component in Oracle Sun Products Suite GlassFish Enterprise Server 3.1.1, allows remote attackers to affect confidentiality and integrity via unknown vectors related to Web Container or Deployment. Moderate CVE-2012-0551 SUSE bug 778629 SUSE bug 780897 SUSE Linux Enterprise Server 11 SP3 tcsd in TrouSerS before 0.3.10 allows remote attackers to cause a denial of service (daemon crash) via a crafted type_offset value in a TCP packet to port 30003. Moderate CVE-2012-0698 SUSE bug 791029 SUSE Linux Enterprise Server 11 SP3 Adobe Shockwave Player before 11.6.4.634 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2012-0771. Critical CVE-2012-0759 SUSE bug 796895 SUSE Linux Enterprise Server 11 SP3 The tidy_diagnose function in PHP 5.3.8 might allow remote attackers to cause a denial of service (NULL pointer dereference and application crash) via crafted input to an application that attempts to perform Tidy::diagnose operations on invalid objects, a different vulnerability than CVE-2011-4153. Moderate CVE-2012-0781 SUSE bug 733590 SUSE bug 736169 SUSE bug 738221 SUSE bug 741520 SUSE bug 741859 SUSE bug 742273 SUSE bug 742806 SUSE bug 743308 SUSE bug 744966 SUSE bug 746661 SUSE bug 749111 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The transform_save function in transform.c in Augeas before 1.0.0 allows local users to overwrite arbitrary files and obtain sensitive information via a symlink attack on a .augnew file. Moderate CVE-2012-0786 SUSE bug 853044 SUSE bug 885003 SUSE Linux Enterprise Server 11 SP3 The PDORow implementation in PHP before 5.3.9 does not properly interact with the session feature, which allows remote attackers to cause a denial of service (application crash) via a crafted application that uses a PDO driver for a fetch and then calls the session_start function, as demonstrated by a crash of the Apache HTTP Server. Moderate CVE-2012-0788 SUSE bug 733590 SUSE bug 736169 SUSE bug 738221 SUSE bug 741520 SUSE bug 741859 SUSE bug 742273 SUSE bug 742806 SUSE bug 743308 SUSE bug 744966 SUSE bug 746661 SUSE bug 749111 SUSE Linux Enterprise Server 11 SP3 Memory leak in the timezone functionality in PHP before 5.3.9 allows remote attackers to cause a denial of service (memory consumption) by triggering many strtotime function calls, which are not properly handled by the php_date_parse_tzfile cache. Moderate CVE-2012-0789 SUSE bug 733590 SUSE bug 736169 SUSE bug 738221 SUSE bug 741520 SUSE bug 741859 SUSE bug 742273 SUSE bug 742806 SUSE bug 743308 SUSE bug 744966 SUSE bug 746661 SUSE bug 749111 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in the proxy_connect function in src/client.c in CVS 1.11 and 1.12 allows remote HTTP proxy servers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted HTTP response. Moderate CVE-2012-0804 SUSE bug 744059 SUSE Linux Enterprise Server 11 SP3 Stack-based buffer overflow in the suhosin_encrypt_single_cookie function in the transparent cookie-encryption feature in the Suhosin extension before 0.9.33 for PHP, when suhosin.cookie.encrypt and suhosin.multiheader are enabled, might allow remote attackers to execute arbitrary code via a long string that is used in a Set-Cookie HTTP header. Moderate CVE-2012-0807 SUSE bug 733590 SUSE bug 736169 SUSE bug 738221 SUSE bug 741520 SUSE bug 741859 SUSE bug 742273 SUSE bug 742806 SUSE bug 743308 SUSE bug 744966 SUSE bug 746661 SUSE bug 749111 SUSE Linux Enterprise Server 11 SP3 The auth_parse_options function in auth-options.c in sshd in OpenSSH before 5.7 provides debug messages containing authorized_keys command options, which allows remote authenticated users to obtain potentially sensitive information by reading these messages, as demonstrated by the shared user account required by Gitolite. NOTE: this can cross privilege boundaries because a user account may intentionally have no shell or filesystem access, and therefore may have no supported way to read an authorized_keys file in its own home directory. Important CVE-2012-0814 SUSE bug 744643 SUSE bug 755505 SUSE bug 770728 SUSE bug 826672 SUSE bug 996040 SUSE Linux Enterprise Server 11 SP3 Memory leak in smbd in Samba 3.6.x before 3.6.3 allows remote attackers to cause a denial of service (memory and CPU consumption) by making many connection requests. Moderate CVE-2012-0817 SUSE bug 743986 SUSE Linux Enterprise Server 11 SP3 The php_register_variable_ex function in php_variables.c in PHP 5.3.9 allows remote attackers to execute arbitrary code via a request containing a large number of variables, related to improper handling of array variables. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-4885. Important CVE-2012-0830 SUSE bug 733590 SUSE bug 736169 SUSE bug 738221 SUSE bug 741520 SUSE bug 741859 SUSE bug 742273 SUSE bug 742806 SUSE bug 743308 SUSE bug 744966 SUSE bug 746661 SUSE bug 749111 SUSE Linux Enterprise Server 11 SP3 PHP before 5.3.10 does not properly perform a temporary change to the magic_quotes_gpc directive during the importing of environment variables, which makes it easier for remote attackers to conduct SQL injection attacks via a crafted request, related to main/php_variables.c, sapi/cgi/cgi_main.c, and sapi/fpm/fpm/fpm_main.c. Low CVE-2012-0831 SUSE bug 733590 SUSE bug 736169 SUSE bug 738221 SUSE bug 741520 SUSE bug 741859 SUSE bug 742273 SUSE bug 742806 SUSE bug 743308 SUSE bug 744966 SUSE bug 746661 SUSE bug 749111 SUSE Linux Enterprise Server 11 SP3 libxml2 before 2.8.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data. Moderate CVE-2012-0841 SUSE bug 1123919 SUSE bug 748561 SUSE Linux Enterprise Server 11 SP3 SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header. Moderate CVE-2012-0845 SUSE bug 747125 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA builtins.c in Xinetd before 2.3.15 does not check the service type when the tcpmux-server service is enabled, which exposes all enabled services and allows remote attackers to bypass intended access restrictions via a request to tcpmux port 1. Low CVE-2012-0862 SUSE bug 762294 SUSE bug 844230 SUSE bug 855685 SUSE Linux Enterprise Server 11 SP3 CREATE TRIGGER in PostgreSQL 8.3.x before 8.3.18, 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 does not properly check the execute permission for trigger functions marked SECURITY DEFINER, which allows remote authenticated users to execute otherwise restricted triggers on arbitrary data by installing the trigger on an attacker-owned table. Moderate CVE-2012-0866 SUSE bug 701489 SUSE bug 749299 SUSE bug 749301 SUSE bug 749303 SUSE Linux Enterprise Server 11 SP3 CRLF injection vulnerability in pg_dump in PostgreSQL 8.3.x before 8.3.18, 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 allows user-assisted remote attackers to execute arbitrary SQL commands via a crafted file containing object names with newlines, which are inserted into an SQL script that is used when the database is restored. Low CVE-2012-0868 SUSE bug 701489 SUSE bug 749299 SUSE bug 749301 SUSE bug 749303 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in process.c in smbd in Samba 3.0, as used in the file-sharing service on the BlackBerry PlayBook tablet before 2.0.0.7971 and other products, allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a Batched (aka AndX) request that triggers infinite recursion. Important CVE-2012-0870 SUSE bug 747934 SUSE bug 752797 SUSE Linux Enterprise Server 11 SP3 SystemTap 1.7, 1.6.7, and probably other versions, when unprivileged mode is enabled, allows local users to obtain sensitive information from kernel memory or cause a denial of service (kernel panic and crash) via vectors related to crafted DWARF data, which triggers a read of an invalid pointer. Moderate CVE-2012-0875 SUSE bug 748564 SUSE Linux Enterprise Server 11 SP3 The XML parser (xmlparse.c) in expat before 2.1.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML file with many identifiers with the same value. Moderate CVE-2012-0876 SUSE bug 750914 SUSE bug 751464 SUSE bug 751465 SUSE bug 983215 SUSE bug 983216 SUSE Linux Enterprise Server 11 SP3 envvars (aka envvars-std) in the Apache HTTP Server before 2.4.2 places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse DSO in the current working directory during execution of apachectl. Low CVE-2012-0883 SUSE bug 757710 SUSE Linux Enterprise Server 11 SP3 The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict certain oracle behavior, which makes it easier for context-dependent attackers to decrypt data via a Million Message Attack (MMA) adaptive chosen ciphertext attack. Moderate CVE-2012-0884 SUSE bug 749210 SUSE bug 749735 SUSE bug 751977 SUSE bug 754640 SUSE bug 761819 SUSE Linux Enterprise Server 11 SP3-TERADATA The kdc_handle_protected_negotiation function in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.8.x, 1.9.x before 1.9.5, and 1.10.x before 1.10.3 attempts to calculate a checksum before verifying that the key type is appropriate for a checksum, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized pointer free, heap memory corruption, and daemon crash) via a crafted AS-REQ request. Important CVE-2012-1015 SUSE bug 770172 SUSE Linux Enterprise Server 11 SP3 The cifs_lookup function in fs/cifs/dir.c in the Linux kernel before 3.2.10 allows local users to cause a denial of service (OOPS) via attempted access to a special file, as demonstrated by a FIFO. Moderate CVE-2012-1090 SUSE bug 749569 SUSE Linux Enterprise Server 11 SP3 The regset (aka register set) feature in the Linux kernel before 3.2.10 does not properly handle the absence of .get and .set methods, which allows local users to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via a (1) PTRACE_GETREGSET or (2) PTRACE_SETREGSET ptrace call. Moderate CVE-2012-1097 SUSE bug 750079 SUSE Linux Enterprise Server 11 SP3 The parse function in ogg/xiphcomment.cpp in TagLib 1.7 and earlier allows remote attackers to cause a denial of service (crash) via a crafted vendorLength field in an ogg file. Moderate CVE-2012-1108 SUSE bug 750689 SUSE bug 750690 SUSE bug 750691 SUSE bug 750693 SUSE Linux Enterprise Server 11 SP3 FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via crafted property data in a BDF font. Moderate CVE-2012-1126 SUSE bug 750937 SUSE Linux Enterprise Server 11 SP3 FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via crafted glyph or bitmap data in a BDF font. Moderate CVE-2012-1127 SUSE bug 750947 SUSE Linux Enterprise Server 11 SP3 FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (NULL pointer dereference and memory corruption) or possibly execute arbitrary code via a crafted TrueType font. Moderate CVE-2012-1128 SUSE bug 750942 SUSE Linux Enterprise Server 11 SP3 FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via a crafted SFNT string in a Type 42 font. Low CVE-2012-1129 SUSE bug 750952 SUSE Linux Enterprise Server 11 SP3 FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via crafted property data in a PCF font. Moderate CVE-2012-1130 SUSE bug 750951 SUSE Linux Enterprise Server 11 SP3 FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, on 64-bit platforms allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via vectors related to the cell table of a font. Moderate CVE-2012-1131 SUSE bug 750953 SUSE Linux Enterprise Server 11 SP3 FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via crafted dictionary data in a Type 1 font. Low CVE-2012-1132 SUSE bug 750950 SUSE Linux Enterprise Server 11 SP3 FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via crafted glyph or bitmap data in a BDF font. Moderate CVE-2012-1133 SUSE bug 750940 SUSE Linux Enterprise Server 11 SP3 FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via crafted private-dictionary data in a Type 1 font. Moderate CVE-2012-1134 SUSE bug 750945 SUSE Linux Enterprise Server 11 SP3 FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via vectors involving the NPUSHB and NPUSHW instructions in a TrueType font. Low CVE-2012-1135 SUSE bug 750946 SUSE Linux Enterprise Server 11 SP3 FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via crafted glyph or bitmap data in a BDF font that lacks an ENCODING field. Moderate CVE-2012-1136 SUSE bug 750939 SUSE Linux Enterprise Server 11 SP3 FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via a crafted header in a BDF font. Moderate CVE-2012-1137 SUSE bug 750943 SUSE Linux Enterprise Server 11 SP3 FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via vectors involving the MIRP instruction in a TrueType font. Moderate CVE-2012-1138 SUSE bug 750941 SUSE Linux Enterprise Server 11 SP3 Array index error in FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid stack read operation and memory corruption) or possibly execute arbitrary code via crafted glyph data in a BDF font. Low CVE-2012-1139 SUSE bug 750938 SUSE Linux Enterprise Server 11 SP3 FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via a crafted PostScript font object. Moderate CVE-2012-1140 SUSE bug 750954 SUSE Linux Enterprise Server 11 SP3 FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via a crafted ASCII string in a BDF font. Low CVE-2012-1141 SUSE bug 750955 SUSE Linux Enterprise Server 11 SP3 FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via crafted glyph-outline data in a font. Moderate CVE-2012-1142 SUSE bug 750948 SUSE Linux Enterprise Server 11 SP3 FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (divide-by-zero error) via a crafted font. Moderate CVE-2012-1143 SUSE bug 750949 SUSE Linux Enterprise Server 11 SP3 FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via a crafted TrueType font. Moderate CVE-2012-1144 SUSE bug 750944 SUSE Linux Enterprise Server 11 SP3 The mem_cgroup_usage_unregister_event function in mm/memcontrol.c in the Linux kernel before 3.2.10 does not properly handle multiple events that are attached to the same eventfd, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by registering memory threshold events. Moderate CVE-2012-1146 SUSE bug 750959 SUSE Linux Enterprise Server 11 SP3 readfilemap.c in expat before 2.1.0 allows context-dependent attackers to cause a denial of service (file descriptor consumption) via a large number of crafted XML files. Moderate CVE-2012-1147 SUSE bug 750914 SUSE bug 751464 SUSE bug 751465 SUSE Linux Enterprise Server 11 SP3 Memory leak in the poolGrow function in expat/lib/xmlparse.c in expat before 2.1.0 allows context-dependent attackers to cause a denial of service (memory consumption) via a large number of crafted XML files that cause improperly-handled reallocation failures when expanding entities. Important CVE-2012-1148 SUSE bug 750914 SUSE bug 751464 SUSE bug 751465 SUSE Linux Enterprise Server 11 SP3 Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. Moderate CVE-2012-1150 SUSE bug 751718 SUSE bug 755383 SUSE bug 826682 SUSE Linux Enterprise Server 11 SP3 slapd in OpenLDAP before 2.4.30 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via an LDAP search query with attrsOnly set to true, which causes empty attributes to be returned. Moderate CVE-2012-1164 SUSE bug 751945 SUSE Linux Enterprise Server 11 SP3 The mime_param_cmp function in crypto/asn1/asn_mime.c in OpenSSL before 0.9.8u and 1.x before 1.0.0h allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted S/MIME message, a different vulnerability than CVE-2006-7250. Moderate CVE-2012-1165 SUSE bug 749210 SUSE bug 749213 SUSE bug 751946 SUSE bug 754640 SUSE Linux Enterprise Server 11 SP3 The file-upload implementation in rfc1867.c in PHP before 5.4.0 does not properly handle invalid [ (open square bracket) characters in name values, which makes it easier for remote attackers to cause a denial of service (malformed $_FILES indexes) or conduct directory traversal attacks during multi-file uploads by leveraging a script that lacks its own filename restrictions. Moderate CVE-2012-1172 SUSE bug 752030 SUSE Linux Enterprise Server 11 SP3 Multiple integer overflows in tiff_getimage.c in LibTIFF 3.9.4 allow remote attackers to execute arbitrary code via a crafted tile size in a TIFF file, which is not properly handled by the (1) gtTileSeparate or (2) gtStripSeparate function, leading to a heap-based buffer overflow. Moderate CVE-2012-1173 SUSE bug 753362 SUSE bug 767852 SUSE bug 854393 SUSE Linux Enterprise Server 11 SP3 The Linux kernel before 3.3.1, when KVM is used, allows guest OS users to cause a denial of service (host OS crash) by leveraging administrative access to the guest OS, related to the pmd_none_or_clear_bad function and page faults for huge pages. Moderate CVE-2012-1179 SUSE bug 653148 SUSE bug 752599 SUSE Linux Enterprise Server 11 SP3 The RPC code generator in Samba 3.x before 3.4.16, 3.5.x before 3.5.14, and 3.6.x before 3.6.4 does not implement validation of an array length in a manner consistent with validation of array memory allocation, which allows remote attackers to execute arbitrary code via a crafted RPC call. Important CVE-2012-1182 SUSE bug 747934 SUSE bug 752797 SUSE bug 754443 SUSE Linux Enterprise Server 11 SP3 Multiple integer overflows in (1) magick/profile.c or (2) magick/property.c in ImageMagick 6.7.5 and earlier allow remote attackers to cause a denial of service (memory corruption) and possibly execute arbitrary code via crafted offset value in the ResolutionUnit tag in the EXIF IFD0 of an image. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0247. Moderate CVE-2012-1185 SUSE bug 752879 SUSE Linux Enterprise Server 11 SP3 Integer overflow in the SyncImageProfiles function in profile.c in ImageMagick 6.7.5-8 and earlier allows remote attackers to cause a denial of service (infinite loop) via crafted IOP tag offsets in the IFD in an image. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0248. Moderate CVE-2012-1186 SUSE bug 752879 SUSE Linux Enterprise Server 11 SP3 The TAR file parser in Avira AntiVir 7.11.1.163, Antiy Labs AVL SDK 2.0.3.7, avast! Antivirus 4.8.1351.0 and 5.0.677.0, AVG Anti-Virus 10.0.0.1190, Bitdefender 7.2, Quick Heal (aka Cat QuickHeal) 11.00, ClamAV 0.96.4, Command Antivirus 5.2.11.5, Emsisoft Anti-Malware 5.1.0.1, eSafe 7.0.17.0, F-Prot Antivirus 4.6.2.117, G Data AntiVirus 21, Ikarus Virus Utilities T3 Command Line Scanner 1.1.97.0, Jiangmin Antivirus 13.0.900, K7 AntiVirus 9.77.3565, Kaspersky Anti-Virus 7.0.0.125, McAfee Anti-Virus Scanning Engine 5.400.0.1158, McAfee Gateway (formerly Webwasher) 2010.1C, Antimalware Engine 1.1.6402.0 in Microsoft Security Essentials 2.0, NOD32 Antivirus 5795, Norman Antivirus 6.06.12, PC Tools AntiVirus 7.0.3.5, Rising Antivirus 22.83.00.03, AVEngine 20101.3.0.103 in Symantec Endpoint Protection 11, Trend Micro AntiVirus 9.120.0.1004, Trend Micro HouseCall 9.120.0.1004, VBA32 3.12.14.2, and VirusBuster 13.6.151.0 allows remote attackers to bypass malware detection via a TAR archive entry with a length field that exceeds the total TAR file size. NOTE: this may later be SPLIT into multiple CVEs if additional information is published showing that the error occurred independently in different TAR parser implementations. Moderate CVE-2012-1457 SUSE bug 753611 SUSE bug 767574 SUSE Linux Enterprise Server 11 SP3 The Microsoft CHM file parser in ClamAV 0.96.4 and Sophos Anti-Virus 4.61.0 allows remote attackers to bypass malware detection via a crafted reset interval in the LZXC header of a CHM file. NOTE: this may later be SPLIT into multiple CVEs if additional information is published showing that the error occurred independently in different CHM parser implementations. Moderate CVE-2012-1458 SUSE bug 753613 SUSE bug 767574 SUSE Linux Enterprise Server 11 SP3 The TAR file parser in AhnLab V3 Internet Security 2011.01.18.00, Avira AntiVir 7.11.1.163, Antiy Labs AVL SDK 2.0.3.7, avast! Antivirus 4.8.1351.0 and 5.0.677.0, AVG Anti-Virus 10.0.0.1190, Bitdefender 7.2, Quick Heal (aka Cat QuickHeal) 11.00, ClamAV 0.96.4, Command Antivirus 5.2.11.5, Comodo Antivirus 7424, Emsisoft Anti-Malware 5.1.0.1, F-Prot Antivirus 4.6.2.117, F-Secure Anti-Virus 9.0.16160.0, Fortinet Antivirus 4.2.254.0, G Data AntiVirus 21, Ikarus Virus Utilities T3 Command Line Scanner 1.1.97.0, Jiangmin Antivirus 13.0.900, K7 AntiVirus 9.77.3565, Kaspersky Anti-Virus 7.0.0.125, McAfee Anti-Virus Scanning Engine 5.400.0.1158, McAfee Gateway (formerly Webwasher) 2010.1C, Antimalware Engine 1.1.6402.0 in Microsoft Security Essentials 2.0, NOD32 Antivirus 5795, Norman Antivirus 6.06.12, nProtect Anti-Virus 2011-01-17.01, Panda Antivirus 10.0.2.7, PC Tools AntiVirus 7.0.3.5, Rising Antivirus 22.83.00.03, Sophos Anti-Virus 4.61.0, AVEngine 20101.3.0.103 in Symantec Endpoint Protection 11, Trend Micro AntiVirus 9.120.0.1004, Trend Micro HouseCall 9.120.0.1004, VBA32 3.12.14.2, and VirusBuster 13.6.151.0 allows remote attackers to bypass malware detection via a TAR archive entry with a length field corresponding to that entire entry, plus part of the header of the next entry. NOTE: this may later be SPLIT into multiple CVEs if additional information is published showing that the error occurred independently in different TAR parser implementations. Moderate CVE-2012-1459 SUSE bug 753610 SUSE bug 767574 SUSE Linux Enterprise Server 11 SP3 Double free vulnerability in the PyPAM_conv in PAMmodule.c in PyPam 0.5.0 and earlier allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a NULL byte in a password string. Moderate CVE-2012-1502 SUSE bug 751005 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, 5.0 Update 36 and earlier, and 1.4.2_38 and earlier; and JavaFX 2.2 and earlier; allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. Important CVE-2012-1531 SUSE bug 785433 SUSE bug 785814 SUSE bug 788750 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier and 6 Update 35 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. Important CVE-2012-1532 SUSE bug 785433 SUSE bug 785814 SUSE bug 788750 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, and 6 Update 35 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2012-3159. Moderate CVE-2012-1533 SUSE bug 785433 SUSE bug 785814 SUSE bug 788750 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 and 6 through Update 38 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than other CVEs listed in the February 2013 CPU. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from a third party that the issue is due to an interaction error in between the JRE plug-in for WebKit-based browsers and the Javascript engine, which allows remote attackers to execute arbitrary code by modifying DOM nodes that contain applet elements in a way that triggers an incorrect reference count and a use after free. Moderate CVE-2012-1541 SUSE bug 798535 SUSE bug 806786 SUSE bug 818972 SUSE Linux Enterprise Server 11 SP3 The asn1_get_length_der function in decoding.c in GNU Libtasn1 before 2.12, as used in GnuTLS before 3.0.16 and other products, does not properly handle certain large length values, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly have unspecified other impact via a crafted ASN.1 structure. Moderate CVE-2012-1569 SUSE bug 752193 SUSE bug 753301 SUSE bug 924966 SUSE Linux Enterprise Server 11 SP3 gnutls_cipher.c in libgnutls in GnuTLS before 2.12.17 and 3.x before 3.0.15 does not properly handle data encrypted with a block cipher, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) via a crafted record, as demonstrated by a crafted GenericBlockCipher structure. Moderate CVE-2012-1573 SUSE bug 752193 SUSE bug 754223 SUSE Linux Enterprise Server 11 SP3 Integer overflow in the mid function in toolkit/tbytevector.cpp in TagLib 1.7 and earlier allows context-dependent attackers to cause a denial of service (application crash) via a crafted file header field in a media file, which triggers a large memory allocation. Moderate CVE-2012-1584 SUSE bug 750689 SUSE bug 750690 SUSE bug 750691 SUSE bug 750693 SUSE Linux Enterprise Server 11 SP3 mount.cifs in cifs-utils 2.6 allows local users to determine the existence of arbitrary files or directories via the file path in the second argument, which reveals their existence in an error message. Moderate CVE-2012-1586 SUSE bug 754443 SUSE Linux Enterprise Server 11 SP3 epan/dissectors/packet-ansi_a.c in the ANSI A dissector in Wireshark 1.4.x before 1.4.12 and 1.6.x before 1.6.6 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a malformed packet. Moderate CVE-2012-1593 SUSE bug 754477 SUSE Linux Enterprise Server 11 SP3 The pcap_process_pseudo_header function in wiretap/pcap-common.c in Wireshark 1.4.x before 1.4.12 and 1.6.x before 1.6.6 allows remote attackers to cause a denial of service (application crash) via a WTAP_ENCAP_ERF file containing an Extension or Multi-Channel header with an invalid pseudoheader size, related to the pcap and pcap-ng file parsers. Moderate CVE-2012-1595 SUSE bug 754476 SUSE Linux Enterprise Server 11 SP3 The mp2t_process_fragmented_payload function in epan/dissectors/packet-mp2t.c in the MP2T dissector in Wireshark 1.4.x before 1.4.12 and 1.6.x before 1.6.6 allows remote attackers to cause a denial of service (application crash) via a packet containing an invalid pointer value that triggers an incorrect memory-allocation attempt. Moderate CVE-2012-1596 SUSE bug 754474 SUSE Linux Enterprise Server 11 SP3 The KVM implementation in the Linux kernel before 3.3.6 allows host OS users to cause a denial of service (NULL pointer dereference and host OS crash) by making a KVM_CREATE_IRQCHIP ioctl call after a virtual CPU already exists. Moderate CVE-2012-1601 SUSE bug 653148 SUSE bug 754898 SUSE Linux Enterprise Server 11 SP3 Integer overflow in the GetEXIFProperty function in magick/property.c in ImageMagick before 6.7.6-4 allows remote attackers to cause a denial of service (out-of-bounds read) via a large component count for certain EXIF tags in a JPEG image. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0259. Moderate CVE-2012-1610 SUSE bug 754749 SUSE bug 758512 SUSE Linux Enterprise Server 11 SP3 ISC BIND 9.x before 9.7.6-P1, 9.8.x before 9.8.3-P1, 9.9.x before 9.9.1-P1, and 9.4-ESV and 9.6-ESV before 9.6-ESV-R7-P1 does not properly handle resource records with a zero-length RDATA section, which allows remote DNS servers to cause a denial of service (daemon crash or data corruption) or obtain sensitive information from process memory via a crafted record. Moderate CVE-2012-1667 SUSE bug 765315 SUSE bug 792926 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Beans, a different vulnerability than CVE-2012-3136. NOTE: Oracle has not commented on claims from a downstream vendor that this issue is related to "XMLDecoder security issue via ClassFinder." Important CVE-2012-1682 SUSE bug 777499 SUSE bug 780897 SUSE bug 785433 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, 1.4.2_37 and earlier, and JavaFX 2.1 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. Important CVE-2012-1713 SUSE bug 766802 SUSE bug 778629 SUSE bug 780897 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, and 5 update 35 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Swing. Important CVE-2012-1716 SUSE bug 766802 SUSE bug 778629 SUSE bug 780897 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier allows local users to affect confidentiality via unknown vectors related to printing on Solaris or Linux. Moderate CVE-2012-1717 SUSE bug 766802 SUSE bug 778629 SUSE bug 780897 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier allows remote attackers to affect availability via unknown vectors related to Security. Moderate CVE-2012-1718 SUSE bug 778629 SUSE bug 780897 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier allows remote attackers to affect integrity, related to CORBA. Moderate CVE-2012-1719 SUSE bug 766802 SUSE bug 778629 SUSE bug 780897 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, and 6 update 32 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2012-1722. Important CVE-2012-1721 SUSE bug 778629 SUSE bug 780897 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, and 6 update 32 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2012-1721. Important CVE-2012-1722 SUSE bug 778629 SUSE bug 780897 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, and 5 update 35 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot. Important CVE-2012-1725 SUSE bug 766802 SUSE bug 778629 SUSE bug 780897 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier allows remote attackers to affect confidentiality and integrity via unknown vectors related to Libraries. Moderate CVE-2012-1726 SUSE bug 780897 SUSE Linux Enterprise Server 11 SP3 The TIFFGetEXIFProperties function in coders/tiff.c in ImageMagick before 6.7.6-3 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted EXIF IFD in a TIFF image. Moderate CVE-2012-1798 SUSE bug 754749 SUSE Linux Enterprise Server 11 SP3 sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case. Important CVE-2012-1823 SUSE bug 760536 SUSE bug 761631 SUSE bug 850694 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5, Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5, and SeaMonkey before 2.10 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Critical CVE-2012-1937 SUSE bug 765204 SUSE Linux Enterprise Server 11 SP3 jsinfer.cpp in Mozilla Firefox ESR 10.x before 10.0.5 and Thunderbird ESR 10.x before 10.0.5 does not properly determine data types, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via crafted JavaScript code. Critical CVE-2012-1939 SUSE bug 765204 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the nsFrameList::FirstChild function in Mozilla Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5, Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5, and SeaMonkey before 2.10 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption and application crash) by changing the size of a container of absolutely positioned elements in a column. Important CVE-2012-1940 SUSE bug 765204 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in the nsHTMLReflowState::CalculateHypotheticalBox function in Mozilla Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5, Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5, and SeaMonkey before 2.10 allows remote attackers to execute arbitrary code by resizing a window displaying absolutely positioned and relatively positioned elements in nested columns. Critical CVE-2012-1941 SUSE bug 765204 SUSE Linux Enterprise Server 11 SP3 The Content Security Policy (CSP) implementation in Mozilla Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5, Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5, and SeaMonkey before 2.10 does not block inline event handlers, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted HTML document. Moderate CVE-2012-1944 SUSE bug 765204 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5, Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5, and SeaMonkey before 2.10 allow local users to obtain sensitive information via an HTML document that loads a shortcut (aka .lnk) file for display within an IFRAME element, as demonstrated by a network share implemented by (1) Microsoft Windows or (2) Samba. Moderate CVE-2012-1945 SUSE bug 765204 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the nsINode::ReplaceOrInsertBefore function in Mozilla Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5, Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5, and SeaMonkey before 2.10 might allow remote attackers to execute arbitrary code via document changes involving replacement or insertion of a node. Important CVE-2012-1946 SUSE bug 765204 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in the utf16_to_isolatin1 function in Mozilla Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5, Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5, and SeaMonkey before 2.10 allows remote attackers to execute arbitrary code via vectors that trigger a character-set conversion failure. Critical CVE-2012-1947 SUSE bug 765204 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 4.x through 13.0, Firefox ESR 10.x before 10.0.6, Thunderbird 5.0 through 13.0, Thunderbird ESR 10.x before 10.0.6, and SeaMonkey before 2.11 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Important CVE-2012-1948 SUSE bug 771583 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 4.x through 13.0, Thunderbird 5.0 through 13.0, and SeaMonkey before 2.11 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Critical CVE-2012-1949 SUSE bug 771583 SUSE Linux Enterprise Server 11 SP3 The drag-and-drop implementation in Mozilla Firefox 4.x through 13.0 and Firefox ESR 10.x before 10.0.6 allows remote attackers to spoof the address bar by canceling a page load. Important CVE-2012-1950 SUSE bug 771583 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the nsSMILTimeValueSpec::IsEventBased function in Mozilla Firefox 4.x through 13.0, Firefox ESR 10.x before 10.0.6, Thunderbird 5.0 through 13.0, Thunderbird ESR 10.x before 10.0.6, and SeaMonkey before 2.11 allows remote attackers to cause a denial of service (heap memory corruption) or possibly execute arbitrary code by interacting with objects used for SMIL Timing. Important CVE-2012-1951 SUSE bug 771583 SUSE Linux Enterprise Server 11 SP3 The nsTableFrame::InsertFrames function in Mozilla Firefox 4.x through 13.0, Firefox ESR 10.x before 10.0.6, Thunderbird 5.0 through 13.0, Thunderbird ESR 10.x before 10.0.6, and SeaMonkey before 2.11 does not properly perform a cast of a frame variable during processing of mixed row-group and column-group frames, which might allow remote attackers to execute arbitrary code via a crafted web site. Critical CVE-2012-1952 SUSE bug 771583 SUSE Linux Enterprise Server 11 SP3 The ElementAnimations::EnsureStyleRuleFor function in Mozilla Firefox 4.x through 13.0, Firefox ESR 10.x before 10.0.6, Thunderbird 5.0 through 13.0, Thunderbird ESR 10.x before 10.0.6, and SeaMonkey before 2.11 allows remote attackers to cause a denial of service (buffer over-read, incorrect pointer dereference, and heap-based buffer overflow) or possibly execute arbitrary code via a crafted web site. Critical CVE-2012-1953 SUSE bug 771583 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the nsDocument::AdoptNode function in Mozilla Firefox 4.x through 13.0, Firefox ESR 10.x before 10.0.6, Thunderbird 5.0 through 13.0, Thunderbird ESR 10.x before 10.0.6, and SeaMonkey before 2.11 allows remote attackers to cause a denial of service (heap memory corruption) or possibly execute arbitrary code via vectors involving multiple adoptions and empty documents. Critical CVE-2012-1954 SUSE bug 771583 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox 4.x through 13.0, Firefox ESR 10.x before 10.0.6, Thunderbird 5.0 through 13.0, Thunderbird ESR 10.x before 10.0.6, and SeaMonkey before 2.11 allow remote attackers to spoof the address bar via vectors involving history.forward and history.back calls. Important CVE-2012-1955 SUSE bug 771583 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 15.0, Thunderbird before 15.0, and SeaMonkey before 2.12 do not prevent use of the Object.defineProperty method to shadow the location object (aka window.location), which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via vectors involving a plugin. Moderate CVE-2012-1956 SUSE bug 777588 SUSE Linux Enterprise Server 11 SP3 An unspecified parser-utility class in Mozilla Firefox 4.x through 13.0, Firefox ESR 10.x before 10.0.6, Thunderbird 5.0 through 13.0, Thunderbird ESR 10.x before 10.0.6, and SeaMonkey before 2.11 does not properly handle EMBED elements within description elements in RSS feeds, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a feed. Important CVE-2012-1957 SUSE bug 771583 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the nsGlobalWindow::PageHidden function in Mozilla Firefox 4.x through 13.0, Firefox ESR 10.x before 10.0.6, Thunderbird 5.0 through 13.0, Thunderbird ESR 10.x before 10.0.6, and SeaMonkey before 2.11 might allow remote attackers to execute arbitrary code via vectors related to focused content. Important CVE-2012-1958 SUSE bug 771583 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox 4.x through 13.0, Firefox ESR 10.x before 10.0.6, Thunderbird 5.0 through 13.0, Thunderbird ESR 10.x before 10.0.6, and SeaMonkey before 2.11 do not consider the presence of same-compartment security wrappers (SCSW) during the cross-compartment wrapping of objects, which allows remote attackers to bypass intended XBL access restrictions via crafted content. Important CVE-2012-1959 SUSE bug 771583 SUSE Linux Enterprise Server 11 SP3 The qcms_transform_data_rgb_out_lut_sse2 function in the QCMS implementation in Mozilla Firefox 4.x through 13.0, Thunderbird 5.0 through 13.0, and SeaMonkey before 2.11 might allow remote attackers to obtain sensitive information from process memory via a crafted color profile that triggers an out-of-bounds read operation. Low CVE-2012-1960 SUSE bug 771583 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox 4.x through 13.0, Firefox ESR 10.x before 10.0.6, Thunderbird 5.0 through 13.0, Thunderbird ESR 10.x before 10.0.6, and SeaMonkey before 2.11 do not properly handle duplicate values in X-Frame-Options headers, which makes it easier for remote attackers to conduct clickjacking attacks via a FRAME element referencing a web site that produces these duplicate values. Important CVE-2012-1961 SUSE bug 771583 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the JSDependentString::undepend function in Mozilla Firefox 4.x through 13.0, Firefox ESR 10.x before 10.0.6, Thunderbird 5.0 through 13.0, Thunderbird ESR 10.x before 10.0.6, and SeaMonkey before 2.11 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via vectors involving strings with multiple dependencies. Important CVE-2012-1962 SUSE bug 771583 SUSE Linux Enterprise Server 11 SP3 The Content Security Policy (CSP) functionality in Mozilla Firefox 4.x through 13.0, Firefox ESR 10.x before 10.0.6, Thunderbird 5.0 through 13.0, Thunderbird ESR 10.x before 10.0.6, and SeaMonkey before 2.11 does not properly restrict the strings placed into the blocked-uri parameter of a violation report, which allows remote web servers to capture OpenID credentials and OAuth 2.0 access tokens by triggering a violation. Important CVE-2012-1963 SUSE bug 771583 SUSE Linux Enterprise Server 11 SP3 The certificate-warning functionality in browser/components/certerror/content/aboutCertError.xhtml in Mozilla Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.6, Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.6, and SeaMonkey before 2.10 does not properly handle attempted clickjacking of the about:certerror page, which allows man-in-the-middle attackers to trick users into adding an unintended exception via an IFRAME element. Important CVE-2012-1964 SUSE bug 771583 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox 4.x through 13.0 and Firefox ESR 10.x before 10.0.6 do not properly establish the security context of a feed: URL, which allows remote attackers to bypass unspecified cross-site scripting (XSS) protection mechanisms via a feed:javascript: URL. Important CVE-2012-1965 SUSE bug 771583 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox 4.x through 13.0 and Firefox ESR 10.x before 10.0.6 do not have the same context-menu restrictions for data: URLs as for javascript: URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL. Important CVE-2012-1966 SUSE bug 771583 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox 4.x through 13.0, Firefox ESR 10.x before 10.0.6, Thunderbird 5.0 through 13.0, Thunderbird ESR 10.x before 10.0.6, and SeaMonkey before 2.11 do not properly implement the JavaScript sandbox utility, which allows remote attackers to execute arbitrary JavaScript code with improper privileges via a javascript: URL. Important CVE-2012-1967 SUSE bug 771583 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Important CVE-2012-1970 SUSE bug 777588 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the nsHTMLEditor::CollapseAdjacentTextNodes function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. Important CVE-2012-1972 SUSE bug 777588 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the nsObjectLoadingContent::LoadObject function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. Critical CVE-2012-1973 SUSE bug 777588 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the gfxTextRun::CanBreakLineBefore function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. Critical CVE-2012-1974 SUSE bug 777588 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the PresShell::CompleteMove function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. Critical CVE-2012-1975 SUSE bug 777588 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the nsHTMLSelectElement::SubmitNamesValues function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. Critical CVE-2012-1976 SUSE bug 777588 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with agent SSL keys to (1) cause a denial of service (memory consumption) via a REST request to a stream that triggers a thread block, as demonstrated using CVE-2012-1986 and /dev/random; or (2) cause a denial of service (filesystem consumption) via crafted REST requests that use "a marshaled form of a Puppet::FileBucket::File object" to write to arbitrary file locations. Moderate CVE-2012-1987 SUSE bug 755870 SUSE Linux Enterprise Server 11 SP3 Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with agent SSL keys and file-creation permissions on the puppet master to execute arbitrary commands by creating a file whose full pathname contains shell metacharacters, then performing a filebucket request. Moderate CVE-2012-1988 SUSE bug 755869 SUSE bug 757047 SUSE Linux Enterprise Server 11 SP3 telnet.rb in Puppet 2.7.x before 2.7.13 and Puppet Enterprise (PE) 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows local users to overwrite arbitrary files via a symlink attack on the NET::Telnet connection log (/tmp/out.log). Moderate CVE-2012-1989 SUSE bug 755871 SUSE Linux Enterprise Server 11 SP3 Integer signedness error in the TIFFReadDirectory function in tif_dirread.c in libtiff 3.9.4 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a negative tile depth in a tiff image, which triggers an improper conversion between signed and unsigned types, leading to a heap-based buffer overflow. Moderate CVE-2012-2088 SUSE bug 767854 SUSE bug 854393 SUSE Linux Enterprise Server 11 SP3 Algorithmic complexity vulnerability in the sorting algorithms in bzip2 compressing stream (BZip2CompressorOutputStream) in Apache Commons Compress before 1.4.1 allows remote attackers to cause a denial of service (CPU consumption) via a file with many repeating inputs. Low CVE-2012-2098 SUSE bug 763820 SUSE Linux Enterprise Server 11 SP3 The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL before 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1 before 1.0.1a does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key. Important CVE-2012-2110 SUSE bug 758060 SUSE bug 778825 SUSE Linux Enterprise Server 11 SP3 The (1) CreateAccount, (2) OpenAccount, (3) AddAccountRights, and (4) RemoveAccountRights LSA RPC procedures in smbd in Samba 3.4.x before 3.4.17, 3.5.x before 3.5.15, and 3.6.x before 3.6.5 do not properly restrict modifications to the privileges database, which allows remote authenticated users to obtain the "take ownership" privilege via an LSA connection. Moderate CVE-2012-2111 SUSE bug 754443 SUSE bug 757576 SUSE Linux Enterprise Server 11 SP3 Multiple integer overflows in tiff2pdf in libtiff before 4.0.2 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted tiff image, which triggers a heap-based buffer overflow. Moderate CVE-2012-2113 SUSE bug 767852 SUSE bug 854393 SUSE Linux Enterprise Server 11 SP3 Buffer overflow in the macvtap device driver in the Linux kernel before 3.4.5, when running in certain configurations, allows privileged KVM guest users to cause a denial of service (crash) via a long descriptor with a long vector length. Moderate CVE-2012-2119 SUSE bug 758243 SUSE Linux Enterprise Server 11 SP3 sql/password.c in Oracle MySQL 5.1.x before 5.1.63, 5.5.x before 5.5.24, and 5.6.x before 5.6.6, and MariaDB 5.1.x before 5.1.62, 5.2.x before 5.2.12, 5.3.x before 5.3.6, and 5.5.x before 5.5.23, when running in certain environments with certain implementations of the memcmp function, allows remote attackers to bypass authentication by repeatedly authenticating with the same incorrect password, which eventually causes a token comparison to succeed due to an improperly-checked return value. Important CVE-2012-2122 SUSE bug 765092 SUSE bug 766428 SUSE Linux Enterprise Server 11 SP3 Multiple integer signedness errors in crypto/buffer/buffer.c in OpenSSL 0.9.8v allow remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-2110. Moderate CVE-2012-2131 SUSE bug 758060 SUSE Linux Enterprise Server 11 SP3 libsoup 2.32.2 and earlier does not validate certificates or clear the trust flag when the ssl-ca-file does not exist, which allows remote attackers to bypass authentication by connecting with a SSL connection. Moderate CVE-2012-2132 SUSE bug 758431 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the Linux kernel before 3.3.6, when huge pages are enabled, allows local users to cause a denial of service (system crash) or possibly gain privileges by interacting with a hugetlbfs filesystem, as demonstrated by a umount operation that triggers improper handling of quota data. Moderate CVE-2012-2133 SUSE bug 653148 SUSE bug 758532 SUSE Linux Enterprise Server 11 SP3 The sock_alloc_send_pskb function in net/core/sock.c in the Linux kernel before 3.4.5 does not properly validate a certain length value, which allows local users to cause a denial of service (heap-based buffer overflow and system crash) or possibly gain privileges by leveraging access to a TUN/TAP device. Moderate CVE-2012-2136 SUSE bug 765320 SUSE Linux Enterprise Server 11 SP3 Buffer overflow in virt/kvm/irq_comm.c in the KVM subsystem in the Linux kernel before 3.2.24 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to Message Signaled Interrupts (MSI), irq routing entries, and an incorrect check by the setup_routing_entry function before invoking the kvm_set_irq function. Moderate CVE-2012-2137 SUSE bug 767612 SUSE bug 871595 SUSE Linux Enterprise Server 11 SP3 Array index error in the handle_nsExtendOutput2Table function in agent/mibgroup/agent/extend.c in Net-SNMP 5.7.1 allows remote authenticated users to cause a denial of service (out-of-bounds read and snmpd crash) via an SNMP GET request for an entry not in the extension table. Moderate CVE-2012-2141 SUSE bug 759352 SUSE bug 826684 SUSE Linux Enterprise Server 11 SP3 The crypt_des (aka DES-based crypt) function in FreeBSD before 9.0-RELEASE-p2, as used in PHP, PostgreSQL, and other products, does not process the complete cleartext password if this password contains a 0x80 character, which makes it easier for context-dependent attackers to obtain access via an authentication attempt with an initial substring of the intended password, as demonstrated by a Unicode password. Moderate CVE-2012-2143 SUSE bug 766797 SUSE bug 766798 SUSE bug 766799 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA xfs_metadump in xfsprogs before 3.2.4 does not properly obfuscate file data, which allows remote attackers to obtain sensitive information by reading a generated image. Low CVE-2012-2150 SUSE bug 939367 SUSE Linux Enterprise Server 11 SP3 sapi/cgi/cgi_main.c in PHP before 5.3.13 and 5.4.x before 5.4.3, when configured as a CGI script (aka php-cgi), does not properly handle query strings that contain a %3D sequence but no = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1823. Important CVE-2012-2311 SUSE bug 760536 SUSE bug 761631 SUSE Linux Enterprise Server 11 SP3 Integer underflow in OpenSSL before 0.9.8x, 1.0.0 before 1.0.0j, and 1.0.1 before 1.0.1c, when TLS 1.1, TLS 1.2, or DTLS is used with CBC encryption, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted TLS packet that is not properly handled during a certain explicit IV calculation. Moderate CVE-2012-2333 SUSE bug 761838 SUSE bug 763341 SUSE bug 905106 SUSE Linux Enterprise Server 11 SP3 php-wrapper.fcgi does not properly handle command-line arguments, which allows remote attackers to bypass a protection mechanism in PHP 5.3.12 and 5.4.2 and execute arbitrary code by leveraging improper interaction between the PHP sapi/cgi/cgi_main.c component and a query string beginning with a +- sequence. Moderate CVE-2012-2335 SUSE bug 761631 SUSE Linux Enterprise Server 11 SP3 sapi/cgi/cgi_main.c in PHP before 5.3.13 and 5.4.x before 5.4.3, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to cause a denial of service (resource consumption) by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'T' case. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1823. Important CVE-2012-2336 SUSE bug 761631 SUSE Linux Enterprise Server 11 SP3 sudo 1.6.x and 1.7.x before 1.7.9p1, and 1.8.x before 1.8.4p5, does not properly support configurations that use a netmask syntax, which allows local users to bypass intended command restrictions in opportunistic circumstances by executing a command on a host that has an IPv4 address. Important CVE-2012-2337 SUSE bug 762327 SUSE bug 826687 SUSE Linux Enterprise Server 11 SP3 Multiple integer overflows in the read_bitmap_file_data function in io-xbm.c in gdk-pixbuf before 2.26.1 allow remote attackers to cause a denial of service (application crash) via a negative (1) height or (2) width in an XBM file, which triggers a heap-based buffer overflow. Moderate CVE-2012-2370 SUSE bug 762735 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The rds_ib_xmit function in net/rds/ib_send.c in the Reliable Datagram Sockets (RDS) protocol implementation in the Linux kernel 3.7.4 and earlier allows local users to cause a denial of service (BUG_ON and kernel panic) by establishing an RDS connection with the source IP address equal to the IPoIB interface's own IP address, as demonstrated by rds-ping. Moderate CVE-2012-2372 SUSE bug 653148 SUSE bug 767610 SUSE bug 795039 SUSE Linux Enterprise Server 11 SP3 The Linux kernel before 3.4.5 on the x86 platform, when Physical Address Extension (PAE) is enabled, does not properly use the Page Middle Directory (PMD), which allows local users to cause a denial of service (panic) via a crafted application that triggers a race condition. Moderate CVE-2012-2373 SUSE bug 653148 SUSE bug 762991 SUSE Linux Enterprise Server 11 SP3 Integer overflow in the phar_parse_tarfile function in tar.c in the phar extension in PHP before 5.3.14 and 5.4.x before 5.4.4 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted tar file that triggers a heap-based buffer overflow. Moderate CVE-2012-2386 SUSE bug 763814 SUSE Linux Enterprise Server 11 SP3 Memory leak in mm/hugetlb.c in the Linux kernel before 3.4.2 allows local users to cause a denial of service (memory consumption or system crash) via invalid MAP_HUGETLB mmap operations. Moderate CVE-2012-2390 SUSE bug 653148 SUSE bug 764150 SUSE Linux Enterprise Server 11 SP3 Wireshark 1.4.x before 1.4.13 and 1.6.x before 1.6.8 allows remote attackers to cause a denial of service (infinite loop) via vectors related to the (1) ANSI MAP, (2) ASF, (3) IEEE 802.11, (4) IEEE 802.3, and (5) LTP dissectors. Moderate CVE-2012-2392 SUSE bug 763634 SUSE bug 763855 SUSE bug 769578 SUSE Linux Enterprise Server 11 SP3 epan/dissectors/packet-diameter.c in the DIAMETER dissector in Wireshark 1.4.x before 1.4.13 and 1.6.x before 1.6.8 does not properly construct certain array data structures, which allows remote attackers to cause a denial of service (application crash) via a crafted packet that triggers incorrect memory allocation. Moderate CVE-2012-2393 SUSE bug 763634 SUSE bug 763855 SUSE bug 763857 SUSE Linux Enterprise Server 11 SP3 Wireshark 1.4.x before 1.4.13 and 1.6.x before 1.6.8 on the SPARC and Itanium platforms does not properly perform data alignment for a certain structure member, which allows remote attackers to cause a denial of service (application crash) via a (1) ICMP or (2) ICMPv6 Echo Request packet. Moderate CVE-2012-2394 SUSE bug 763634 SUSE bug 763859 SUSE Linux Enterprise Server 11 SP3 The PyGrub boot loader in Xen unstable before changeset 25589:60f09d1ab1fe, 4.2.x, and 4.1.x allows local para-virtualized guest users to cause a denial of service (memory consumption) via a large (1) bzip2 or (2) lzma compressed kernel image. Moderate CVE-2012-2625 SUSE bug 762484 SUSE bug 773393 SUSE bug 773401 SUSE bug 787163 SUSE Linux Enterprise Server 11 SP3 The bdrv_open function in Qemu 1.0 does not properly handle the failure of the mkstemp function, when in snapshot node, which allows local users to overwrite or read arbitrary files via a symlink attack on an unspecified temporary file. Moderate CVE-2012-2652 SUSE bug 764526 SUSE Linux Enterprise Server 11 SP3 PostgreSQL 8.3.x before 8.3.19, 8.4.x before 8.4.12, 9.0.x before 9.0.8, and 9.1.x before 9.1.4 allows remote authenticated users to cause a denial of service (server crash) by adding the (1) SECURITY DEFINER or (2) SET attributes to a procedural language's call handler. Moderate CVE-2012-2655 SUSE bug 765069 SUSE Linux Enterprise Server 11 SP3 extensions/libxt_tcp.c in iptables through 1.4.21 does not match TCP SYN+FIN packets in --syn rules, which might allow remote attackers to bypass intended firewall restrictions via crafted packets. NOTE: the CVE-2012-6638 fix makes this issue less relevant. Moderate CVE-2012-2663 SUSE bug 765102 SUSE bug 765488 SUSE Linux Enterprise Server 11 SP3 The main function in tools/hv/hv_kvp_daemon.c in hypervkvpd, as distributed in the Linux kernel before 3.4.5, does not validate the origin of Netlink messages, which allows local users to spoof Netlink communication via a crafted connector message. Moderate CVE-2012-2669 SUSE bug 761200 SUSE Linux Enterprise Server 11 SP3 Multiple cross-site scripting (XSS) vulnerabilities in the make_variant_list function in mod_negotiation.c in the mod_negotiation module in the Apache HTTP Server 2.4.x before 2.4.3, when the MultiViews option is enabled, allow remote attackers to inject arbitrary web script or HTML via a crafted filename that is not properly handled during construction of a variant list. Low CVE-2012-2687 SUSE bug 777260 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the _php_stream_scandir function in the stream implementation in PHP before 5.3.15 and 5.4.x before 5.4.5 has unknown impact and remote attack vectors, related to an "overflow." Moderate CVE-2012-2688 SUSE bug 772582 SUSE Linux Enterprise Server 11 SP3 java/org/apache/coyote/http11/InternalNioInputBuffer.java in the HTTP NIO connector in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.28 does not properly restrict the request-header size, which allows remote attackers to cause a denial of service (memory consumption) via a large amount of header data. Moderate CVE-2012-2733 SUSE bug 789406 SUSE Linux Enterprise Server 11 SP3 The copy_creds function in kernel/cred.c in the Linux kernel before 3.3.2 provides an invalid replacement session keyring to a child process, which allows local users to cause a denial of service (panic) via a crafted application that uses the fork system call. Moderate CVE-2012-2745 SUSE bug 653148 SUSE bug 770695 SUSE bug 795039 SUSE Linux Enterprise Server 11 SP3 ModSecurity before 2.6.6, when used with PHP, does not properly handle single quotes not at the beginning of a request parameter value in the Content-Disposition field of a request with a multipart/form-data Content-Type header, which allows remote attackers to bypass filtering rules and perform other attacks such as cross-site scripting (XSS) attacks. NOTE: this vulnerability exists because of an incomplete fix for CVE-2009-5031. Moderate CVE-2012-2751 SUSE bug 768293 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in the get_sos function in jdmarker.c in libjpeg-turbo 1.2.0 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large component count in the header of a JPEG image. Moderate CVE-2012-2806 SUSE bug 771791 SUSE Linux Enterprise Server 11 SP3 Multiple integer overflows in libxml2, as used in Google Chrome before 20.0.1132.43 and other products, on 64-bit Linux platforms allow remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. Moderate CVE-2012-2807 SUSE bug 1123919 SUSE bug 769181 SUSE bug 769184 SUSE Linux Enterprise Server 11 SP3 The exif_entry_get_value function in exif-entry.c in the EXIF Tag Parsing Library (aka libexif) before 0.6.21 allows remote attackers to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from process memory via crafted EXIF tags in an image. Moderate CVE-2012-2812 SUSE bug 771229 SUSE bug 831515 SUSE Linux Enterprise Server 11 SP3 The exif_convert_utf16_to_utf8 function in exif-entry.c in the EXIF Tag Parsing Library (aka libexif) before 0.6.21 allows remote attackers to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from process memory via crafted EXIF tags in an image. Moderate CVE-2012-2813 SUSE bug 771229 SUSE bug 831515 SUSE Linux Enterprise Server 11 SP3 Buffer overflow in the exif_entry_format_value function in exif-entry.c in the EXIF Tag Parsing Library (aka libexif) 0.6.20 allows remote attackers to cause a denial of service or possibly execute arbitrary code via crafted EXIF tags in an image. Moderate CVE-2012-2814 SUSE bug 771229 SUSE bug 831515 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The XSL implementation in Google Chrome before 20.0.1132.43 allows remote attackers to cause a denial of service (incorrect read operation) via unspecified vectors. Moderate CVE-2012-2825 SUSE bug 769181 SUSE bug 769182 SUSE bug 849019 SUSE Linux Enterprise Server 11 SP3 The exif_data_load_data function in exif-data.c in the EXIF Tag Parsing Library (aka libexif) before 0.6.21 allows remote attackers to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from process memory via crafted EXIF tags in an image. Moderate CVE-2012-2836 SUSE bug 771229 SUSE bug 831515 SUSE Linux Enterprise Server 11 SP3 The mnote_olympus_entry_get_value function in olympus/mnote-olympus-entry.c in the EXIF Tag Parsing Library (aka libexif) before 0.6.21 allows remote attackers to cause a denial of service (divide-by-zero error) via an image with crafted EXIF tags that are not properly handled during the formatting of EXIF maker note tags. Moderate CVE-2012-2837 SUSE bug 771229 SUSE bug 831515 SUSE Linux Enterprise Server 11 SP3 Off-by-one error in the exif_convert_utf16_to_utf8 function in exif-entry.c in the EXIF Tag Parsing Library (aka libexif) before 0.6.21 allows remote attackers to cause a denial of service or possibly execute arbitrary code via crafted EXIF tags in an image. Moderate CVE-2012-2840 SUSE bug 771229 SUSE bug 831515 SUSE Linux Enterprise Server 11 SP3 Integer underflow in the exif_entry_get_value function in exif-entry.c in the EXIF Tag Parsing Library (aka libexif) 0.6.20 might allow remote attackers to execute arbitrary code via vectors involving a crafted buffer-size parameter during the formatting of an EXIF tag, leading to a heap-based buffer overflow. Moderate CVE-2012-2841 SUSE bug 771229 SUSE bug 831515 SUSE Linux Enterprise Server 11 SP3 Buffer overflow in the addchar function in common/parseconf.c in upsd in Network UPS Tools (NUT) before 2.6.4 allows remote attackers to execute arbitrary code or cause a denial of service (electric-power outage) via a long string containing non-printable characters. Important CVE-2012-2944 SUSE bug 764699 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Beans, a different vulnerability than CVE-2012-1682. Important CVE-2012-3136 SUSE bug 777499 SUSE bug 780897 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, and 5.0 Update 36 and earlier allows remote attackers to affect confidentiality, integrity, and availability, related to JMX, a different vulnerability than CVE-2012-5089. Important CVE-2012-3143 SUSE bug 785433 SUSE bug 785814 SUSE bug 788750 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, and 6 Update 35 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2012-1533. Moderate CVE-2012-3159 SUSE bug 785433 SUSE bug 785814 SUSE bug 788750 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in Oracle Java 7 before Update 11 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2013-0422. NOTE: some parties have mapped CVE-2012-3174 to an issue involving recursive use of the Reflection API, but that issue is already covered as part of CVE-2013-0422. This identifier is for a different vulnerability whose details are not public as of 20130114. Moderate CVE-2012-3174 SUSE bug 798324 SUSE bug 798521 SUSE bug 798535 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 and 6 through Update 38 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Scripting. Important CVE-2012-3213 SUSE bug 798535 SUSE bug 806786 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, 5.0 Update 36 and earlier, and 1.4.2_38 and earlier allows remote attackers to affect confidentiality via unknown vectors related to Libraries. Low CVE-2012-3216 SUSE bug 785433 SUSE bug 785814 SUSE bug 788750 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 and 6 through Update 38 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than other CVEs listed in the February 2013 CPU. Important CVE-2012-3342 SUSE bug 798535 SUSE bug 806786 SUSE Linux Enterprise Server 11 SP3 The SQLite functionality in PHP before 5.3.15 allows remote attackers to bypass the open_basedir protection mechanism via unspecified vectors. Moderate CVE-2012-3365 SUSE bug 772580 SUSE bug 772582 SUSE Linux Enterprise Server 11 SP3 sfcb in sblim-sfcb places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse shared library in the current working directory. Moderate CVE-2012-3381 SUSE bug 770234 SUSE Linux Enterprise Server 11 SP3 Cross-site scripting (XSS) vulnerability in the ProcessRequest function in mcs/class/System.Web/System.Web/HttpForbiddenHandler.cs in Mono 2.10.8 and earlier allows remote attackers to inject arbitrary web script or HTML via a file with a crafted name and a forbidden extension, which is not properly handled in an error message. Moderate CVE-2012-3382 SUSE bug 769799 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The "make distcheck" rule in GNU Automake before 1.11.6 and 1.12.x before 1.12.2 grants world-writable permissions to the extraction directory, which introduces a race condition that allows local users to execute arbitrary code via unspecified vectors. Moderate CVE-2012-3386 SUSE bug 770618 SUSE bug 786745 SUSE Linux Enterprise Server 11 SP3 The t2p_read_tiff_init function in tiff2pdf (tools/tiff2pdf.c) in LibTIFF 4.0.2 and earlier does not properly initialize the T2P context struct pointer in certain error conditions, which allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted TIFF image that triggers a heap-based buffer overflow. Moderate CVE-2012-3401 SUSE bug 770816 SUSE bug 854393 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The sfc (aka Solarflare Solarstorm) driver in the Linux kernel before 3.2.30 allows remote attackers to cause a denial of service (DMA descriptor consumption and network-controller outage) via crafted TCP packets that trigger a small MSS value. Important CVE-2012-3412 SUSE bug 774523 SUSE Linux Enterprise Server 11 SP3 The png_push_read_zTXt function in pngpread.c in libpng 1.0.x before 1.0.58, 1.2.x before 1.2.48, 1.4.x before 1.4.10, and 1.5.x before 1.5.10 allows remote attackers to cause a denial of service (out-of-bounds read) via a large avail_in field value in a PNG image. Moderate CVE-2012-3425 SUSE bug 772760 SUSE bug 854395 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The rds_recvmsg function in net/rds/recv.c in the Linux kernel before 3.0.44 does not initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a (1) recvfrom or (2) recvmsg system call on an RDS socket. Moderate CVE-2012-3430 SUSE bug 653148 SUSE bug 773383 SUSE bug 795039 SUSE Linux Enterprise Server 11 SP3 The handle_mmio function in arch/x86/hvm/io.c in the MMIO operations emulator for Xen 3.3 and 4.x, when running an HVM guest, does not properly reset certain state information between emulation cycles, which allows local guest OS users to cause a denial of service (guest OS crash) via unspecified operations on MMIO regions. Moderate CVE-2012-3432 SUSE bug 773393 SUSE bug 773401 SUSE Linux Enterprise Server 11 SP3 Xen 4.0 and 4.1 allows local HVM guest OS kernels to cause a denial of service (domain 0 VCPU hang and kernel panic) by modifying the physical address space in a way that triggers excessive shared page search time during the p2m teardown. Moderate CVE-2012-3433 SUSE bug 773393 SUSE bug 773401 SUSE Linux Enterprise Server 11 SP3 The Magick_png_malloc function in coders/png.c in ImageMagick 6.7.8 and earlier does not use the proper variable type for the allocation size, which might allow remote attackers to cause a denial of service (crash) via a crafted PNG file that triggers incorrect memory allocation. Moderate CVE-2012-3437 SUSE bug 773612 SUSE bug 785093 SUSE bug 905260 SUSE Linux Enterprise Server 11 SP3 The virTypedParameterArrayClear function in libvirt 0.9.13 does not properly handle virDomain* API calls with typed parameters, which might allow remote authenticated users to cause a denial of service (libvirtd crash) via an RPC command with nparams set to zero, which triggers an out-of-bounds read or a free of an invalid pointer. Moderate CVE-2012-3445 SUSE bug 773955 SUSE Linux Enterprise Server 11 SP3 The (1) otrl_base64_otr_decode function in src/b64.c; (2) otrl_proto_data_read_flags and (3) otrl_proto_accept_data functions in src/proto.c; and (4) decode function in toolkit/parse.c in libotr before 3.2.1 allocates a zero-length buffer when decoding a base64 string, which allows remote attackers to cause a denial of service (application crash) via a message with the value "?OTR:===.", which triggers a heap-based buffer overflow. Moderate CVE-2012-3461 SUSE bug 777468 SUSE bug 789190 SUSE Linux Enterprise Server 11 SP3-TERADATA Fetchmail 5.0.8 through 6.3.21, when using NTLM authentication in debug mode, allows remote NTLM servers to (1) cause a denial of service (crash and delayed delivery of inbound mail) via a crafted NTLM response that triggers an out-of-bounds read in the base64 decoder, or (2) obtain sensitive information from memory via an NTLM Type 2 message with a crafted Target Name structure, which triggers an out-of-bounds read. Moderate CVE-2012-3482 SUSE bug 775988 SUSE Linux Enterprise Server 11 SP3 The libxslt support in contrib/xml2 in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 does not properly restrict access to files and URLs, which allows remote authenticated users to modify data, obtain sensitive information, or trigger outbound traffic to arbitrary external hosts by leveraging (1) stylesheet commands that are permitted by the libxslt security options or (2) an xslt_process feature, related to an XML External Entity (aka XXE) issue. Moderate CVE-2012-3488 SUSE bug 776523 SUSE Linux Enterprise Server 11 SP3 The xml_parse function in the libxml2 support in the core server component in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 allows remote authenticated users to determine the existence of arbitrary files or URLs, and possibly obtain file or URL content that triggers a parsing error, via an XML value that refers to (1) a DTD or (2) an entity, related to an XML External Entity (aka XXE) issue. Low CVE-2012-3489 SUSE bug 776524 SUSE Linux Enterprise Server 11 SP3 The set_debugreg hypercall in include/asm-x86/debugreg.h in Xen 4.0, 4.1, and 4.2, and Citrix XenServer 6.0.2 and earlier, when running on x86-64 systems, allows local OS guest users to cause a denial of service (host crash) by writing to the reserved bits of the DR7 debug control register. Moderate CVE-2012-3494 SUSE bug 777090 SUSE Linux Enterprise Server 11 SP3 The physdev_get_free_pirq hypercall in arch/x86/physdev.c in Xen 4.1.x and Citrix XenServer 6.0.2 and earlier uses the return value of the get_free_pirq function as an array index without checking that the return value indicates an error, which allows guest OS users to cause a denial of service (invalid memory write and host crash) and possibly gain privileges via unspecified vectors. Moderate CVE-2012-3495 SUSE bug 777088 SUSE Linux Enterprise Server 11 SP3 XENMEM_populate_physmap in Xen 4.0, 4.1, and 4.2, and Citrix XenServer 6.0.2 and earlier, when translating paging mode is not used, allows local PV OS guest kernels to cause a denial of service (BUG triggered and host crash) via invalid flags such as MEMF_populate_on_demand. Moderate CVE-2012-3496 SUSE bug 777091 SUSE Linux Enterprise Server 11 SP3 (1) TMEMC_SAVE_GET_CLIENT_WEIGHT, (2) TMEMC_SAVE_GET_CLIENT_CAP, (3) TMEMC_SAVE_GET_CLIENT_FLAGS and (4) TMEMC_SAVE_END in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 allow local guest OS users to cause a denial of service (NULL pointer dereference or memory corruption and host crash) or possibly have other unspecified impacts via a NULL client id. Moderate CVE-2012-3497 SUSE bug 777890 SUSE Linux Enterprise Server 11 SP3 PHYSDEVOP_map_pirq in Xen 4.1 and 4.2 and Citrix XenServer 6.0.2 and earlier allows local HVM guest OS kernels to cause a denial of service (host crash) and possibly read hypervisor or guest memory via vectors related to a missing range check of map->index. Moderate CVE-2012-3498 SUSE bug 777086 SUSE Linux Enterprise Server 11 SP3 Multiple cross-site scripting (XSS) vulnerabilities in the Apache HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow remote attackers to inject arbitrary web script or HTML via vectors involving hostnames and URIs in the (1) mod_imagemap, (2) mod_info, (3) mod_ldap, (4) mod_proxy_ftp, and (5) mod_status modules. Moderate CVE-2012-3499 SUSE bug 806458 SUSE bug 807511 SUSE Linux Enterprise Server 11 SP3 Qemu, as used in Xen 4.0, 4.1 and possibly other products, when emulating certain devices with a virtual console backend, allows local OS guest users to gain privileges via a crafted escape VT100 sequence that triggers the overwrite of a "device model's address space." Important CVE-2012-3515 SUSE bug 777084 SUSE Linux Enterprise Server 11 SP3 libdbus 1.5.x and earlier, when used in setuid or other privileged programs in X.org and possibly other products, allows local users to gain privileges and execute arbitrary code via the DBUS_SYSTEM_BUS_ADDRESS environment variable. NOTE: libdbus maintainers state that this is a vulnerability in the applications that do not cleanse environment variables, not in libdbus itself: "we do not support use of libdbus in setuid binaries that do not sanitize their environment before their first call into libdbus." Important CVE-2012-3524 SUSE bug 697105 SUSE bug 852781 SUSE bug 912016 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Moderate CVE-2012-3543 SUSE bug 739119 SUSE bug 963818 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Apache Tomcat 6.x before 6.0.37 and 7.x before 7.0.30 does not properly handle chunk extensions in chunked transfer coding, which allows remote attackers to cause a denial of service by streaming data. Moderate CVE-2012-3544 SUSE bug 822177 SUSE bug 831119 SUSE bug 865746 SUSE Linux Enterprise Server 11 SP3 org/apache/catalina/realm/RealmBase.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.30, when FORM authentication is used, allows remote attackers to bypass security-constraint checks by leveraging a previous setUserPrincipal call and then placing /j_security_check at the end of a URI. Moderate CVE-2012-3546 SUSE bug 793394 SUSE Linux Enterprise Server 11 SP3 Buffer overflow in ISC DHCP 4.2.x before 4.2.4-P1, when DHCPv6 mode is enabled, allows remote attackers to cause a denial of service (segmentation fault and daemon exit) via a crafted client identifier parameter. Moderate CVE-2012-3570 SUSE bug 772924 SUSE Linux Enterprise Server 11 SP3 ISC DHCP 4.1.2 through 4.2.4 and 4.1-ESV before 4.1-ESV-R6 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a malformed client identifier. Moderate CVE-2012-3571 SUSE bug 772924 SUSE Linux Enterprise Server 11 SP3 ISC BIND 9.4.x, 9.5.x, 9.6.x, and 9.7.x before 9.7.6-P2; 9.8.x before 9.8.3-P2; 9.9.x before 9.9.1-P2; and 9.6-ESV before 9.6-ESV-R7-P2, when DNSSEC validation is enabled, does not properly initialize the failing-query cache, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) by sending many queries. Moderate CVE-2012-3817 SUSE bug 772945 SUSE bug 792926 SUSE Linux Enterprise Server 11 SP3 Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, allows remote authenticated users to read arbitrary files on the puppet master server by leveraging an arbitrary user's certificate and private key in a GET request. Moderate CVE-2012-3864 SUSE bug 770828 SUSE Linux Enterprise Server 11 SP3 Directory traversal vulnerability in lib/puppet/reports/store.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, when Delete is enabled in auth.conf, allows remote authenticated users to delete arbitrary files on the puppet master server via a .. (dot dot) in a node name. Moderate CVE-2012-3865 SUSE bug 770829 SUSE Linux Enterprise Server 11 SP3 lib/puppet/ssl/certificate_authority.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, does not properly restrict the characters in the Common Name field of a Certificate Signing Request (CSR), which makes it easier for user-assisted remote attackers to trick administrators into signing a crafted agent certificate via ANSI control sequences. Moderate CVE-2012-3867 SUSE bug 770833 SUSE Linux Enterprise Server 11 SP3 Multiple memory leaks in ISC DHCP 4.1.x and 4.2.x before 4.2.4-P1 and 4.1-ESV before 4.1-ESV-R6 allow remote attackers to cause a denial of service (memory consumption) by sending many requests. Moderate CVE-2012-3954 SUSE bug 772924 SUSE Linux Enterprise Server 11 SP3 ISC DHCP 4.1.x before 4.1-ESV-R7 and 4.2.x before 4.2.4-P2 allows remote attackers to cause a denial of service (daemon crash) in opportunistic circumstances by establishing an IPv6 lease in an environment where the lease expiration time is later reduced. Moderate CVE-2012-3955 SUSE bug 780167 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the MediaStreamGraphThreadRunnable::Run function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. Critical CVE-2012-3956 SUSE bug 777588 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in the nsBlockFrame::MarkLineDirty function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to execute arbitrary code via unspecified vectors. Critical CVE-2012-3957 SUSE bug 777588 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the nsHTMLEditRules::DeleteNonTableElements function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. Critical CVE-2012-3958 SUSE bug 777588 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the nsRangeUpdater::SelAdjDeleteNode function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. Critical CVE-2012-3959 SUSE bug 777588 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the mozSpellChecker::SetCurrentDictionary function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. Critical CVE-2012-3960 SUSE bug 777588 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the RangeData implementation in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. Critical CVE-2012-3961 SUSE bug 777588 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 do not properly iterate through the characters in a text run, which allows remote attackers to execute arbitrary code via a crafted document. Critical CVE-2012-3962 SUSE bug 777588 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the js::gc::MapAllocToTraceKind function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to execute arbitrary code via unspecified vectors. Critical CVE-2012-3963 SUSE bug 777588 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the gfxTextRun::GetUserData function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. Critical CVE-2012-3964 SUSE bug 777588 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a negative height value in a BMP image within a .ICO file, related to (1) improper handling of the transparency bitmask by the nsICODecoder component and (2) improper processing of the alpha channel by the nsBMPDecoder component. Important CVE-2012-3966 SUSE bug 777588 SUSE Linux Enterprise Server 11 SP3 The WebGL implementation in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 on Linux, when a large number of sampler uniforms are used, does not properly interact with Mesa drivers, which allows remote attackers to execute arbitrary code or cause a denial of service (stack memory corruption) via a crafted web site. Important CVE-2012-3967 SUSE bug 777588 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the WebGL implementation in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to execute arbitrary code via vectors related to deletion of a fragment shader by its accessor. Critical CVE-2012-3968 SUSE bug 777588 SUSE Linux Enterprise Server 11 SP3 Integer overflow in the nsSVGFEMorphologyElement::Filter function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to execute arbitrary code via a crafted SVG filter that triggers an incorrect sum calculation, leading to a heap-based buffer overflow. Important CVE-2012-3969 SUSE bug 777588 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the nsTArray_base::Length function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via vectors involving movement of a requiredFeatures attribute from one SVG document to another. Critical CVE-2012-3970 SUSE bug 777588 SUSE Linux Enterprise Server 11 SP3 The format-number functionality in the XSLT implementation in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to obtain sensitive information via unspecified vectors that trigger a heap-based buffer over-read. Moderate CVE-2012-3972 SUSE bug 777588 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, and SeaMonkey before 2.12 do not properly handle onLocationChange events during navigation between different https sites, which allows remote attackers to spoof the X.509 certificate information in the address bar via a crafted web page. Moderate CVE-2012-3976 SUSE bug 777588 SUSE Linux Enterprise Server 11 SP3 The nsLocation::CheckURL function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 does not properly follow the security model of the location object, which allows remote attackers to bypass intended content-loading restrictions or possibly have unspecified other impact via vectors involving chrome code. Moderate CVE-2012-3978 SUSE bug 777588 SUSE Linux Enterprise Server 11 SP3 The web console in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, and Thunderbird ESR 10.x before 10.0.7 allows user-assisted remote attackers to execute arbitrary JavaScript code with chrome privileges via a crafted web site that injects this code and triggers an eval operation. Moderate CVE-2012-3980 SUSE bug 777588 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Moderate CVE-2012-3982 SUSE bug 783533 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 do not properly restrict calls to DOMWindowUtils (aka nsDOMWindowUtils) methods, which allows remote attackers to bypass intended access restrictions via crafted JavaScript code. Moderate CVE-2012-3986 SUSE bug 783533 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 might allow user-assisted remote attackers to execute arbitrary code via vectors involving use of mozRequestFullScreen to enter full-screen mode, and use of the history.back method for backwards history navigation. Moderate CVE-2012-3988 SUSE bug 783533 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the IME State Manager implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 allows remote attackers to execute arbitrary code via unspecified vectors, related to the nsIContent::GetNameSpaceID function. Moderate CVE-2012-3990 SUSE bug 783533 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 do not properly restrict JSAPI access to the GetProperty function, which allows remote attackers to bypass the Same Origin Policy and possibly have unspecified other impact via a crafted web site. Moderate CVE-2012-3991 SUSE bug 783533 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 do not properly manage history data, which allows remote attackers to conduct cross-site scripting (XSS) attacks or obtain sensitive POST content via vectors involving a location.hash write operation and history navigation that triggers the loading of a URL into the history object. Moderate CVE-2012-3992 SUSE bug 783533 SUSE Linux Enterprise Server 11 SP3 The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 does not properly interact with failures of InstallTrigger methods, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges via a crafted web site, related to an "XrayWrapper pollution" issue. Moderate CVE-2012-3993 SUSE bug 783533 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 allow remote attackers to conduct cross-site scripting (XSS) attacks via a binary plugin that uses Object.defineProperty to shadow the top object, and leverages the relationship between top.location and the location property. Moderate CVE-2012-3994 SUSE bug 783533 SUSE Linux Enterprise Server 11 SP3 The IsCSSWordSpacingSpace function in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read) via unspecified vectors. Moderate CVE-2012-3995 SUSE bug 783533 SUSE Linux Enterprise Server 11 SP3 The PPP dissector in Wireshark 1.4.x before 1.4.14, 1.6.x before 1.6.9, and 1.8.x before 1.8.1 allows remote attackers to cause a denial of service (invalid pointer dereference and application crash) via a crafted packet, as demonstrated by a usbmon dump. Moderate CVE-2012-4048 SUSE bug 772738 SUSE Linux Enterprise Server 11 SP3 epan/dissectors/packet-nfs.c in the NFS dissector in Wireshark 1.4.x before 1.4.14, 1.6.x before 1.6.9, and 1.8.x before 1.8.1 allows remote attackers to cause a denial of service (loop and CPU consumption) via a crafted packet. Moderate CVE-2012-4049 SUSE bug 772738 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the nsHTMLCSSUtils::CreateCSSPropertyTxn function in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. Critical CVE-2012-4179 SUSE bug 783533 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in the nsHTMLEditor::IsPrevCharInNodeWhitespace function in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 allows remote attackers to execute arbitrary code via unspecified vectors. Critical CVE-2012-4180 SUSE bug 783533 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the nsSMILAnimationController::DoSample function in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. Critical CVE-2012-4181 SUSE bug 783533 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the nsTextEditRules::WillInsert function in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. Critical CVE-2012-4182 SUSE bug 783533 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the DOMSVGTests::GetRequiredFeatures function in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. Critical CVE-2012-4183 SUSE bug 783533 SUSE Linux Enterprise Server 11 SP3 The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 does not prevent access to properties of a prototype for a standard class, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges via a crafted web site. Critical CVE-2012-4184 SUSE bug 783533 SUSE Linux Enterprise Server 11 SP3 Buffer overflow in the nsCharTraits::length function in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. Moderate CVE-2012-4185 SUSE bug 783533 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in the nsWaveReader::DecodeAudioData function in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 allows remote attackers to execute arbitrary code via unspecified vectors. Critical CVE-2012-4186 SUSE bug 783533 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 do not properly manage a certain insPos variable, which allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption and assertion failure) via unspecified vectors. Critical CVE-2012-4187 SUSE bug 783533 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in the Convolve3x3 function in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 allows remote attackers to execute arbitrary code via unspecified vectors. Critical CVE-2012-4188 SUSE bug 783533 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox 16.0, Thunderbird 16.0, and SeaMonkey 2.13 allow remote attackers to bypass the Same Origin Policy and read the properties of a Location object via a crafted web site, a related issue to CVE-2012-4193. Important CVE-2012-4192 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 16.0.1, Firefox ESR 10.x before 10.0.9, Thunderbird before 16.0.1, Thunderbird ESR 10.x before 10.0.9, and SeaMonkey before 2.13.1 omit a security check in the defaultValue function during the unwrapping of security wrappers, which allows remote attackers to bypass the Same Origin Policy and read the properties of a Location object, or execute arbitrary JavaScript code, via a crafted web site. Important CVE-2012-4193 SUSE bug 783533 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 16.0.2, Firefox ESR 10.x before 10.0.10, Thunderbird before 16.0.2, Thunderbird ESR 10.x before 10.0.10, and SeaMonkey before 2.13.2 do not prevent use of the valueOf method to shadow the location object (aka window.location), which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via vectors involving a plugin. Moderate CVE-2012-4194 SUSE bug 786522 SUSE Linux Enterprise Server 11 SP3 The nsLocation::CheckURL function in Mozilla Firefox before 16.0.2, Firefox ESR 10.x before 10.0.10, Thunderbird before 16.0.2, Thunderbird ESR 10.x before 10.0.10, and SeaMonkey before 2.13.2 does not properly determine the calling document and principal in its return value, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted web site, and makes it easier for remote attackers to execute arbitrary JavaScript code by leveraging certain add-on behavior. Moderate CVE-2012-4195 SUSE bug 786522 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 16.0.2, Firefox ESR 10.x before 10.0.10, Thunderbird before 16.0.2, Thunderbird ESR 10.x before 10.0.10, and SeaMonkey before 2.13.2 allow remote attackers to bypass the Same Origin Policy and read the Location object via a prototype property-injection attack that defeats certain protection mechanisms for this object. Moderate CVE-2012-4196 SUSE bug 786522 SUSE Linux Enterprise Server 11 SP3 The evalInSandbox implementation in Mozilla Firefox before 17.0, Firefox ESR 10.x before 10.0.11, Thunderbird before 17.0, Thunderbird ESR 10.x before 10.0.11, and SeaMonkey before 2.14 uses an incorrect context during the handling of JavaScript code that sets the location.href property, which allows remote attackers to conduct cross-site scripting (XSS) attacks or read arbitrary files by leveraging a sandboxed add-on. Moderate CVE-2012-4201 SUSE bug 790140 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in the image::RasterImage::DrawFrameTo function in Mozilla Firefox before 17.0, Firefox ESR 10.x before 10.0.11, Thunderbird before 17.0, Thunderbird ESR 10.x before 10.0.11, and SeaMonkey before 2.14 allows remote attackers to execute arbitrary code via a crafted GIF image. Important CVE-2012-4202 SUSE bug 790140 SUSE Linux Enterprise Server 11 SP3 The HZ-GB-2312 character-set implementation in Mozilla Firefox before 17.0, Firefox ESR 10.x before 10.0.11, Thunderbird before 17.0, Thunderbird ESR 10.x before 10.0.11, and SeaMonkey before 2.14 does not properly handle a ~ (tilde) character in proximity to a chunk delimiter, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted document. Moderate CVE-2012-4207 SUSE bug 790140 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 17.0, Firefox ESR 10.x before 10.0.11, Thunderbird before 17.0, Thunderbird ESR 10.x before 10.0.11, and SeaMonkey before 2.14 do not prevent use of a "top" frame name-attribute value to access the location property, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via vectors involving a binary plugin. Moderate CVE-2012-4209 SUSE bug 790140 SUSE Linux Enterprise Server 11 SP3 The Style Inspector in Mozilla Firefox before 17.0 and Firefox ESR 10.x before 10.0.11 does not properly restrict the context of HTML markup and Cascading Style Sheets (CSS) token sequences, which allows user-assisted remote attackers to execute arbitrary JavaScript code with chrome privileges via a crafted stylesheet. Important CVE-2012-4210 SUSE bug 790140 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the XPCWrappedNative::Mark function in Mozilla Firefox before 17.0, Thunderbird before 17.0, and SeaMonkey before 2.14 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. Important CVE-2012-4212 SUSE bug 790140 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the nsEditor::FindNextLeafNode function in Mozilla Firefox before 17.0, Thunderbird before 17.0, and SeaMonkey before 2.14 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. Critical CVE-2012-4213 SUSE bug 790140 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the nsTextEditorState::PrepareEditor function in Mozilla Firefox before 17.0, Firefox ESR 10.x before 10.0.11, Thunderbird before 17.0, Thunderbird ESR 10.x before 10.0.11, and SeaMonkey before 2.14 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors, a different vulnerability than CVE-2012-5840. Important CVE-2012-4214 SUSE bug 790140 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the nsPlaintextEditor::FireClipboardEvent function in Mozilla Firefox before 17.0, Firefox ESR 10.x before 10.0.11, Thunderbird before 17.0, Thunderbird ESR 10.x before 10.0.11, and SeaMonkey before 2.14 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. Critical CVE-2012-4215 SUSE bug 790140 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the gfxFont::GetFontEntry function in Mozilla Firefox before 17.0, Firefox ESR 10.x before 10.0.11, Thunderbird before 17.0, Thunderbird ESR 10.x before 10.0.11, and SeaMonkey before 2.14 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. Critical CVE-2012-4216 SUSE bug 790140 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the nsViewManager::ProcessPendingUpdates function in Mozilla Firefox before 17.0, Thunderbird before 17.0, and SeaMonkey before 2.14 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. Critical CVE-2012-4217 SUSE bug 790140 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the BuildTextRunsScanner::BreakSink::SetBreaks function in Mozilla Firefox before 17.0, Thunderbird before 17.0, and SeaMonkey before 2.14 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. Critical CVE-2012-4218 SUSE bug 790140 SUSE Linux Enterprise Server 11 SP3 ISC BIND 9.x before 9.7.6-P3, 9.8.x before 9.8.3-P3, 9.9.x before 9.9.1-P3, and 9.4-ESV and 9.6-ESV before 9.6-ESV-R7-P3 allows remote attackers to cause a denial of service (assertion failure and named daemon exit) via a query for a long resource record. Important CVE-2012-4244 SUSE bug 780157 SUSE bug 792926 SUSE Linux Enterprise Server 11 SP3 The dissect_pft function in epan/dissectors/packet-dcp-etsi.c in the DCP ETSI dissector in Wireshark 1.4.x before 1.4.15, 1.6.x before 1.6.10, and 1.8.x before 1.8.2 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a zero-length message. Moderate CVE-2012-4285 SUSE bug 776083 SUSE Linux Enterprise Server 11 SP3 Integer overflow in the dissect_xtp_ecntl function in epan/dissectors/packet-xtp.c in the XTP dissector in Wireshark 1.4.x before 1.4.15, 1.6.x before 1.6.10, and 1.8.x before 1.8.2 allows remote attackers to cause a denial of service (loop or application crash) via a large value for a span length. Moderate CVE-2012-4288 SUSE bug 776083 SUSE Linux Enterprise Server 11 SP3 epan/dissectors/packet-afp.c in the AFP dissector in Wireshark 1.4.x before 1.4.15, 1.6.x before 1.6.10, and 1.8.x before 1.8.2 allows remote attackers to cause a denial of service (loop and CPU consumption) via a large number of ACL entries. Moderate CVE-2012-4289 SUSE bug 776083 SUSE Linux Enterprise Server 11 SP3 The CTDB dissector in Wireshark 1.4.x before 1.4.15, 1.6.x before 1.6.10, and 1.8.x before 1.8.2 allows remote attackers to cause a denial of service (loop and CPU consumption) via a malformed packet. Moderate CVE-2012-4290 SUSE bug 776083 SUSE Linux Enterprise Server 11 SP3 The CIP dissector in Wireshark 1.4.x before 1.4.15, 1.6.x before 1.6.10, and 1.8.x before 1.8.2 allows remote attackers to cause a denial of service (memory consumption) via a malformed packet. Moderate CVE-2012-4291 SUSE bug 776083 SUSE Linux Enterprise Server 11 SP3 The dissect_stun_message function in epan/dissectors/packet-stun.c in the STUN dissector in Wireshark 1.4.x before 1.4.15, 1.6.x before 1.6.10, and 1.8.x before 1.8.2 does not properly interact with key-destruction behavior in a certain tree library, which allows remote attackers to cause a denial of service (application crash) via a malformed packet. Moderate CVE-2012-4292 SUSE bug 776083 SUSE Linux Enterprise Server 11 SP3 plugins/ethercat/packet-ecatmb.c in the EtherCAT Mailbox dissector in Wireshark 1.4.x before 1.4.15, 1.6.x before 1.6.10, and 1.8.x before 1.8.2 does not properly handle certain integer fields, which allows remote attackers to cause a denial of service (application exit) via a malformed packet. Moderate CVE-2012-4293 SUSE bug 776083 SUSE Linux Enterprise Server 11 SP3 Buffer overflow in epan/dissectors/packet-rtps2.c in the RTPS2 dissector in Wireshark 1.4.x before 1.4.15, 1.6.x before 1.6.10, and 1.8.x before 1.8.2 allows remote attackers to cause a denial of service (CPU consumption) via a malformed packet. Moderate CVE-2012-4296 SUSE bug 776083 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The __request_module function in kernel/kmod.c in the Linux kernel before 3.4 does not set a certain killable attribute, which allows local users to cause a denial of service (memory consumption) via a crafted application. Moderate CVE-2012-4398 SUSE bug 778463 SUSE bug 779488 SUSE Linux Enterprise Server 11 SP3 Multiple integer underflows in the icmLut_allocate function in International Color Consortium (ICC) Format library (icclib), as used in Ghostscript 9.06 and Argyll Color Management System, allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted (1) PostScript or (2) PDF file with embedded images, which triggers a heap-based buffer overflow. NOTE: this issue is also described as an array index error. Moderate CVE-2012-4405 SUSE bug 726092 SUSE bug 774185 SUSE bug 779700 SUSE bug 939342 SUSE Linux Enterprise Server 11 SP3 The graphical console in Xen 4.0, 4.1 and 4.2 allows local OS guest administrators to obtain sensitive host resource information via the qemu monitor. NOTE: this might be a duplicate of CVE-2007-0998. Important CVE-2012-4411 SUSE bug 779212 SUSE bug 786516 SUSE bug 786518 SUSE bug 786519 SUSE bug 786520 SUSE bug 787163 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in string/strcoll_l.c in the GNU C Library (aka glibc or libc6) 2.17 and earlier allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string, which triggers a heap-based buffer overflow. Moderate CVE-2012-4412 SUSE bug 779320 SUSE bug 848783 SUSE bug 882910 SUSE bug 920055 SUSE bug 920169 SUSE bug 920338 SUSE Linux Enterprise Server 11 SP3 The virNetServerProgramDispatchCall function in libvirt before 0.10.2 allows remote attackers to cause a denial of service (NULL pointer dereference and segmentation fault) via an RPC call with (1) an event as the RPC number or (2) an RPC number whose value is in a "gap" in the RPC dispatch table. Low CVE-2012-4423 SUSE bug 779212 SUSE bug 780432 SUSE bug 786516 SUSE bug 786518 SUSE bug 786519 SUSE bug 786520 SUSE bug 787163 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Moderate CVE-2012-4428 SUSE bug 778508 SUSE Linux Enterprise Server 11 SP3 org/apache/catalina/filters/CsrfPreventionFilter.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.32 allows remote attackers to bypass the cross-site request forgery (CSRF) protection mechanism via a request that lacks a session identifier. Moderate CVE-2012-4431 SUSE bug 793391 SUSE bug 794548 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in tif_pixarlog.c in LibTIFF before 4.0.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted TIFF image using the PixarLog Compression format. Moderate CVE-2012-4447 SUSE bug 781995 SUSE bug 791607 SUSE bug 854393 SUSE Linux Enterprise Server 11 SP3 openCryptoki before 2.4.1, when using spinlocks, allows local users to create or set world-writable permissions on arbitrary files via a symlink attack on the (1) .pkapi_xpk or (2) .pkcs11spinloc file in /tmp. Moderate CVE-2012-4454 SUSE bug 779211 SUSE Linux Enterprise Server 11 SP3 openCryptoki 2.4.1 allows local users to create or set world-writable permissions on arbitrary files via a symlink attack on the (1) LCK..opencryptoki or (2) LCK..opencryptoki_stdll file in /var/lock/. Moderate CVE-2012-4455 SUSE bug 779211 SUSE Linux Enterprise Server 11 SP3 The KVM subsystem in the Linux kernel before 3.6.9, when running on hosts that use qemu userspace without XSAVE, allows local users to cause a denial of service (kernel OOPS) by using the KVM_SET_SREGS ioctl to set the X86_CR4_OSXSAVE bit in the guest cr4 register, then calling the KVM_RUN ioctl. Moderate CVE-2012-4461 SUSE bug 653148 SUSE bug 787821 SUSE Linux Enterprise Server 11 SP3 Ruby 1.8.7 before patchlevel 371, 1.9.3 before patchlevel 286, and 2.0 before revision r37068 allows context-dependent attackers to bypass safe-level restrictions and modify untainted strings via the name_err_mesg_to_str API function, which marks the string as tainted, a different vulnerability than CVE-2011-1005. Moderate CVE-2012-4466 SUSE bug 783525 SUSE bug 876588 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in the px_pac_reload function in lib/pac.c in libproxy 0.2.x and 0.3.x allows remote servers to have an unspecified impact via a crafted Content-Length size in an HTTP response header for a proxy.pac file request, a different vulnerability than CVE-2012-4504. Moderate CVE-2012-4505 SUSE bug 784523 SUSE Linux Enterprise Server 11 SP3 cups-pk-helper before 0.2.3 does not properly wrap the (1) cupsGetFile and (2) cupsPutFile function calls, which allows user-assisted remote attackers to read or overwrite sensitive files using CUPS resources. Moderate CVE-2012-4510 SUSE bug 783488 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Important CVE-2012-4512 SUSE bug 787520 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA khtml/imload/scaledimageplane.h in Konqueror in KDE 4.7.3 allows remote attackers to cause a denial of service (crash) and possibly read memory via large canvas dimensions, which leads to an unexpected sign extension and a heap-based buffer over-read. Moderate CVE-2012-4513 SUSE bug 787520 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in khtml/rendering/render_replaced.cpp in Konqueror in KDE 4.7.3, when the context menu is shown, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code by accessing an iframe when it is being updated. Moderate CVE-2012-4515 SUSE bug 787520 SUSE Linux Enterprise Server 11 SP3 The mod_security2 module before 2.7.0 for the Apache HTTP Server allows remote attackers to bypass rules, and deliver arbitrary POST data to a PHP application, via a multipart request in which an invalid part precedes the crafted data. Moderate CVE-2012-4528 SUSE bug 789393 SUSE bug 813190 SUSE Linux Enterprise Server 11 SP3 org/apache/tomcat/util/net/NioEndpoint.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.28, when the NIO connector is used in conjunction with sendfile and HTTPS, allows remote attackers to cause a denial of service (infinite loop) by terminating the connection during the reading of a response. Moderate CVE-2012-4534 SUSE bug 794548 SUSE Linux Enterprise Server 11 SP3 Xen 3.4 through 4.2, and possibly earlier versions, allows local guest OS administrators to cause a denial of service (Xen infinite loop and physical CPU consumption) by setting a VCPU with an "inappropriate deadline." Moderate CVE-2012-4535 SUSE bug 779212 SUSE bug 786516 SUSE bug 786518 SUSE bug 786519 SUSE bug 786520 SUSE bug 787163 SUSE Linux Enterprise Server 11 SP3 The (1) domain_pirq_to_emuirq and (2) physdev_unmap_pirq functions in Xen 2.2 allows local guest OS administrators to cause a denial of service (Xen crash) via a crafted pirq value that triggers an out-of-bounds read. Moderate CVE-2012-4536 SUSE bug 779212 SUSE bug 786516 SUSE bug 786518 SUSE bug 786519 SUSE bug 786520 SUSE bug 787163 SUSE Linux Enterprise Server 11 SP3 Xen 3.4 through 4.2, and possibly earlier versions, does not properly synchronize the p2m and m2p tables when the set_p2m_entry function fails, which allows local HVM guest OS administrators to cause a denial of service (memory consumption and assertion failure), aka "Memory mapping failure DoS vulnerability." Moderate CVE-2012-4537 SUSE bug 779212 SUSE bug 786516 SUSE bug 786517 SUSE bug 786518 SUSE bug 786519 SUSE bug 786520 SUSE bug 787163 SUSE Linux Enterprise Server 11 SP3 The HVMOP_pagetable_dying hypercall in Xen 4.0, 4.1, and 4.2 does not properly check the pagetable state when running on shadow pagetables, which allows a local HVM guest OS to cause a denial of service (hypervisor crash) via unspecified vectors. Moderate CVE-2012-4538 SUSE bug 779212 SUSE bug 786516 SUSE bug 786518 SUSE bug 786519 SUSE bug 786520 SUSE bug 787163 SUSE Linux Enterprise Server 11 SP3 Xen 4.0 through 4.2, when running 32-bit x86 PV guests on 64-bit hypervisors, allows local guest OS administrators to cause a denial of service (infinite loop and hang or crash) via invalid arguments to GNTTABOP_get_status_frames, aka "Grant table hypercall infinite loop DoS vulnerability." Moderate CVE-2012-4539 SUSE bug 779212 SUSE bug 786516 SUSE bug 786518 SUSE bug 786519 SUSE bug 786520 SUSE bug 787163 SUSE Linux Enterprise Server 11 SP3 The PV domain builder in Xen 4.2 and earlier does not validate the size of the kernel or ramdisk (1) before or (2) after decompression, which allows local guest administrators to cause a denial of service (domain 0 memory consumption) via a crafted (a) kernel or (b) ramdisk. Moderate CVE-2012-4544 SUSE bug 779212 SUSE bug 786516 SUSE bug 786518 SUSE bug 786519 SUSE bug 786520 SUSE bug 787163 SUSE bug 840592 SUSE Linux Enterprise Server 11 SP3 The mod_proxy_ajp module in the Apache HTTP Server 2.2.12 through 2.2.21 places a worker node into an error state upon detection of a long request-processing time, which allows remote attackers to cause a denial of service (worker consumption) via an expensive request. Low CVE-2012-4557 SUSE bug 788121 SUSE Linux Enterprise Server 11 SP3 Multiple cross-site scripting (XSS) vulnerabilities in the balancer_handler function in the manager interface in mod_proxy_balancer.c in the mod_proxy_balancer module in the Apache HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow remote attackers to inject arbitrary web script or HTML via a crafted string. Moderate CVE-2012-4558 SUSE bug 806458 SUSE bug 807152 SUSE bug 807511 SUSE Linux Enterprise Server 11 SP3 ppm2tiff does not check the return value of the TIFFScanlineSize function, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PPM image that triggers an integer overflow, a zero-memory allocation, and a heap-based buffer overflow. Moderate CVE-2012-4564 SUSE bug 781995 SUSE bug 787892 SUSE bug 791607 SUSE bug 854393 SUSE Linux Enterprise Server 11 SP3 Multiple vulnerabilities in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier allow remote attackers to execute arbitrary code via a crafted applet that bypasses SecurityManager restrictions by (1) using com.sun.beans.finder.ClassFinder.findClass and leveraging an exception with the forName method to access restricted classes from arbitrary packages such as sun.awt.SunToolkit, then (2) using "reflection with a trusted immediate caller" to leverage the getField method to access and modify private fields, as exploited in the wild in August 2012 using Gondzz.class and Gondvv.class. Important CVE-2012-4681 SUSE bug 777499 SUSE bug 778629 SUSE bug 780897 SUSE bug 785433 SUSE bug 785814 SUSE bug 798324 SUSE Linux Enterprise Server 11 SP3 The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack. Moderate CVE-2012-4929 SUSE bug 1011293 SUSE bug 779952 SUSE bug 793420 SUSE bug 803004 SUSE bug 847895 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allows remote attackers to affect confidentiality via unknown vectors related to Deployment. Moderate CVE-2012-5067 SUSE bug 785433 SUSE bug 785814 SUSE bug 788750 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, and 6 Update 35 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. Moderate CVE-2012-5068 SUSE bug 785433 SUSE bug 785814 SUSE bug 788750 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, and 5.0 Update 36 and earlier allows remote attackers to affect confidentiality and integrity via unknown vectors related to Concurrency. Moderate CVE-2012-5069 SUSE bug 785433 SUSE bug 785814 SUSE bug 788750 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allows remote attackers to affect confidentiality, related to JMX. Moderate CVE-2012-5070 SUSE bug 785433 SUSE bug 785814 SUSE bug 788750 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, and 5.0 Update 36 and earlier allows remote attackers to affect confidentiality and integrity, related to JMX. Moderate CVE-2012-5071 SUSE bug 785433 SUSE bug 785814 SUSE bug 788750 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, and 6 Update 35 and earlier, allows remote attackers to affect confidentiality via unknown vectors related to Security. Moderate CVE-2012-5072 SUSE bug 785433 SUSE bug 785814 SUSE bug 788750 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, 5.0 Update 36 and earlier, and 1.4.2_38 and earlier allows remote attackers to affect integrity via unknown vectors related to Libraries, a different vulnerability than CVE-2012-5079. Moderate CVE-2012-5073 SUSE bug 785433 SUSE bug 785814 SUSE bug 788750 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allows remote attackers to affect confidentiality and integrity, related to JAX-WS. Moderate CVE-2012-5074 SUSE bug 785433 SUSE bug 785814 SUSE bug 788750 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, and 5.0 Update 36 and earlier allows remote attackers to affect confidentiality, related to JMX. Moderate CVE-2012-5075 SUSE bug 785433 SUSE bug 785814 SUSE bug 788750 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allows remote attackers to affect confidentiality, integrity, and availability, related to JAX-WS. Important CVE-2012-5076 SUSE bug 785433 SUSE bug 785814 SUSE bug 788750 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, 5.0 Update 36 and earlier, and 1.4.2_38 and earlier allows remote attackers to affect confidentiality via unknown vectors related to Security. Low CVE-2012-5077 SUSE bug 785433 SUSE bug 785814 SUSE bug 788750 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, 5.0 Update 36 and earlier, and 1.4.2_38 and earlier allows remote attackers to affect integrity via unknown vectors related to Libraries, a different vulnerability than CVE-2012-5073. Moderate CVE-2012-5079 SUSE bug 785433 SUSE bug 785814 SUSE bug 788750 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, 5.0 Update 36 and earlier, and 1.4.2_38 and earlier allows remote attackers to affect availability, related to JSSE. Moderate CVE-2012-5081 SUSE bug 785433 SUSE bug 785814 SUSE bug 788750 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, 5.0 Update 36 and earlier, 1.4.2_38 and earlier, and JavaFX 2.2 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. Important CVE-2012-5083 SUSE bug 785433 SUSE bug 785814 SUSE bug 788750 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, 5.0 Update 36 and earlier, and 1.4.2_38 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Swing. Moderate CVE-2012-5084 SUSE bug 785433 SUSE bug 785814 SUSE bug 788750 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, and 6 Update 35 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Beans. Important CVE-2012-5086 SUSE bug 785433 SUSE bug 785814 SUSE bug 788750 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Beans. Important CVE-2012-5087 SUSE bug 785433 SUSE bug 785814 SUSE bug 788750 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. Important CVE-2012-5088 SUSE bug 785433 SUSE bug 785814 SUSE bug 788750 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, and 5.0 Update 36 and earlier allows remote attackers to affect confidentiality, integrity, and availability, related to JMX, a different vulnerability than CVE-2012-3143. Moderate CVE-2012-5089 SUSE bug 785433 SUSE bug 785814 SUSE bug 788750 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer underflow in the xmlParseAttValueComplex function in parser.c in libxml2 2.9.0 and earlier, as used in Google Chrome before 23.0.1271.91 and other products, allows remote attackers to cause a denial of service or possibly execute arbitrary code via crafted entities in an XML document. Moderate CVE-2012-5134 SUSE bug 1123919 SUSE bug 791234 SUSE bug 793334 SUSE bug 795039 SUSE bug 804033 SUSE Linux Enterprise Server 11 SP3 ISC BIND 9.x before 9.7.6-P4, 9.8.x before 9.8.3-P4, 9.9.x before 9.9.1-P4, and 9.4-ESV and 9.6-ESV before 9.6-ESV-R7-P4 allows remote attackers to cause a denial of service (named daemon hang) via unspecified combinations of resource records. Moderate CVE-2012-5166 SUSE bug 784602 SUSE bug 792926 SUSE Linux Enterprise Server 11 SP3 Xen 4.x, when downgrading the grant table version, does not properly remove the status page from the tracking list when freeing the page, which allows local guest OS administrators to cause a denial of service (hypervisor crash) via unspecified vectors. Moderate CVE-2012-5510 SUSE bug 789945 SUSE Linux Enterprise Server 11 SP3 Stack-based buffer overflow in the dirty video RAM tracking functionality in Xen 3.4 through 4.1 allows local HVM guest OS administrators to cause a denial of service (crash) via a large bitmap image. Moderate CVE-2012-5511 SUSE bug 789944 SUSE Linux Enterprise Server 11 SP3 The XENMEM_exchange handler in Xen 4.2 and earlier does not properly check the memory address, which allows local PV guest OS administrators to cause a denial of service (crash) or possibly gain privileges via unspecified vectors that overwrite memory in the hypervisor reserved range. Important CVE-2012-5513 SUSE bug 789951 SUSE Linux Enterprise Server 11 SP3 The guest_physmap_mark_populate_on_demand function in Xen 4.2 and earlier does not properly unlock the subject GFNs when checking if they are in use, which allows local guest HVM administrators to cause a denial of service (hang) via unspecified vectors. Moderate CVE-2012-5514 SUSE bug 789948 SUSE bug 789988 SUSE Linux Enterprise Server 11 SP3 The (1) XENMEM_decrease_reservation, (2) XENMEM_populate_physmap, and (3) XENMEM_exchange hypercalls in Xen 4.2 and earlier allow local guest administrators to cause a denial of service (long loop and hang) via a crafted extent_order value. Moderate CVE-2012-5515 SUSE bug 789950 SUSE Linux Enterprise Server 11 SP3 The online_pages function in mm/memory_hotplug.c in the Linux kernel before 3.6 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact in opportunistic circumstances by using memory that was hot-added by an administrator. Moderate CVE-2012-5517 SUSE bug 653148 SUSE bug 789235 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA CUPS 1.4.4, when running in certain Linux distributions such as Debian GNU/Linux, stores the web interface administrator key in /var/run/cups/certs/0 using certain permissions, which allows local users in the lpadmin group to read or write arbitrary files as root by leveraging the web interface. Important CVE-2012-5519 SUSE bug 789566 SUSE bug 882905 SUSE bug 924208 SUSE Linux Enterprise Server 11 SP3 The get_page_from_gfn hypercall function in Xen 4.2 allows local PV guest OS administrators to cause a denial of service (crash) via a crafted GFN that triggers a buffer over-read. Moderate CVE-2012-5525 SUSE bug 789952 SUSE Linux Enterprise Server 11 SP3 CGI.pm module before 3.63 for Perl does not properly escape newlines in (1) Set-Cookie or (2) P3P headers, which might allow remote attackers to inject arbitrary headers into responses from applications that use CGI.pm. Low CVE-2012-5526 SUSE bug 789994 SUSE Linux Enterprise Server 11 SP3 The main function in tools/hv/hv_kvp_daemon.c in hypervkvpd, as distributed in the Linux kernel before 3.8-rc1, allows local users to cause a denial of service (daemon exit) via a crafted application that sends a Netlink message. NOTE: this vulnerability exists because of an incorrect fix for CVE-2012-2669. Low CVE-2012-5532 SUSE bug 791605 SUSE Linux Enterprise Server 11 SP3 Apache Tomcat through 7.0.x allows remote attackers to cause a denial of service (daemon outage) via partial HTTP requests, as demonstrated by Slowloris. Moderate CVE-2012-5568 SUSE bug 791426 SUSE bug 791679 SUSE Linux Enterprise Server 11 SP3 Stack-based buffer overflow in tif_dir.c in LibTIFF before 4.0.2 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted DOTRANGE tag in a TIFF image. Moderate CVE-2012-5581 SUSE bug 791607 SUSE bug 854393 SUSE Linux Enterprise Server 11 SP3 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2012-6052. Reason: This candidate is a reservation duplicate of CVE-2012-6052. Notes: All CVE users should reference CVE-2012-6052 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Moderate CVE-2012-5592 SUSE bug 792005 SUSE Linux Enterprise Server 11 SP3 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2012-6053. Reason: This candidate is a reservation duplicate of CVE-2012-6053. Notes: All CVE users should reference CVE-2012-6053 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Moderate CVE-2012-5593 SUSE bug 792005 SUSE Linux Enterprise Server 11 SP3 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2012-6054. Reason: This candidate is a reservation duplicate of CVE-2012-6054. Notes: All CVE users should reference CVE-2012-6054 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Moderate CVE-2012-5594 SUSE bug 792005 SUSE Linux Enterprise Server 11 SP3 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2012-6056. Reason: This candidate is a reservation duplicate of CVE-2012-6056. Notes: All CVE users should reference CVE-2012-6056 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Moderate CVE-2012-5595 SUSE bug 792005 SUSE Linux Enterprise Server 11 SP3 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2012-6057. Reason: This candidate is a reservation duplicate of CVE-2012-6057. Notes: All CVE users should reference CVE-2012-6057 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Moderate CVE-2012-5596 SUSE bug 792005 SUSE Linux Enterprise Server 11 SP3 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2012-6059. Reason: This candidate is a reservation duplicate of CVE-2012-6059. Notes: All CVE users should reference CVE-2012-6059 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Moderate CVE-2012-5597 SUSE bug 792005 SUSE Linux Enterprise Server 11 SP3 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2012-6060. Reason: This candidate is a reservation duplicate of CVE-2012-6060. Notes: All CVE users should reference CVE-2012-6060 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Moderate CVE-2012-5598 SUSE bug 792005 SUSE Linux Enterprise Server 11 SP3 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2012-6061. Reason: This candidate is a reservation duplicate of CVE-2012-6061. Notes: All CVE users should reference CVE-2012-6061 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Moderate CVE-2012-5599 SUSE bug 792005 SUSE Linux Enterprise Server 11 SP3 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2012-6062. Reason: This candidate is a reservation duplicate of CVE-2012-6062. Notes: All CVE users should reference CVE-2012-6062 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Moderate CVE-2012-5600 SUSE bug 792005 SUSE Linux Enterprise Server 11 SP3 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2012-6055. Reason: This candidate is a reservation duplicate of CVE-2012-6055. Notes: All CVE users should reference CVE-2012-6055 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Moderate CVE-2012-5601 SUSE bug 792005 SUSE Linux Enterprise Server 11 SP3 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2012-6058. Reason: This candidate is a reservation duplicate of CVE-2012-6058. Notes: All CVE users should reference CVE-2012-6058 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Moderate CVE-2012-5602 SUSE bug 792005 SUSE Linux Enterprise Server 11 SP3 Stack-based buffer overflow in the acl_get function in Oracle MySQL 5.5.19 and other versions through 5.5.28, and 5.1.53 and other versions through 5.1.66, and MariaDB 5.5.2.x before 5.5.28a, 5.3.x before 5.3.11, 5.2.x before 5.2.13 and 5.1.x before 5.1.66, allows remote authenticated users to execute arbitrary code via a long argument to the GRANT FILE command. Moderate CVE-2012-5611 SUSE bug 792362 SUSE bug 792444 SUSE bug 798753 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Oracle MySQL 5.5.38 and earlier, 5.6.19 and earlier, and MariaDB 5.5.28a, 5.3.11, 5.2.13, 5.1.66, and possibly other versions, generates different error messages with different time delays depending on whether a user name exists, which allows remote attackers to enumerate valid usernames. Moderate CVE-2012-5615 SUSE bug 792440 SUSE bug 901237 SUSE bug 915913 SUSE Linux Enterprise Server 11 SP3 Xen 4.2.x, 4.1.x, and 4.0, when using Intel VT-d for PCI passthrough, does not properly configure VT-d when supporting a device that is behind a legacy PCI Bridge, which allows local guests to cause a denial of service to other guests by injecting an interrupt. Moderate CVE-2012-5634 SUSE bug 794316 SUSE bug 800275 SUSE bug 840592 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple memory leaks in tools/cachemgr.cc in cachemgr.cgi in Squid 2.x and 3.x before 3.1.22, 3.2.x before 3.2.4, and 3.3.x before 3.3.0.2 allow remote attackers to cause a denial of service (memory consumption) via (1) invalid Content-Length headers, (2) long POST requests, or (3) crafted authentication credentials. Moderate CVE-2012-5643 SUSE bug 794954 SUSE bug 796999 SUSE Linux Enterprise Server 11 SP3 x3270 before 3.3.12ga12 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. Moderate CVE-2012-5662 SUSE bug 807424 SUSE Linux Enterprise Server 11 SP3 FreeType before 2.4.11 allows context-dependent attackers to cause a denial of service (NULL pointer dereference and crash) via vectors related to BDF fonts and the improper handling of an "allocation error" in the bdf_free_font function. Moderate CVE-2012-5668 SUSE bug 795826 SUSE Linux Enterprise Server 11 SP3 The _bdf_parse_glyphs function in FreeType before 2.4.11 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to BDF fonts and an incorrect calculation that triggers an out-of-bounds read. Moderate CVE-2012-5669 SUSE bug 795826 SUSE Linux Enterprise Server 11 SP3 The _bdf_parse_glyphs function in FreeType before 2.4.11 allows context-dependent attackers to cause a denial of service (out-of-bounds write and crash) via vectors related to BDF fonts and an ENCODING field with a negative value. Moderate CVE-2012-5670 SUSE bug 795826 SUSE Linux Enterprise Server 11 SP3 Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. Moderate CVE-2012-5783 SUSE bug 1132354 SUSE bug 803332 SUSE bug 803333 SUSE Linux Enterprise Server 11 SP3-TERADATA Apache Axis 1.4 and earlier, as used in PayPal Payments Pro, PayPal Mass Pay, PayPal Transactional Information SOAP, the Java Message Service implementation in Apache ActiveMQ, and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. Moderate CVE-2012-5784 SUSE bug 1134598 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in the nsWindow::OnExposeEvent function in Mozilla Firefox before 17.0, Firefox ESR 10.x before 10.0.11, Thunderbird before 17.0, Thunderbird ESR 10.x before 10.0.11, and SeaMonkey before 2.14 allows remote attackers to execute arbitrary code via unspecified vectors. Moderate CVE-2012-5829 SUSE bug 790140 SUSE bug 796895 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in Mozilla Firefox before 17.0, Firefox ESR 10.x before 10.0.11, Thunderbird before 17.0, Thunderbird ESR 10.x before 10.0.11, and SeaMonkey before 2.14 on Mac OS X allows remote attackers to execute arbitrary code via an HTML document. Moderate CVE-2012-5830 SUSE bug 790140 SUSE Linux Enterprise Server 11 SP3 The texImage2D implementation in the WebGL subsystem in Mozilla Firefox before 17.0, Firefox ESR 10.x before 10.0.11, Thunderbird before 17.0, Thunderbird ESR 10.x before 10.0.11, and SeaMonkey before 2.14 does not properly interact with Mesa drivers, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via function calls involving certain values of the level parameter. Critical CVE-2012-5833 SUSE bug 790140 SUSE Linux Enterprise Server 11 SP3 Integer overflow in the WebGL subsystem in Mozilla Firefox before 17.0, Firefox ESR 10.x before 10.0.11, Thunderbird before 17.0, Thunderbird ESR 10.x before 10.0.11, and SeaMonkey before 2.14 allows remote attackers to execute arbitrary code or cause a denial of service (invalid write operation) via crafted data. Critical CVE-2012-5835 SUSE bug 790140 SUSE Linux Enterprise Server 11 SP3 The copyTexImage2D implementation in the WebGL subsystem in Mozilla Firefox before 17.0, Thunderbird before 17.0, and SeaMonkey before 2.14 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via large image dimensions. Important CVE-2012-5838 SUSE bug 790140 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in the gfxShapedWord::CompressedGlyph::IsClusterStart function in Mozilla Firefox before 17.0, Firefox ESR 10.x before 10.0.11, Thunderbird before 17.0, Thunderbird ESR 10.x before 10.0.11, and SeaMonkey before 2.14 allows remote attackers to execute arbitrary code via unspecified vectors. Critical CVE-2012-5839 SUSE bug 790140 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the nsTextEditorState::PrepareEditor function in Mozilla Firefox before 17.0, Firefox ESR 10.x before 10.0.11, Thunderbird before 17.0, Thunderbird ESR 10.x before 10.0.11, and SeaMonkey before 2.14 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors, a different vulnerability than CVE-2012-4214. Critical CVE-2012-5840 SUSE bug 790140 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 17.0, Firefox ESR 10.x before 10.0.11, Thunderbird before 17.0, Thunderbird ESR 10.x before 10.0.11, and SeaMonkey before 2.14 implement cross-origin wrappers with a filtering behavior that does not properly restrict write actions, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted web site. Moderate CVE-2012-5841 SUSE bug 790140 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 17.0, Firefox ESR 10.x before 10.0.11, Thunderbird before 17.0, Thunderbird ESR 10.x before 10.0.11, and SeaMonkey before 2.14 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Important CVE-2012-5842 SUSE bug 790140 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 17.0, Thunderbird before 17.0, and SeaMonkey before 2.14 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Important CVE-2012-5843 SUSE bug 790140 SUSE Linux Enterprise Server 11 SP3 The replay-countermeasure functionality in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 tracks cnonce (aka client nonce) values instead of nonce (aka server nonce) and nc (aka nonce-count) values, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests, a different vulnerability than CVE-2011-1184. Moderate CVE-2012-5885 SUSE bug 791423 SUSE Linux Enterprise Server 11 SP3 The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 caches information about the authenticated user within the session state, which makes it easier for remote attackers to bypass authentication via vectors related to the session ID. Moderate CVE-2012-5886 SUSE bug 791424 SUSE Linux Enterprise Server 11 SP3 The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 does not properly check for stale nonce values in conjunction with enforcement of proper credentials, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests. Moderate CVE-2012-5887 SUSE bug 791426 SUSE bug 822177 SUSE Linux Enterprise Server 11 SP3 Buffer overflow in the e1000_receive function in the e1000 device driver (hw/e1000.c) in QEMU 1.3.0-rc2 and other versions, when the SBP and LPE flags are disabled, allows remote attackers to cause a denial of service (guest OS crash) and possibly execute arbitrary guest code via a large packet. Moderate CVE-2012-6075 SUSE bug 797523 SUSE bug 800275 SUSE bug 840592 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The read_block function in g10/import.c in GnuPG 1.4.x before 1.4.13 and 2.0.x through 2.0.19, when importing a key, allows remote attackers to corrupt the public keyring database or cause a denial of service (application crash) via a crafted length field of an OpenPGP packet. Moderate CVE-2012-6085 SUSE bug 798465 SUSE bug 880249 SUSE Linux Enterprise Server 11 SP3 The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an "incompatible structure layout" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate. Moderate CVE-2012-6093 SUSE bug 797006 SUSE bug 802634 SUSE Linux Enterprise Server 11 SP3 Multiple stack-based buffer overflows in the get_history function in history.cgi in Nagios Core before 3.4.4, and Icinga 1.6.x before 1.6.2, 1.7.x before 1.7.4, and 1.8.x before 1.8.4, might allow remote attackers to execute arbitrary code via a long (1) host_name variable (host parameter) or (2) svc_description variable. Moderate CVE-2012-6096 SUSE bug 797237 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA libxslt before 1.1.28 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via an (1) empty match attribute in a XSL key to the xsltAddKey function in keys.c or (2) uninitialized variable to the xsltDocumentFunction function in functions.c. Moderate CVE-2012-6139 SUSE bug 811686 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The winbind_name_list_to_sid_string_list function in nsswitch/pam_winbind.c in Samba through 4.1.2 handles invalid require_membership_of group names by accepting authentication by any user, which allows remote authenticated users to bypass intended access restrictions in opportunistic circumstances by leveraging an administrator's pam_winbind configuration-file mistake. Low CVE-2012-6150 SUSE bug 844720 SUSE bug 853347 SUSE Linux Enterprise Server 11 SP3 The _compile function in Maketext.pm in the Locale::Maketext implementation in Perl before 5.17.7 does not properly handle backslashes and fully qualified method names during compilation of bracket notation, which allows context-dependent attackers to execute arbitrary commands via crafted input to an application that accepts translation strings from users, as demonstrated by the TWiki application before 5.1.3, and the Foswiki application 1.0.x through 1.0.10 and 1.1.x through 1.1.6. Moderate CVE-2012-6329 SUSE bug 797060 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA iconvdata/ibm930.c in GNU C Library (aka glibc) before 2.16 allows context-dependent attackers to cause a denial of service (out-of-bounds read) via a multibyte character value of "0xffff" to the iconv function when converting IBM930 encoded data to UTF-8. Moderate CVE-2012-6656 SUSE bug 894556 SUSE bug 903057 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The decode_search function in dhcp.c in dhcpcd 3.x allows remote DHCP servers to cause a denial of service (out-of-bounds write) via a crafted response. Important CVE-2012-6698 SUSE bug 955762 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The decode_search function in dhcp.c in dhcpcd 3.x allows remote DHCP servers to cause a denial of service (out-of-bounds read) via a crafted response. Important CVE-2012-6699 SUSE bug 955762 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The decode_search function in dhcp.c in dhcpcd 3.x does not properly free allocated memory, which allows remote DHCP servers to cause a denial of service via a crafted response. Important CVE-2012-6700 SUSE bug 955762 SUSE Linux Enterprise Server 11 SP3-TERADATA Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function. Moderate CVE-2012-6702 SUSE bug 983215 SUSE bug 983216 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The sock_setsockopt function in net/core/sock.c in the Linux kernel before 3.5 mishandles negative values of sk_sndbuf and sk_rcvbuf, which allows local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability for a crafted setsockopt system call with the (1) SO_SNDBUF or (2) SO_RCVBUF option. Moderate CVE-2012-6704 SUSE bug 1013531 SUSE bug 1013542 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A VMSF_DELTA memory corruption was discovered in unrar before 5.5.5, as used in Sophos Anti-Virus Threat Detection Engine before 3.37.2 and other products, that can lead to arbitrary code execution. An integer overflow can be caused in DataSize+CurChannel. The result is a negative value of the "DestPos" variable, which allows the attacker to write out of bounds when setting Mem[DestPos]. Important CVE-2012-6706 SUSE bug 1045315 SUSE bug 1045490 SUSE bug 1051712 SUSE bug 1053919 SUSE bug 1083915 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The OSPF implementation in Cisco IOS 12.0 through 12.4 and 15.0 through 15.3, IOS-XE 2.x through 3.9.xS, ASA and PIX 7.x through 9.1, FWSM, NX-OS, and StarOS before 14.0.50488 does not properly validate Link State Advertisement (LSA) type 1 packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a (1) unicast or (2) multicast packet, aka Bug IDs CSCug34485, CSCug34469, CSCug39762, CSCug63304, and CSCug39795. Moderate CVE-2013-0149 SUSE bug 822572 SUSE Linux Enterprise Server 11 SP3 The do_hvm_op function in xen/arch/x86/hvm/hvm.c in Xen 4.2.x on the x86_32 platform does not prevent HVM_PARAM_NESTEDHVM (aka nested virtualization) operations, which allows guest OS users to cause a denial of service (long-duration page mappings and host OS crash) by leveraging administrative access to an HVM guest in a domain with a large number of VCPUs. Moderate CVE-2013-0151 SUSE bug 797285 SUSE Linux Enterprise Server 11 SP3 Memory leak in Xen 4.2 and unstable allows local HVM guests to cause a denial of service (host memory consumption) by performing nested virtualization in a way that triggers errors that are not properly handled. Moderate CVE-2013-0152 SUSE bug 797287 SUSE bug 800798 SUSE Linux Enterprise Server 11 SP3 The AMD IOMMU support in Xen 4.2.x, 4.1.x, 3.3, and other versions, when using AMD-Vi for PCI passthrough, uses the same interrupt remapping table for the host and all guests, which allows guests to cause a denial of service by injecting an interrupt into other guests. Moderate CVE-2013-0153 SUSE bug 800275 SUSE bug 800802 SUSE bug 840592 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The Linux kernel through 3.7.9 allows local users to obtain sensitive information about keystroke timing by using the inotify API on the /dev/ptmx device. Low CVE-2013-0160 SUSE bug 797175 SUSE bug 841063 SUSE bug 871595 SUSE Linux Enterprise Server 11 SP3 OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d does not properly perform signature verification for OCSP responses, which allows remote OCSP servers to cause a denial of service (NULL pointer dereference and application crash) via an invalid key. Moderate CVE-2013-0166 SUSE bug 802648 SUSE bug 802746 SUSE bug 813366 SUSE bug 821818 SUSE bug 833408 SUSE bug 905106 SUSE bug 911906 SUSE Linux Enterprise Server 11 SP3 The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue. Critical CVE-2013-0169 SUSE bug 1070148 SUSE bug 1103036 SUSE bug 1103597 SUSE bug 802184 SUSE bug 802648 SUSE bug 802746 SUSE bug 803379 SUSE bug 804654 SUSE bug 809839 SUSE bug 813366 SUSE bug 813939 SUSE bug 821818 SUSE bug 905106 SUSE bug 977584 SUSE bug 977616 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2013-0189, CVE-2013-0191. Reason: this identifier was intended for one issue, but it was inadvertently associated with multiple issues. Notes: All CVE users should consult CVE-2013-0189 and CVE-2013-0191 to determine which ID is appropriate. All references and descriptions in this candidate have been removed to prevent accidental usage. Moderate CVE-2013-0188 SUSE bug 794954 SUSE bug 796999 SUSE Linux Enterprise Server 11 SP3 cachemgr.cgi in Squid 3.1.x and 3.2.x, possibly 3.1.22, 3.2.4, and other versions, allows remote attackers to cause a denial of service (resource consumption) via a crafted request. NOTE: this issue is due to an incorrect fix for CVE-2012-5643, possibly involving an incorrect order of arguments or incorrect comparison. Moderate CVE-2013-0189 SUSE bug 794954 SUSE bug 796999 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA HP Linux Imaging and Printing (HPLIP) through 3.12.4 allows local users to overwrite arbitrary files via a symlink attack on the (1) /tmp/hpcupsfilterc_#.bmp, (2) /tmp/hpcupsfilterk_#.bmp, (3) /tmp/hpcups_job#.out, (4) /tmp/hpijs_#####.out, or (5) /tmp/hpps_job#.out temporary file, a different vulnerability than CVE-2011-2722. Low CVE-2013-0200 SUSE bug 808355 SUSE bug 836937 SUSE bug 852368 SUSE Linux Enterprise Server 11 SP3 The Samba Web Administration Tool (SWAT) in Samba 3.x before 3.5.21, 3.6.x before 3.6.12, and 4.x before 4.0.2 allows remote attackers to conduct clickjacking attacks via a (1) FRAME or (2) IFRAME element. Moderate CVE-2013-0213 SUSE bug 799641 SUSE bug 800982 SUSE bug 880220 SUSE Linux Enterprise Server 11 SP3 Cross-site request forgery (CSRF) vulnerability in the Samba Web Administration Tool (SWAT) in Samba 3.x before 3.5.21, 3.6.x before 3.6.12, and 4.x before 4.0.2 allows remote attackers to hijack the authentication of arbitrary users by leveraging knowledge of a password and composing requests that perform SWAT actions. Moderate CVE-2013-0214 SUSE bug 799641 SUSE bug 880220 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The Xen netback functionality in the Linux kernel before 3.7.8 allows guest OS users to cause a denial of service (loop) by triggering ring pointer corruption. Moderate CVE-2013-0216 SUSE bug 800280 SUSE bug 800801 SUSE bug 801178 SUSE bug 841063 SUSE bug 871595 SUSE Linux Enterprise Server 11 SP3 System Security Services Daemon (SSSD) before 1.9.4, when (1) creating, (2) copying, or (3) removing a user home directory tree, allows local users to create, modify, or delete arbitrary files via a symlink attack on another user's files. Moderate CVE-2013-0219 SUSE bug 801036 SUSE Linux Enterprise Server 11 SP3 The (1) sss_autofs_cmd_getautomntent and (2) sss_autofs_cmd_getautomntbyname function in responder/autofs/autofssrv_cmd.c and the (3) ssh_cmd_parse_request function in responder/ssh/sshsrv_cmd.c in System Security Services Daemon (SSSD) before 1.9.4 allow remote attackers to cause a denial of service (out-of-bounds read, crash, and restart) via a crafted SSSD packet. CVE-2013-0220 SUSE bug 801036 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The SUSE coreutils-i18n.patch for GNU coreutils allows context-dependent attackers to cause a denial of service (segmentation fault and crash) via a long string to the sort command, when using the (1) -d or (2) -M switch, which triggers a stack-based buffer overflow in the alloca function. Moderate CVE-2013-0221 SUSE bug 798538 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The SUSE coreutils-i18n.patch for GNU coreutils allows context-dependent attackers to cause a denial of service (segmentation fault and crash) via a long string to the uniq command, which triggers a stack-based buffer overflow in the alloca function. Moderate CVE-2013-0222 SUSE bug 796243 SUSE bug 798538 SUSE bug 798541 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The SUSE coreutils-i18n.patch for GNU coreutils allows context-dependent attackers to cause a denial of service (segmentation fault and crash) via a long string to the join command, when using the -i switch, which triggers a stack-based buffer overflow in the alloca function. Moderate CVE-2013-0223 SUSE bug 798538 SUSE bug 798541 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The pciback_enable_msi function in the PCI backend driver (drivers/xen/pciback/conf_space_capability_msi.c) in Xen for the Linux kernel 2.6.18 and 3.8 allows guest OS users with PCI device access to cause a denial of service via a large number of kernel log messages. NOTE: some of these details are obtained from third party information. Moderate CVE-2013-0231 SUSE bug 801178 SUSE bug 841063 SUSE bug 871595 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in the extend_buffers function in the regular expression matcher (posix/regexec.c) in glibc, possibly 2.17 and earlier, allows context-dependent attackers to cause a denial of service (memory corruption and crash) via crafted multibyte characters. Moderate CVE-2013-0242 SUSE bug 801246 SUSE bug 848783 SUSE bug 882910 SUSE Linux Enterprise Server 11 SP3 The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server. Moderate CVE-2013-0254 SUSE bug 802634 SUSE Linux Enterprise Server 11 SP3 PostgreSQL 9.2.x before 9.2.3, 9.1.x before 9.1.8, 9.0.x before 9.0.12, 8.4.x before 8.4.16, and 8.3.x before 8.3.23 does not properly declare the enum_recv function in backend/utils/adt/enum.c, which causes it to be invoked with incorrect arguments and allows remote authenticated users to cause a denial of service (server crash) or read sensitive process memory via a crafted SQL command, which triggers an array index error and an out-of-bounds read. Moderate CVE-2013-0255 SUSE bug 802679 SUSE bug 803057 SUSE Linux Enterprise Server 11 SP3 The Simple Access Provider in System Security Services Daemon (SSSD) 1.9.0 through 1.9.4, when the Active Directory provider is used, does not properly enforce the simple_deny_groups option, which allows remote authenticated users to bypass intended access restrictions. Moderate CVE-2013-0287 SUSE bug 809153 SUSE Linux Enterprise Server 11 SP3 libxml2 2.9.0 and earlier allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via an XML file containing an entity declaration with long replacement text and many references to this entity, aka "internal entity expansion" with linear complexity. Moderate CVE-2013-0338 SUSE bug 1123919 SUSE bug 805233 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 and 6 through Update 38 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than other CVEs listed in the February 2013 CPU. Important CVE-2013-0351 SUSE bug 798535 SUSE bug 806786 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier; and OpenJDK 6 and 7; allows remote attackers to execute arbitrary code via vectors related to AWT, as demonstrated by Ben Murphy during a Pwn2Own competition at CanSecWest 2013. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to invocation of the system class loader by the sun.awt.datatransfer.ClassLoaderObjectInputStream class, which allows remote attackers to bypass Java sandbox restrictions. Important CVE-2013-0401 SUSE bug 816720 SUSE bug 817157 SUSE bug 819288 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, and 5.0 through Update 38 allows remote attackers to affect confidentiality via vectors related to JMX. Important CVE-2013-0409 SUSE bug 798535 SUSE bug 806786 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 and 6 through Update 38 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than other CVEs listed in the February 2013 CPU. Important CVE-2013-0419 SUSE bug 798535 SUSE bug 806786 SUSE Linux Enterprise Server 11 SP3 Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using the public getMBeanInstantiator method in the JmxMBeanServer class to obtain a reference to a private MBeanInstantiator object, then retrieving arbitrary Class references using the findClass method, and (2) using the Reflection API with recursion in a way that bypasses a security check by the java.lang.invoke.MethodHandles.Lookup.checkSecurityManager method due to the inability of the sun.reflect.Reflection.getCallerClass method to skip frames related to the new reflection API, as exploited in the wild in January 2013, as demonstrated by Blackhole and Nuclear Pack, and a different vulnerability than CVE-2012-4681 and CVE-2012-3174. NOTE: some parties have mapped the recursive Reflection API issue to CVE-2012-3174, but CVE-2012-3174 is for a different vulnerability whose details are not public as of 20130114. CVE-2013-0422 covers both the JMX/MBean and Reflection API issues. NOTE: it was originally reported that Java 6 was also vulnerable, but the reporter has retracted this claim, stating that Java 6 is not exploitable because the relevant code is called in a way that does not bypass security checks. NOTE: as of 20130114, a reliable third party has claimed that the findClass/MBeanInstantiator vector was not fixed in Oracle Java 7 Update 11. If there is still a vulnerable condition, then a separate CVE identifier might be created for the unfixed issue. Moderate CVE-2013-0422 SUSE bug 798324 SUSE bug 798521 SUSE bug 798535 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 and 6 through Update 38 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than other CVEs listed in the February 2013 CPU. Important CVE-2013-0423 SUSE bug 798535 SUSE bug 806786 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 7, allows remote attackers to affect integrity via vectors related to RMI. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to cross-site scripting (XSS) in the sun.rmi.transport.proxy CGIHandler class that does not properly handle error messages in a (1) command or (2) port number. Moderate CVE-2013-0424 SUSE bug 798535 SUSE bug 801972 SUSE bug 803379 SUSE bug 806786 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2013-0428 and CVE-2013-0426. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to incorrect "access control checks" in the logging API that allow remote attackers to bypass Java sandbox restrictions. Important CVE-2013-0425 SUSE bug 798535 SUSE bug 801972 SUSE bug 803379 SUSE bug 806786 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2013-0425 and CVE-2013-0428. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to incorrect "access control checks" in the logging API that allow remote attackers to bypass Java sandbox restrictions. Important CVE-2013-0426 SUSE bug 798535 SUSE bug 801972 SUSE bug 803379 SUSE bug 806786 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, and 5.0 through Update 38, and OpenJDK 6 and 7, allows remote attackers to affect integrity via unknown vectors related to Libraries. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to interrupt certain threads that should not be interrupted. Important CVE-2013-0427 SUSE bug 798535 SUSE bug 801972 SUSE bug 803379 SUSE bug 806786 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2013-0425 and CVE-2013-0426. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "incorrect checks for proxy classes" in the Reflection API. Important CVE-2013-0428 SUSE bug 798535 SUSE bug 801972 SUSE bug 803379 SUSE bug 806786 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, and OpenJDK 7, allows user-assisted remote attackers to bypass the Java security sandbox via unspecified vectors related to JMX, aka "Issue 52," a different vulnerability than CVE-2013-1490. Important CVE-2013-0431 SUSE bug 798535 SUSE bug 803379 SUSE bug 806786 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality and integrity via vectors related to AWT. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "insufficient clipboard access premission checks." Important CVE-2013-0432 SUSE bug 798535 SUSE bug 801972 SUSE bug 803379 SUSE bug 806786 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, and 5.0 through Update 38, and OpenJDK 6 and 7, allows remote attackers to affect integrity via unknown vectors related to Networking. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to avoid triggering an exception during the deserialization of invalid InetSocketAddress data. Important CVE-2013-0433 SUSE bug 798535 SUSE bug 801972 SUSE bug 803379 SUSE bug 806786 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality via vectors related to JAXP. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to the public declaration of the loadPropertyFile method in the JAXP FuncSystemProperty class, which allows remote attackers to obtain sensitive information. Important CVE-2013-0434 SUSE bug 798535 SUSE bug 801972 SUSE bug 803379 SUSE bug 806786 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 and 6 through Update 38, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality via vectors related to JAX-WS. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to improper restriction of com.sun.xml.internal packages and "Better handling of UI elements." Important CVE-2013-0435 SUSE bug 798535 SUSE bug 801972 SUSE bug 803379 SUSE bug 806786 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 and JavaFX 2.2.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. Important CVE-2013-0437 SUSE bug 798535 SUSE bug 806786 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 and 6 through Update 38 allows remote attackers to affect confidentiality via unknown vectors related to Deployment. Important CVE-2013-0438 SUSE bug 798535 SUSE bug 806786 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 7, allows remote attackers to affect availability via vectors related to JSSE. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to CPU consumption in the SSL/TLS implementation via a large number of ClientHello packets that are not properly handled by (1) ClientHandshaker.java and (2) ServerHandshaker.java. Important CVE-2013-0440 SUSE bug 798535 SUSE bug 801972 SUSE bug 803379 SUSE bug 806786 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to CORBA, a different vulnerability than CVE-2013-1476 and CVE-2013-1475. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass Java sandbox restrictions via certain methods that should not be serialized, aka "missing serialization restriction." Important CVE-2013-0441 SUSE bug 798535 SUSE bug 801972 SUSE bug 803379 SUSE bug 806786 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to an improper check of "privileges of the code" that bypasses the sandbox. Important CVE-2013-0442 SUSE bug 798535 SUSE bug 801972 SUSE bug 803379 SUSE bug 806786 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality and integrity via vectors related to JSSE. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to incorrect validation of Diffie-Hellman keys, which allows remote attackers to conduct a "small subgroup attack" to force the use of weak session keys or obtain sensitive information about the private key. Important CVE-2013-0443 SUSE bug 798535 SUSE bug 801972 SUSE bug 803379 SUSE bug 806786 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Beans. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "insufficient checks for cached results" by the Java Beans MethodFinder, which might allow attackers to access methods that should only be accessible to privileged code. Important CVE-2013-0444 SUSE bug 798535 SUSE bug 803379 SUSE bug 806786 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, and 5.0 through Update 38, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to an improper check of "privileges of the code" that bypasses the sandbox. Important CVE-2013-0445 SUSE bug 798535 SUSE bug 806786 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 and 6 through Update 38 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than other CVEs listed in the February 2013 CPU. Important CVE-2013-0446 SUSE bug 798535 SUSE bug 806786 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 allows remote attackers to affect confidentiality via unknown vectors related to Deployment. Important CVE-2013-0449 SUSE bug 798535 SUSE bug 806786 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, and 5.0 through Update 38, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JMX. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to improper checks of "access control context" in the JMX RequiredModelMBean class. Important CVE-2013-0450 SUSE bug 798535 SUSE bug 801972 SUSE bug 803379 SUSE bug 806786 SUSE Linux Enterprise Server 11 SP3 The SMB2 implementation in Samba 3.6.x before 3.6.6, as used on the IBM Storwize V7000 Unified 1.3 before 1.3.2.3 and 1.4 before 1.4.0.1 and possibly other products, does not properly enforce CIFS share attributes, which allows remote authenticated users to (1) write to a read-only share; (2) trigger data-integrity problems related to the oplock, locking, coherency, or leases attribute; or (3) have an unspecified impact by leveraging incorrect handling of the browseable or "hide unreadable" parameter. Low CVE-2013-0454 SUSE bug 811975 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in IBM Java SDK 7 before SR4-FP1, 6 before SR13-FP1, 5.0 before SR16-FP1, and 1.4.2 before SR13-FP16 has unknown impact and attack vectors related to Class Libraries. Critical CVE-2013-0485 SUSE bug 813939 SUSE Linux Enterprise Server 11 SP3 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA at the suggestion of the CVE project team. The candidate had been associated with a correct report of a security problem, but not a problem that is categorized as a vulnerability within CVE. Compromised or unauthorized SSL certificates are not within CVE's scope. Notes: none. Moderate CVE-2013-0743 SUSE bug 796895 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the TableBackgroundPainter::TableBackgroundData::Destroy function in Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 10.x before 10.0.12 and 17.x before 17.0.2, and SeaMonkey before 2.15 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via an HTML document with a table containing many columns and column groups. Important CVE-2013-0744 SUSE bug 796895 SUSE Linux Enterprise Server 11 SP3 The AutoWrapperChanger class in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 17.x before 17.0.2, and SeaMonkey before 2.15 does not properly interact with garbage collection, which allows remote attackers to execute arbitrary code via a crafted HTML document referencing JavaScript objects. Important CVE-2013-0745 SUSE bug 796895 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 10.x before 10.0.12 and 17.x before 17.0.2, and SeaMonkey before 2.15 do not properly implement quickstubs that use the jsval data type for their return values, which allows remote attackers to execute arbitrary code or cause a denial of service (compartment mismatch and application crash) via crafted JavaScript code that is not properly handled during garbage collection. Important CVE-2013-0746 SUSE bug 796895 SUSE Linux Enterprise Server 11 SP3 The gPluginHandler.handleEvent function in the plugin handler in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 17.x before 17.0.2, and SeaMonkey before 2.15 does not properly enforce the Same Origin Policy, which allows remote attackers to conduct clickjacking attacks via crafted JavaScript code that listens for a mutation event. Moderate CVE-2013-0747 SUSE bug 796895 SUSE Linux Enterprise Server 11 SP3 The XBL.__proto__.toString implementation in Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 10.x before 10.0.12 and 17.x before 17.0.2, and SeaMonkey before 2.15 makes it easier for remote attackers to bypass the ASLR protection mechanism by calling the toString function of an XBL object. Moderate CVE-2013-0748 SUSE bug 796895 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.1, Thunderbird before 17.0.2, Thunderbird ESR 17.x before 17.0.1, and SeaMonkey before 2.15 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Important CVE-2013-0749 SUSE bug 796895 SUSE Linux Enterprise Server 11 SP3 Integer overflow in the JavaScript implementation in Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 10.x before 10.0.12 and 17.x before 17.0.2, and SeaMonkey before 2.15 allows remote attackers to execute arbitrary code via a crafted string concatenation, leading to improper memory allocation and a heap-based buffer overflow. Important CVE-2013-0750 SUSE bug 796895 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 17.x before 17.0.2, and SeaMonkey before 2.15 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XBL file with multiple bindings that have SVG content. Important CVE-2013-0752 SUSE bug 796895 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the serializeToStream implementation in the XMLSerializer component in Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 10.x before 10.0.12 and 17.x before 17.0.2, and SeaMonkey before 2.15 allows remote attackers to execute arbitrary code via crafted web content. Important CVE-2013-0753 SUSE bug 796895 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the ListenerManager implementation in Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 10.x before 10.0.12 and 17.x before 17.0.2, and SeaMonkey before 2.15 allows remote attackers to execute arbitrary code via vectors involving the triggering of garbage collection after memory allocation for listener objects. Important CVE-2013-0754 SUSE bug 796895 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the mozVibrate implementation in the Vibrate library in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 17.x before 17.0.2, and SeaMonkey before 2.15 allows remote attackers to execute arbitrary code via vectors related to the domDoc pointer. Important CVE-2013-0755 SUSE bug 796895 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the obj_toSource function in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 17.x before 17.0.2, and SeaMonkey before 2.15 allows remote attackers to execute arbitrary code via a crafted web page referencing JavaScript Proxy objects that are not properly handled during garbage collection. Important CVE-2013-0756 SUSE bug 796895 SUSE Linux Enterprise Server 11 SP3 The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 17.x before 17.0.2, and SeaMonkey before 2.15 does not prevent modifications to the prototype of an object, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges by referencing Object.prototype.__proto__ in a crafted HTML document. Important CVE-2013-0757 SUSE bug 796895 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 10.x before 10.0.12 and 17.x before 17.0.2, and SeaMonkey before 2.15 allow remote attackers to execute arbitrary JavaScript code with chrome privileges by leveraging improper interaction between plugin objects and SVG elements. Important CVE-2013-0758 SUSE bug 796895 SUSE Linux Enterprise Server 11 SP3 Buffer overflow in the CharDistributionAnalysis::HandleOneChar function in Mozilla Firefox before 18.0, Thunderbird before 17.0.2, and SeaMonkey before 2.15 allows remote attackers to execute arbitrary code via a crafted document. Important CVE-2013-0760 SUSE bug 796895 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the mozilla::TrackUnionStream::EndTrack implementation in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.1, Thunderbird before 17.0.2, Thunderbird ESR 17.x before 17.0.1, and SeaMonkey before 2.15 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. Critical CVE-2013-0761 SUSE bug 796895 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the imgRequest::OnStopFrame function in Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.1, Thunderbird before 17.0.2, Thunderbird ESR 10.x before 10.0.12 and 17.x before 17.0.1, and SeaMonkey before 2.15 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. Important CVE-2013-0762 SUSE bug 796895 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.1, Thunderbird before 17.0.2, Thunderbird ESR 17.x before 17.0.1, and SeaMonkey before 2.15 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via vectors related to Mesa drivers and a resized WebGL canvas. Critical CVE-2013-0763 SUSE bug 796895 SUSE Linux Enterprise Server 11 SP3 The nsSOCKSSocketInfo::ConnectToProxy function in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 17.x before 17.0.2, and SeaMonkey before 2.15 does not ensure thread safety for SSL sessions, which allows remote attackers to execute arbitrary code via crafted data, as demonstrated by e-mail message data. Moderate CVE-2013-0764 SUSE bug 796895 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the ~nsHTMLEditRules implementation in Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.1, Thunderbird before 17.0.2, Thunderbird ESR 10.x before 10.0.12 and 17.x before 17.0.1, and SeaMonkey before 2.15 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. Critical CVE-2013-0766 SUSE bug 796895 SUSE Linux Enterprise Server 11 SP3 The nsSVGPathElement::GetPathLengthScale function in Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.1, Thunderbird before 17.0.2, Thunderbird ESR 10.x before 10.0.12 and 17.x before 17.0.1, and SeaMonkey before 2.15 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read) via unspecified vectors. Critical CVE-2013-0767 SUSE bug 796895 SUSE Linux Enterprise Server 11 SP3 Stack-based buffer overflow in the Canvas implementation in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 17.x before 17.0.2, and SeaMonkey before 2.15 allows remote attackers to execute arbitrary code via an HTML document that specifies invalid width and height values. Important CVE-2013-0768 SUSE bug 796895 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.1, Thunderbird before 17.0.2, Thunderbird ESR 10.x before 10.0.12 and 17.x before 17.0.1, and SeaMonkey before 2.15 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Important CVE-2013-0769 SUSE bug 796895 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 18.0, Thunderbird before 17.0.2, and SeaMonkey before 2.15 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Critical CVE-2013-0770 SUSE bug 796895 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in the gfxTextRun::ShrinkToLigatureBoundaries function in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.1, Thunderbird before 17.0.2, Thunderbird ESR 17.x before 17.0.1, and SeaMonkey before 2.15 allows remote attackers to execute arbitrary code via a crafted document. Critical CVE-2013-0771 SUSE bug 796895 SUSE Linux Enterprise Server 11 SP3 The Chrome Object Wrapper (COW) and System Only Wrapper (SOW) implementations in Mozilla Firefox before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbird before 17.0.3, Thunderbird ESR 17.x before 17.0.3, and SeaMonkey before 2.16 do not prevent modifications to a prototype, which allows remote attackers to obtain sensitive information from chrome objects or possibly execute arbitrary JavaScript code with chrome privileges via a crafted web site. Moderate CVE-2013-0773 SUSE bug 804248 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbird before 17.0.3, Thunderbird ESR 17.x before 17.0.3, and SeaMonkey before 2.16 do not prevent JavaScript workers from reading the browser-profile directory name, which has unspecified impact and remote attack vectors. Important CVE-2013-0774 SUSE bug 804248 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the nsImageLoadingContent::OnStopContainer function in Mozilla Firefox before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbird before 17.0.3, Thunderbird ESR 17.x before 17.0.3, and SeaMonkey before 2.16 allows remote attackers to execute arbitrary code via crafted web script. Important CVE-2013-0775 SUSE bug 804248 SUSE Linux Enterprise Server 11 SP3 Mozilla Firefox before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbird before 17.0.3, Thunderbird ESR 17.x before 17.0.3, and SeaMonkey before 2.16 allow man-in-the-middle attackers to spoof the address bar by operating a proxy server that provides a 407 HTTP status code accompanied by web script, as demonstrated by a phishing attack on an HTTPS site. Moderate CVE-2013-0776 SUSE bug 804248 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the nsOverflowContinuationTracker::Finish function in Mozilla Firefox before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbird before 17.0.3, Thunderbird ESR 17.x before 17.0.3, and SeaMonkey before 2.16 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a crafted document that uses Cascading Style Sheets (CSS) -moz-column-* properties. Important CVE-2013-0780 SUSE bug 804248 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in the nsSaveAsCharset::DoCharsetConversion function in Mozilla Firefox before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbird before 17.0.3, Thunderbird ESR 17.x before 17.0.3, and SeaMonkey before 2.16 allows remote attackers to execute arbitrary code via unspecified vectors. Critical CVE-2013-0782 SUSE bug 804248 SUSE Linux Enterprise Server 11 SP3 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbird before 17.0.3, Thunderbird ESR 17.x before 17.0.3, and SeaMonkey before 2.16 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Important CVE-2013-0783 SUSE bug 804248 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the nsEditor::IsPreformatted function in editor/libeditor/base/nsEditor.cpp in Mozilla Firefox before 19.0.2, Firefox ESR 17.x before 17.0.4, Thunderbird before 17.0.4, Thunderbird ESR 17.x before 17.0.4, and SeaMonkey before 2.16.1 allows remote attackers to execute arbitrary code via vectors involving an execCommand call. Important CVE-2013-0787 SUSE bug 808243 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the 2D component in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 15 and earlier, 6 Update 41 and earlier, and 5.0 Update 40 and earlier allows remote attackers to execute arbitrary code via unknown vectors, a different vulnerability than CVE-2013-1493. Moderate CVE-2013-0809 SUSE bug 806786 SUSE bug 807487 SUSE bug 809386 SUSE bug 813939 SUSE Linux Enterprise Server 11 SP3 Race condition in the ptrace functionality in the Linux kernel before 3.7.5 allows local users to gain privileges via a PTRACE_SETREGS ptrace system call in a crafted application, as demonstrated by ptrace_death. Important CVE-2013-0871 SUSE bug 653148 SUSE bug 804154 SUSE bug 804227 SUSE bug 841063 SUSE Linux Enterprise Server 11 SP3 Integer overflow in drivers/gpu/drm/i915/i915_gem_execbuffer.c in the i915 driver in the Direct Rendering Manager (DRM) subsystem in the Linux kernel through 3.8.3, as used in Google Chrome OS before 25.0.1364.173 and other products, allows local users to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted application that triggers many relocation copies, and potentially leads to a race condition. Moderate CVE-2013-0913 SUSE bug 808829 SUSE bug 871595 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA net/ceph/auth_none.c in the Linux kernel through 3.10 allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via an auth_reply message that triggers an attempted build_request operation. Important CVE-2013-1059 SUSE bug 826350 SUSE bug 882913 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Incomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In Executor (NRPE) before 2.14 might allow remote attackers to execute arbitrary shell commands via "$()" shell metacharacters, which are processed by bash. Important CVE-2013-1362 SUSE bug 807241 SUSE Linux Enterprise Server 11 SP3 The pkinit_check_kdc_pkid function in plugins/preauth/pkinit/pkinit_crypto_openssl.c in the PKINIT implementation in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.10.4 and 1.11.x before 1.11.1 does not properly handle errors during extraction of fields from an X.509 certificate, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a malformed KRB5_PADATA_PK_AS_REQ AS-REQ request. Moderate CVE-2013-1415 SUSE bug 806715 SUSE Linux Enterprise Server 11 SP3-TERADATA The prep_reprocess_req function in do_tgs_req.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.10.5 does not properly perform service-principal realm referral, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted TGS-REQ request. Moderate CVE-2013-1416 SUSE bug 770172 SUSE bug 816413 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The setup_server_realm function in main.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.10.7, when multiple realms are configured, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted request. Moderate CVE-2013-1418 SUSE bug 849240 SUSE bug 866059 SUSE bug 879587 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Xen 4.1.x and 4.2.x, when the XSA-45 patch is in place, does not properly maintain references on pages stored for deferred cleanup, which allows local PV guest kernels to cause a denial of service (premature page free and hypervisor crash) or possibly gain privileges via unspecified vectors. Moderate CVE-2013-1432 SUSE bug 823011 SUSE bug 826882 SUSE bug 840592 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Xen 4.0 through 4.3.x, when using AVX or LWP capable CPUs, does not properly clear previous data from registers when using an XSAVE or XRSTOR to extend the state components of a saved or restored vCPU after touching other restored extended registers, which allows local guest OSes to obtain sensitive information by reading the registers. Moderate CVE-2013-1442 SUSE bug 839596 SUSE bug 840592 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 and 6 through Update 38 allows remote attackers to affect integrity via unknown vectors related to Deployment. Important CVE-2013-1473 SUSE bug 798535 SUSE bug 806786 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to CORBA, a different vulnerability than CVE-2013-0441 and CVE-2013-1475. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass Java sandbox restrictions via "certain value handler constructors." Important CVE-2013-1476 SUSE bug 798535 SUSE bug 801972 SUSE bug 803379 SUSE bug 806786 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "insufficient validation of raster parameters" that can trigger an integer overflow and memory corruption. Important CVE-2013-1478 SUSE bug 798535 SUSE bug 801972 SUSE bug 803379 SUSE bug 806786 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "insufficient validation of raster parameters" in awt_parseImage.c, which triggers memory corruption. Important CVE-2013-1480 SUSE bug 798535 SUSE bug 801972 SUSE bug 803379 SUSE bug 806786 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Sound. Important CVE-2013-1481 SUSE bug 798535 SUSE bug 806786 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 13 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. Important CVE-2013-1484 SUSE bug 798535 SUSE bug 803379 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 13 and earlier allows remote attackers to affect integrity via unknown vectors related to Libraries. Moderate CVE-2013-1485 SUSE bug 798535 SUSE bug 803379 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 13 and earlier, 6 Update 39 and earlier, and 5.0 Update 39 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JMX. Important CVE-2013-1486 SUSE bug 798535 SUSE bug 803379 SUSE bug 804654 SUSE Linux Enterprise Server 11 SP3 Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE 7 Update 13 and earlier and 6 Update 39 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. Important CVE-2013-1487 SUSE bug 798535 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, 5.0 Update 41 and earlier, and JavaFX 2.2.7 and earlier allows remote attackers to execute arbitrary code via vectors related to 2D, as demonstrated by Joshua Drake during a Pwn2Own competition at CanSecWest 2013. Important CVE-2013-1491 SUSE bug 819288 SUSE Linux Enterprise Server 11 SP3 The color management (CMM) functionality in the 2D component in Oracle Java SE 7 Update 15 and earlier, 6 Update 41 and earlier, and 5.0 Update 40 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (crash) via an image with crafted raster parameters, which triggers (1) an out-of-bounds read or (2) memory corruption in the JVM, as exploited in the wild in February 2013. Moderate CVE-2013-1493 SUSE bug 806786 SUSE bug 807487 SUSE bug 809386 SUSE bug 813939 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows local users to affect confidentiality and integrity via unknown vectors related to 2D. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to weak permissions for shared memory. Important CVE-2013-1500 SUSE bug 825624 SUSE bug 828665 SUSE bug 829212 SUSE bug 829708 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier; and OpenJDK 6 and 7; allows remote attackers to affect confidentiality, integrity, and availability via vectors related to RMI. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to the default java.rmi.server.useCodebaseOnly setting of false, which allows remote attackers to perform "dynamic class downloading" and execute arbitrary code. Important CVE-2013-1537 SUSE bug 816720 SUSE bug 817157 SUSE bug 819288 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier and 6 Update 43 and earlier allows remote attackers to affect integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2013-2433. Moderate CVE-2013-1540 SUSE bug 819288 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier; and OpenJDK 6 and 7; allows remote attackers to affect confidentiality, integrity, and availability via vectors related to RMI. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "missing security restrictions" in the LogStream.setDefaultStream method. Important CVE-2013-1557 SUSE bug 816720 SUSE bug 817157 SUSE bug 819288 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and JavaFX 2.2.7 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Install. Moderate CVE-2013-1563 SUSE bug 819288 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier; and OpenJDK 6 and 7; allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "checking of [a] glyph table" in the International Components for Unicode (ICU) Layout Engine before 51.2. Important CVE-2013-1569 SUSE bug 816720 SUSE bug 817157 SUSE bug 819288 SUSE bug 932310 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Javadoc component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier; JavaFX 2.2.21 and earlier; and OpenJDK 7 allows remote attackers to affect integrity via unknown vectors related to Javadoc. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to frame injection in HTML that is generated by Javadoc. Moderate CVE-2013-1571 SUSE bug 824397 SUSE bug 825624 SUSE bug 828665 SUSE bug 829212 SUSE bug 829708 SUSE Linux Enterprise Server 11 SP3 The dissect_oampdu_event_notification function in epan/dissectors/packet-slowprotocols.c in the IEEE 802.3 Slow Protocols dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly handle certain short lengths, which allows remote attackers to cause a denial of service (infinite loop) via a malformed packet. Moderate CVE-2013-1572 SUSE bug 801131 SUSE Linux Enterprise Server 11 SP3 The csnStreamDissector function in epan/dissectors/packet-csn1.c in the CSN.1 dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly handle a large number of padding bits, which allows remote attackers to cause a denial of service (infinite loop) via a malformed packet. Moderate CVE-2013-1573 SUSE bug 801131 SUSE Linux Enterprise Server 11 SP3 The dissect_bthci_eir_ad_data function in epan/dissectors/packet-bthci_cmd.c in the Bluetooth HCI dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 uses an incorrect data type for a counter variable, which allows remote attackers to cause a denial of service (infinite loop) via a malformed packet. Moderate CVE-2013-1574 SUSE bug 801131 SUSE Linux Enterprise Server 11 SP3 The dissect_r3_cmd_alarmconfigure function in epan/dissectors/packet-assa_r3.c in the R3 dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly handle a certain alarm length, which allows remote attackers to cause a denial of service (infinite loop) via a malformed packet. Moderate CVE-2013-1575 SUSE bug 801131 SUSE Linux Enterprise Server 11 SP3 The dissect_sdp_media_attribute function in epan/dissectors/packet-sdp.c in the SDP dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly process crypto-suite parameters, which allows remote attackers to cause a denial of service (infinite loop) via a malformed packet. Moderate CVE-2013-1576 SUSE bug 801131 SUSE Linux Enterprise Server 11 SP3 The dissect_sip_p_charging_func_addresses function in epan/dissectors/packet-sip.c in the SIP dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly handle offset data associated with a quoted string, which allows remote attackers to cause a denial of service (infinite loop) via a malformed packet. Moderate CVE-2013-1577 SUSE bug 801131 SUSE Linux Enterprise Server 11 SP3 The dissect_pw_eth_heuristic function in epan/dissectors/packet-pw-eth.c in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly handle apparent Ethernet address values at the beginning of MPLS data, which allows remote attackers to cause a denial of service (loop) via a malformed packet. Moderate CVE-2013-1578 SUSE bug 801131 SUSE Linux Enterprise Server 11 SP3 The rtps_util_add_bitmap function in epan/dissectors/packet-rtps.c in the RTPS dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly implement certain nested loops for processing bitmap data, which allows remote attackers to cause a denial of service (infinite loop) via a malformed packet. Moderate CVE-2013-1579 SUSE bug 801131 SUSE Linux Enterprise Server 11 SP3 The dissect_cmstatus_tlv function in plugins/docsis/packet-cmstatus.c in the DOCSIS CM-STATUS dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 uses an incorrect data type for a position variable, which allows remote attackers to cause a denial of service (infinite loop) via a malformed packet. Moderate CVE-2013-1580 SUSE bug 801131 SUSE Linux Enterprise Server 11 SP3 The dissect_pft_fec_detailed function in epan/dissectors/packet-dcp-etsi.c in the DCP-ETSI dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly handle fragment gaps, which allows remote attackers to cause a denial of service (loop) via a malformed packet. Moderate CVE-2013-1581 SUSE bug 801131 SUSE Linux Enterprise Server 11 SP3 The dissect_clnp function in epan/dissectors/packet-clnp.c in the CLNP dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly manage an offset variable, which allows remote attackers to cause a denial of service (infinite loop or application crash) via a malformed packet. Moderate CVE-2013-1582 SUSE bug 801131 SUSE Linux Enterprise Server 11 SP3 The dissect_version_4_primary_header function in epan/dissectors/packet-dtn.c in the DTN dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 accesses an inappropriate pointer, which allows remote attackers to cause a denial of service (application crash) via a malformed packet. Moderate CVE-2013-1583 SUSE bug 801131 SUSE Linux Enterprise Server 11 SP3 The dissect_version_5_and_6_primary_header function in epan/dissectors/packet-dtn.c in the DTN dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 accesses an inappropriate pointer, which allows remote attackers to cause a denial of service (application crash) via a malformed packet. Moderate CVE-2013-1584 SUSE bug 801131 SUSE Linux Enterprise Server 11 SP3 epan/tvbuff.c in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly validate certain length values for the MS-MMC dissector, which allows remote attackers to cause a denial of service (application crash) via a malformed packet. Moderate CVE-2013-1585 SUSE bug 801131 SUSE Linux Enterprise Server 11 SP3 The fragment_set_tot_len function in epan/reassemble.c in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly determine the length of a reassembled packet for the DTLS dissector, which allows remote attackers to cause a denial of service (application crash) via a malformed packet. Moderate CVE-2013-1586 SUSE bug 801131 SUSE Linux Enterprise Server 11 SP3 The dissect_rohc_ir_packet function in epan/dissectors/packet-rohc.c in the ROHC dissector in Wireshark 1.8.x before 1.8.5 does not properly handle unknown profiles, which allows remote attackers to cause a denial of service (application crash) via a malformed packet. Moderate CVE-2013-1587 SUSE bug 801131 SUSE Linux Enterprise Server 11 SP3 Multiple buffer overflows in the dissect_pft_fec_detailed function in the DCP-ETSI dissector in epan/dissectors/packet-dcp-etsi.c in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 allow remote attackers to cause a denial of service (application crash) via a malformed packet. Moderate CVE-2013-1588 SUSE bug 801131 SUSE Linux Enterprise Server 11 SP3 Double free vulnerability in epan/proto.c in the dissection engine in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 allows remote attackers to cause a denial of service (application crash) via a malformed packet. Moderate CVE-2013-1589 SUSE bug 801131 SUSE Linux Enterprise Server 11 SP3 Buffer overflow in the NTLMSSP dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 allows remote attackers to cause a denial of service (application crash) via a malformed packet. Moderate CVE-2013-1590 SUSE bug 801131 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Stack-based buffer overflow in libpixman, as used in Pale Moon before 15.4 and possibly other products, has unspecified impact and context-dependent attack vectors. NOTE: this issue might be resultant from an integer overflow in the fast_composite_scaled_bilinear function in pixman-inlines.h, which triggers an infinite loop. Moderate CVE-2013-1591 SUSE bug 815064 SUSE Linux Enterprise Server 11 SP3 The TLS implementation in GnuTLS before 2.12.23, 3.0.x before 3.0.28, and 3.1.x before 3.1.7 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169. Moderate CVE-2013-1619 SUSE bug 802184 SUSE bug 802651 SUSE bug 957568 SUSE Linux Enterprise Server 11 SP3 ext/soap/soap.c in PHP before 5.3.22 and 5.4.x before 5.4.13 does not validate the relationship between the soap.wsdl_cache_dir directive and the open_basedir directive, which allows remote attackers to bypass intended access restrictions by triggering the creation of cached SOAP WSDL files in an arbitrary directory. Moderate CVE-2013-1635 SUSE bug 807707 SUSE Linux Enterprise Server 11 SP3 The SOAP parser in PHP before 5.3.23 and 5.4.x before 5.4.13 allows remote attackers to read arbitrary files via a SOAP WSDL file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue in the soap_xmlParseFile and soap_xmlParseMemory functions. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-1824. Moderate CVE-2013-1643 SUSE bug 807707 SUSE Linux Enterprise Server 11 SP3 The rehash mechanism in Perl 5.8.2 through 5.16.x allows context-dependent attackers to cause a denial of service (memory consumption and crash) via a crafted hash key. Moderate CVE-2013-1667 SUSE bug 804415 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Important CVE-2013-1682 SUSE bug 825935 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in the mozilla::dom::HTMLMediaElement::LookupMediaElementURITable function in Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a crafted web site. Important CVE-2013-1684 SUSE bug 825935 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in the nsIDocument::GetRootElement function in Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a crafted web site. Critical CVE-2013-1685 SUSE bug 825935 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in the mozilla::ResetDir function in Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. Critical CVE-2013-1686 SUSE bug 825935 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The System Only Wrapper (SOW) and Chrome Object Wrapper (COW) implementations in Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 do not properly restrict XBL user-defined functions, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges, or conduct cross-site scripting (XSS) attacks, via a crafted web site. Important CVE-2013-1687 SUSE bug 825935 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 do not properly handle onreadystatechange events in conjunction with page reloading, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted web site that triggers an attempt to execute data at an unmapped memory location. Important CVE-2013-1690 SUSE bug 825935 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 do not prevent the inclusion of body data in an XMLHttpRequest HEAD request, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via a crafted web site. Moderate CVE-2013-1692 SUSE bug 825935 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The SVG filter implementation in Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 allows remote attackers to read pixel values, and possibly bypass the Same Origin Policy and read text from a different domain, by observing timing differences in execution of filter code. Moderate CVE-2013-1693 SUSE bug 825935 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The XrayWrapper implementation in Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 does not properly restrict use of DefaultValue for method calls, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges via a crafted web site that triggers use of a user-defined (1) toString or (2) valueOf method. Moderate CVE-2013-1697 SUSE bug 825935 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Important CVE-2013-1701 SUSE bug 833389 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 23.0 and SeaMonkey before 2.20 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Important CVE-2013-1702 SUSE bug 833389 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer underflow in the cryptojs_interpret_key_gen_type function in Mozilla Firefox before 23.0 and SeaMonkey before 2.20 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted Certificate Request Message Format (CRMF) request. Important CVE-2013-1705 SUSE bug 833389 SUSE bug 840485 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Stack-based buffer overflow in maintenanceservice.exe in the Mozilla Maintenance Service in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, and Thunderbird ESR 17.x before 17.0.8 allows local users to gain privileges via a long pathname on the command line. Important CVE-2013-1706 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Stack-based buffer overflow in Mozilla Updater in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, and Thunderbird ESR 17.x before 17.0.8 allows local users to gain privileges via a long pathname on the command line to the Mozilla Maintenance Service. Important CVE-2013-1707 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 do not properly handle the interaction between FRAME elements and history, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors involving spoofing a relative location in a previously visited document. Moderate CVE-2013-1709 SUSE bug 833389 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The crypto.generateCRMFRequest function in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 allows remote attackers to execute arbitrary JavaScript code or conduct cross-site scripting (XSS) attacks via vectors related to Certificate Request Message Format (CRMF) request generation. Important CVE-2013-1710 SUSE bug 833389 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple untrusted search path vulnerabilities in updater.exe in Mozilla Updater in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, and Thunderbird ESR 17.x before 17.0.8 on Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012 allow local users to gain privileges via a Trojan horse DLL in (1) the update directory or (2) the current working directory. Moderate CVE-2013-1712 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 use an incorrect URI within unspecified comparisons during enforcement of the Same Origin Policy, which allows remote attackers to conduct cross-site scripting (XSS) attacks or install arbitrary add-ons via a crafted web site. Moderate CVE-2013-1713 SUSE bug 833389 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The Web Workers implementation in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 does not properly restrict XMLHttpRequest calls, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via unspecified vectors. Moderate CVE-2013-1714 SUSE bug 833389 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 do not properly restrict local-filesystem access by Java applets, which allows user-assisted remote attackers to read arbitrary files by leveraging a download to a fixed pathname or other predictable pathname. Moderate CVE-2013-1717 SUSE bug 833389 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 24.0, Firefox ESR 17.x before 17.0.9, Thunderbird before 24.0, Thunderbird ESR 17.x before 17.0.9, and SeaMonkey before 2.21 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Important CVE-2013-1718 SUSE bug 840485 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in the nsAnimationManager::BuildAnimations function in the Animation Manager in Mozilla Firefox before 24.0, Firefox ESR 17.x before 17.0.9, Thunderbird before 24.0, Thunderbird ESR 17.x before 17.0.9, and SeaMonkey before 2.21 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via vectors involving stylesheet cloning. Important CVE-2013-1722 SUSE bug 840485 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Mozilla Firefox before 24.0, Firefox ESR 17.x before 17.0.9, Thunderbird before 24.0, Thunderbird ESR 17.x before 17.0.9, and SeaMonkey before 2.21 do not ensure that initialization occurs for JavaScript objects with compartments, which allows remote attackers to execute arbitrary code by leveraging incorrect scope handling. Moderate CVE-2013-1725 SUSE bug 840485 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Mozilla Updater in Mozilla Firefox before 24.0, Firefox ESR 17.x before 17.0.9, Thunderbird before 24.0, Thunderbird ESR 17.x before 17.0.9, and SeaMonkey before 2.21 does not ensure exclusive access to a MAR file, which allows local users to gain privileges by creating a Trojan horse file after MAR signature verification but before MAR use. Moderate CVE-2013-1726 SUSE bug 840485 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Mozilla Firefox before 24.0, Firefox ESR 17.x before 17.0.9, Thunderbird before 24.0, Thunderbird ESR 17.x before 17.0.9, and SeaMonkey before 2.21 do not properly handle movement of XBL-backed nodes between documents, which allows remote attackers to execute arbitrary code or cause a denial of service (JavaScript compartment mismatch, or assertion failure and application exit) via a crafted web site. Moderate CVE-2013-1730 SUSE bug 840485 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in the nsFloatManager::GetFlowArea function in Mozilla Firefox before 24.0, Firefox ESR 17.x before 17.0.9, Thunderbird before 24.0, Thunderbird ESR 17.x before 17.0.9, and SeaMonkey before 2.21 allows remote attackers to execute arbitrary code via crafted use of lists and floats within a multi-column layout. Important CVE-2013-1732 SUSE bug 840485 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in the mozilla::layout::ScrollbarActivity function in Mozilla Firefox before 24.0, Firefox ESR 17.x before 17.0.9, Thunderbird before 24.0, Thunderbird ESR 17.x before 17.0.9, and SeaMonkey before 2.21 allows remote attackers to execute arbitrary code via vectors related to image-document scrolling. Important CVE-2013-1735 SUSE bug 840485 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The nsGfxScrollFrameInner::IsLTR function in Mozilla Firefox before 24.0, Firefox ESR 17.x before 17.0.9, Thunderbird before 24.0, Thunderbird ESR 17.x before 17.0.9, and SeaMonkey before 2.21 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via vectors related to improperly establishing parent-child relationships of range-request nodes. Important CVE-2013-1736 SUSE bug 840485 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Mozilla Firefox before 24.0, Firefox ESR 17.x before 17.0.9, Thunderbird before 24.0, Thunderbird ESR 17.x before 17.0.9, and SeaMonkey before 2.21 do not properly identify the "this" object during use of user-defined getter methods on DOM proxies, which might allow remote attackers to bypass intended access restrictions via vectors involving an expando object. Moderate CVE-2013-1737 SUSE bug 840485 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Mozilla Network Security Services (NSS) before 3.15.2 does not ensure that data structures are initialized before read operations, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a decryption failure. Moderate CVE-2013-1739 SUSE bug 842979 SUSE bug 847708 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in Mozilla Network Security Services (NSS) 3.15 before 3.15.3 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large size value. Moderate CVE-2013-1741 SUSE bug 850148 SUSE Linux Enterprise Server 11 SP3 stunnel 4.21 through 4.54, when CONNECT protocol negotiation and NTLM authentication are enabled, does not correctly perform integer conversion, which allows remote proxy servers to execute arbitrary code via a crafted request that triggers a buffer overflow. Important CVE-2013-1762 SUSE bug 807440 SUSE bug 807450 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in the shmem_remount_fs function in mm/shmem.c in the Linux kernel before 3.7.10 allows local users to gain privileges or cause a denial of service (system crash) by remounting a tmpfs filesystem without specifying a required mpol (aka mempolicy) mount option. Moderate CVE-2013-1767 SUSE bug 806138 SUSE bug 807436 SUSE bug 871595 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The chase_port function in drivers/usb/serial/io_ti.c in the Linux kernel before 3.7.4 allows local users to cause a denial of service (NULL pointer dereference and system crash) via an attempted /dev/ttyUSB read or write operation on a disconnected Edgeport USB serial converter. Moderate CVE-2013-1774 SUSE bug 806976 SUSE bug 807455 SUSE bug 871595 SUSE Linux Enterprise Server 11 SP3 sudo 1.6.0 through 1.7.10p6 and sudo 1.8.0 through 1.8.6p6 allows local users or physically proximate attackers to bypass intended time restrictions and retain privileges without re-authenticating by setting the system clock and sudo user timestamp to the epoch. Moderate CVE-2013-1775 SUSE bug 806919 SUSE bug 806921 SUSE bug 815325 SUSE bug 845568 SUSE bug 854381 SUSE Linux Enterprise Server 11 SP3 sudo 1.3.5 through 1.7.10 and 1.8.0 through 1.8.5, when the tty_tickets option is enabled, does not properly validate the controlling terminal device, which allows local users with sudo permissions to hijack the authorization of another terminal via vectors related to connecting to the standard input, output, and error file descriptors of another terminal. NOTE: this is one of three closely-related vulnerabilities that were originally assigned CVE-2013-1776, but they have been SPLIT because of different affected versions. Low CVE-2013-1776 SUSE bug 806921 SUSE bug 817349 SUSE bug 817350 SUSE Linux Enterprise Server 11 SP3 poppler/Stream.cc in poppler before 0.22.1 allows context-dependent attackers to have an unspecified impact via vectors that trigger a read of uninitialized memory by the CCITTFaxStream::lookChar function. Moderate CVE-2013-1790 SUSE bug 806793 SUSE Linux Enterprise Server 11 SP3 The kvm_set_msr_common function in arch/x86/kvm/x86.c in the Linux kernel through 3.8.4 does not ensure a required time_page alignment during an MSR_KVM_SYSTEM_TIME operation, which allows guest OS users to cause a denial of service (buffer overflow and host OS memory corruption) or possibly have unspecified other impact via a crafted application. Moderate CVE-2013-1796 SUSE bug 0 SUSE bug 806980 SUSE bug 819789 SUSE bug 871595 SUSE Linux Enterprise Server 11 SP3 Use-after-free vulnerability in arch/x86/kvm/x86.c in the Linux kernel through 3.8.4 allows guest OS users to cause a denial of service (host OS memory corruption) or possibly have unspecified other impact via a crafted application that triggers use of a guest physical address (GPA) in (1) movable or (2) removable memory during an MSR_KVM_SYSTEM_TIME kvm_set_msr_common operation. Moderate CVE-2013-1797 SUSE bug 0 SUSE bug 806980 SUSE bug 819789 SUSE bug 871595 SUSE Linux Enterprise Server 11 SP3 The ioapic_read_indirect function in virt/kvm/ioapic.c in the Linux kernel through 3.8.4 does not properly handle a certain combination of invalid IOAPIC_REG_SELECT and IOAPIC_REG_WINDOW operations, which allows guest OS users to obtain sensitive information from host OS memory or cause a denial of service (host OS OOPS) via a crafted application. Moderate CVE-2013-1798 SUSE bug 0 SUSE bug 806980 SUSE bug 819789 SUSE bug 871595 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The _xfs_buf_find function in fs/xfs/xfs_buf.c in the Linux kernel before 3.7.6 does not validate block numbers, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by leveraging the ability to mount an XFS filesystem containing a metadata inode with an invalid extent map. Moderate CVE-2013-1819 SUSE bug 807471 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA lib/rexml/text.rb in the REXML parser in Ruby before 1.9.3-p392 allows remote attackers to cause a denial of service (memory consumption and crash) via crafted text nodes in an XML document, aka an XML Entity Expansion (XEE) attack. Moderate CVE-2013-1821 SUSE bug 808137 SUSE bug 876588 SUSE Linux Enterprise Server 11 SP3 fs/ext3/super.c in the Linux kernel before 3.8.4 uses incorrect arguments to functions in certain circumstances related to printk input, which allows local users to conduct format-string attacks and possibly gain privileges via a crafted application. Moderate CVE-2013-1848 SUSE bug 809155 SUSE bug 871595 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA MariaDB 5.5.x before 5.5.30, 5.3.x before 5.3.13, 5.2.x before 5.2.15, and 5.1.x before 5.1.68, and Oracle MySQL 5.1.69 and earlier, 5.5.31 and earlier, and 5.6.11 and earlier allows remote attackers to cause a denial of service (crash) via a crafted geometry feature that specifies a large number of points, which is not properly handled when processing the binary representation of this feature, related to a numeric calculation error. Moderate CVE-2013-1861 SUSE bug 809544 SUSE bug 830086 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA mod_rewrite.c in the mod_rewrite module in the Apache HTTP Server 2.2.x before 2.2.25 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to execute arbitrary commands via an HTTP request containing an escape sequence for a terminal emulator. Moderate CVE-2013-1862 SUSE bug 829056 SUSE bug 829057 SUSE bug 834475 SUSE bug 844212 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The Intel drivers in Mesa 8.0.x and 9.0.x allow context-dependent attackers to cause a denial of service (reachable assertion and crash) and possibly execute arbitrary code via vectors involving 3d graphics that trigger an out-of-bounds array access, related to the fs_visitor::remove_dead_constants function. NOTE: this issue might be related to CVE-2013-0796. Moderate CVE-2013-1872 SUSE bug 828007 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA GNOME libsvg before 2.39.0 allows remote attackers to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. Moderate CVE-2013-1881 SUSE bug 840753 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2013-2561. Reason: This candidate is a duplicate of CVE-2013-2561. Notes: All CVE users should reference CVE-2013-2561 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Moderate CVE-2013-1894 SUSE bug 811660 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly determine whether DAV is enabled for a URI, which allows remote attackers to cause a denial of service (segmentation fault) via a MERGE request in which the URI is configured for handling by the mod_dav_svn module, but a certain href attribute in XML data refers to a non-DAV URI. Moderate CVE-2013-1896 SUSE bug 829056 SUSE bug 829057 SUSE Linux Enterprise Server 11 SP3 Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows remote attackers to cause a denial of service (file corruption), and allows remote authenticated users to modify configuration settings and execute arbitrary code, via a connection request using a database name that begins with a "-" (hyphen). Important CVE-2013-1899 SUSE bug 812525 SUSE Linux Enterprise Server 11 SP3 PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before 9.0.13, and 8.4.x before 8.4.17, when using OpenSSL, generates insufficiently random numbers, which might allow remote authenticated users to have an unspecified impact via vectors related to the "contrib/pgcrypto functions." Important CVE-2013-1900 SUSE bug 812525 SUSE Linux Enterprise Server 11 SP3 PostgreSQL 9.2.x before 9.2.4 and 9.1.x before 9.1.9 does not properly check REPLICATION privileges, which allows remote authenticated users to bypass intended backup restrictions by calling the (1) pg_start_backup or (2) pg_stop_backup functions. Important CVE-2013-1901 SUSE bug 812525 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Stack-based buffer overflow in the getaddrinfo function in sysdeps/posix/getaddrinfo.c in GNU C Library (aka glibc or libc6) 2.17 and earlier allows remote attackers to cause a denial of service (crash) via a (1) hostname or (2) IP address that triggers a large number of domain conversion results. Moderate CVE-2013-1914 SUSE bug 813121 SUSE bug 826666 SUSE bug 882910 SUSE bug 920055 SUSE bug 937231 SUSE bug 941444 SUSE Linux Enterprise Server 11 SP3 ModSecurity before 2.7.3 allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) vulnerability. Moderate CVE-2013-1915 SUSE bug 813190 SUSE Linux Enterprise Server 11 SP3 Xen 3.1 through 4.x, when running 64-bit hosts on Intel CPUs, does not clear the NT flag when using an IRET after a SYSENTER instruction, which allows PV guest users to cause a denial of service (hypervisor crash) by triggering a #GP fault, which is not properly handled by another IRET instruction. Moderate CVE-2013-1917 SUSE bug 813673 SUSE bug 840592 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Certain page table manipulation operations in Xen 4.1.x, 4.2.x, and earlier are not preemptible, which allows local PV kernels to cause a denial of service via vectors related to "deep page table traversal." Moderate CVE-2013-1918 SUSE bug 813673 SUSE bug 816159 SUSE bug 823011 SUSE bug 826882 SUSE bug 840592 SUSE Linux Enterprise Server 11 SP3 Xen 4.2.x and 4.1.x does not properly restrict access to IRQs, which allows local stub domain clients to gain access to IRQs and cause a denial of service via vectors related to "passed-through IRQs or PCI devices." Moderate CVE-2013-1919 SUSE bug 813673 SUSE bug 813675 SUSE bug 840592 SUSE Linux Enterprise Server 11 SP3 Xen 4.2.x, 4.1.x, and earlier, when the hypervisor is running "under memory pressure" and the Xen Security Module (XSM) is enabled, uses the wrong ordering of operations when extending the per-domain event channel tracking table, which causes a use-after-free and allows local guest kernels to inject arbitrary events and gain privileges via unspecified vectors. Moderate CVE-2013-1920 SUSE bug 813673 SUSE bug 813677 SUSE bug 840592 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA qemu-nbd in QEMU, as used in Xen 4.2.x, determines the format of a raw disk image based on the header, which allows local guest OS administrators to read arbitrary files on the host by modifying the header to identify a different format, which is used when the guest is restarted, a different vulnerability than CVE-2008-2004. Moderate CVE-2013-1922 SUSE bug 814059 SUSE bug 934753 SUSE bug 934768 SUSE Linux Enterprise Server 11 SP3 rpc-gssd in nfs-utils before 1.2.8 performs reverse DNS resolution for server names during GSSAPI authentication, which might allow remote attackers to read otherwise-restricted files via DNS spoofing attacks. Moderate CVE-2013-1923 SUSE bug 813464 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the tg3_read_vpd function in drivers/net/ethernet/broadcom/tg3.c in the Linux kernel before 3.8.6 allows physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via crafted firmware that specifies a long string in the Vital Product Data (VPD) data structure. Moderate CVE-2013-1929 SUSE bug 813733 SUSE Linux Enterprise Server 11 SP3 X.Org X server before 1.13.4 and 1.4.x before 1.14.1 does not properly restrict access to input events when adding a new hot-plug device, which might allow physically proximate attackers to obtain sensitive information, as demonstrated by reading passwords from a tty. Low CVE-2013-1940 SUSE bug 814653 SUSE bug 815870 SUSE Linux Enterprise Server 11 SP3 The tailMatch function in cookie.c in cURL and libcurl before 7.30.0 does not properly match the path domain when sending cookies, which allows remote attackers to steal cookies via a matching suffix in the domain of a URL. Important CVE-2013-1944 SUSE bug 814655 SUSE Linux Enterprise Server 11 SP3 Xen 4.x, when using Intel VT-d for a bus mastering capable PCI device, does not properly check the source when accessing a bridge device's interrupt remapping table entries for MSI interrupts, which allows local guest domains to cause a denial of service (interrupt injection) via unspecified vectors. Moderate CVE-2013-1952 SUSE bug 813673 SUSE bug 816163 SUSE bug 840592 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in the t2p_process_jpeg_strip function in tiff2pdf in libtiff 4.0.3 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted TIFF image file. Moderate CVE-2013-1960 SUSE bug 817573 SUSE bug 854393 SUSE Linux Enterprise Server 11 SP3 Stack-based buffer overflow in the t2p_write_pdf_page function in tiff2pdf in libtiff before 4.0.3 allows remote attackers to cause a denial of service (application crash) via a crafted image length and resolution in a TIFF image file. Moderate CVE-2013-1961 SUSE bug 817573 SUSE bug 818117 SUSE bug 854393 SUSE Linux Enterprise Server 11 SP3 The remoteDispatchStoragePoolListAllVolumes function in the storage pool manager in libvirt 1.0.5 allows remote attackers to cause a denial of service (file descriptor consumption) via a large number of requests "to list all volumes for the particular pool." Moderate CVE-2013-1962 SUSE bug 820397 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The (1) tomcat5, (2) tomcat6, and (3) tomcat7 init scripts, as used in the RPM distribution of Tomcat for JBoss Enterprise Web Server 1.0.2 and 2.0.0, and Red Hat Enterprise Linux 5 and 6, allow local users to change the ownership of arbitrary files via a symlink attack on (a) tomcat5-initd.log, (b) tomcat6-initd.log, (c) catalina.out, or (d) tomcat7-initd.log. Moderate CVE-2013-1976 SUSE bug 822177 SUSE bug 824284 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The scm_set_cred function in include/net/scm.h in the Linux kernel before 3.8.11 uses incorrect uid and gid values during credentials passing, which allows local users to gain privileges via a crafted application. Moderate CVE-2013-1979 SUSE bug 816708 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple integer overflows in X.org libX11 1.5.99.901 (1.6 RC1) and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XQueryFont, (2) _XF86BigfontQueryFont, (3) XListFontsWithInfo, (4) XGetMotionEvents, (5) XListHosts, (6) XGetModifierMapping, (7) XGetPointerMapping, (8) XGetKeyboardMapping, (9) XGetWindowProperty, (10) XGetImage, (11) LoadColornameDB, (12) XrmGetFileDatabase, (13) _XimParseStringFile, or (14) TransFileName functions. Moderate CVE-2013-1981 SUSE bug 815451 SUSE bug 821664 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple integer overflows in X.org libXext 1.3.1 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XcupGetReservedColormapEntries, (2) XcupStoreColors, (3) XdbeGetVisualInfo, (4) XeviGetVisualInfo, (5) XShapeGetRectangles, and (6) XSyncListSystemCounters functions. Moderate CVE-2013-1982 SUSE bug 815451 SUSE bug 821665 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in X.org libXfixes 5.0 and earlier allows X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the XFixesGetCursorImage function. Moderate CVE-2013-1983 SUSE bug 815451 SUSE bug 821667 SUSE bug 880221 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple integer overflows in X.org libXi 1.7.1 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XGetDeviceControl, (2) XGetFeedbackControl, (3) XGetDeviceDontPropagateList, (4) XGetDeviceMotionEvents, (5) XIGetProperty, (6) XIGetSelectedEvents, (7) XGetDeviceProperties, and (8) XListInputDevices functions. Moderate CVE-2013-1984 SUSE bug 815451 SUSE bug 821663 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in X.org libXinerama 1.1.2 and earlier allows X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the XineramaQueryScreens function. Moderate CVE-2013-1985 SUSE bug 815451 SUSE bug 821663 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple integer overflows in X.org libXrandr 1.4.0 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XRRQueryOutputProperty and (2) XRRQueryProviderProperty functions. Moderate CVE-2013-1986 SUSE bug 815451 SUSE bug 821663 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple integer overflows in X.org libXrender 0.9.7 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XRenderQueryFilters, (2) XRenderQueryFormats, and (3) XRenderQueryPictIndexValues functions. Moderate CVE-2013-1987 SUSE bug 815451 SUSE bug 821669 SUSE bug 880221 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple integer overflows in X.org libXRes 1.0.6 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XResQueryClients and (2) XResQueryClientResources functions. Moderate CVE-2013-1988 SUSE bug 815451 SUSE bug 821663 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple integer overflows in X.org libXv 1.0.7 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XvQueryPortAttributes, (2) XvListImageFormats, and (3) XvCreateImage function. Moderate CVE-2013-1989 SUSE bug 815451 SUSE bug 821671 SUSE bug 880221 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple integer overflows in X.org libXvMC 1.0.7 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XvMCListSurfaceTypes and (2) XvMCListSubpictureTypes functions. Moderate CVE-2013-1990 SUSE bug 815451 SUSE bug 821663 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple integer overflows in X.org libXxf86dga 1.1.3 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XDGAQueryModes and (2) XDGASetMode functions. Moderate CVE-2013-1991 SUSE bug 815451 SUSE bug 821663 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple integer overflows in X.org libdmx 1.1.2 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) DMXGetScreenAttributes, (2) DMXGetWindowAttributes, and (3) DMXGetInputAttributes functions. Moderate CVE-2013-1992 SUSE bug 815451 SUSE bug 821663 SUSE Linux Enterprise Server 11 SP3 Multiple integer overflows in X.org libGLX in Mesa 9.1.1 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XF86DRIOpenConnection and (2) XF86DRIGetClientDriverName functions. Moderate CVE-2013-1993 SUSE bug 815451 SUSE bug 821855 SUSE bug 880221 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA X.org libXi 1.7.1 and earlier allows X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to an unexpected sign extension in the XListInputDevices function. Moderate CVE-2013-1995 SUSE bug 815451 SUSE bug 821663 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA X.org libFS 1.0.4 and earlier allows X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to an unexpected sign extension in the FSOpenServer function. Moderate CVE-2013-1996 SUSE bug 815451 SUSE bug 821663 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple buffer overflows in X.org libX11 1.5.99.901 (1.6 RC1) and earlier allow X servers to cause a denial of service (crash) and possibly execute arbitrary code via crafted length or index values to the (1) XAllocColorCells, (2) _XkbReadGetDeviceInfoReply, (3) _XkbReadGeomShapes, (4) _XkbReadGetGeometryReply, (5) _XkbReadKeySyms, (6) _XkbReadKeyActions, (7) _XkbReadKeyBehaviors, (8) _XkbReadModifierMap, (9) _XkbReadExplicitComponents, (10) _XkbReadVirtualModMap, (11) _XkbReadGetNamesReply, (12) _XkbReadGetMapReply, (13) _XimXGetReadData, (14) XListFonts, (15) XListExtensions, and (16) XGetFontPath functions. Moderate CVE-2013-1997 SUSE bug 815451 SUSE bug 821664 SUSE bug 824294 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple buffer overflows in X.org libXi 1.7.1 and earlier allow X servers to cause a denial of service (crash) and possibly execute arbitrary code via crafted length or index values to the (1) XGetDeviceButtonMapping, (2) XIPassiveGrabDevice, and (3) XQueryDeviceState functions. Moderate CVE-2013-1998 SUSE bug 815451 SUSE bug 821663 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in X.org libXvMC 1.0.7 and earlier allows X servers to cause a denial of service (crash) and possibly execute arbitrary code via crafted length or index values to the XvMCGetDRInfo function. Moderate CVE-2013-1999 SUSE bug 815451 SUSE bug 821663 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple buffer overflows in X.org libXxf86dga 1.1.3 and earlier allow X servers to cause a denial of service (crash) and possibly execute arbitrary code via crafted length or index values to the (1) XDGAQueryModes and (2) XDGASetMode functions. Moderate CVE-2013-2000 SUSE bug 815451 SUSE bug 821663 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in X.org libXxf86vm 1.1.2 and earlier allows X servers to cause a denial of service (crash) and possibly execute arbitrary code via crafted length or index values to the XF86VidModeGetGammaRamp function. Moderate CVE-2013-2001 SUSE bug 815451 SUSE bug 821663 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in X.org libXt 1.1.3 and earlier allows X servers to cause a denial of service (crash) and possibly execute arbitrary code via crafted length or index values to the _XtResourceConfigurationEH function. Moderate CVE-2013-2002 SUSE bug 815451 SUSE bug 821670 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in X.org libXcursor 1.1.13 and earlier allows X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the _XcursorFileHeaderCreate function. Moderate CVE-2013-2003 SUSE bug 1065386 SUSE bug 815451 SUSE bug 821663 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The (1) GetDatabase and (2) _XimParseStringFile functions in X.org libX11 1.5.99.901 (1.6 RC1) and earlier do not restrict the recursion depth when processing directives to include files, which allows X servers to cause a denial of service (stack consumption) via a crafted file. Low CVE-2013-2004 SUSE bug 815451 SUSE bug 821664 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA X.org libXt 1.1.3 and earlier does not check the return value of the XGetWindowProperty function, which allows X servers to trigger use of an uninitialized pointer and memory corruption via vectors related to the (1) ReqCleanup, (2) HandleSelectionEvents, (3) ReqTimedOut, (4) HandleNormal, and (5) HandleSelectionReplies functions. Moderate CVE-2013-2005 SUSE bug 815451 SUSE bug 821670 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The qemu guest agent in Qemu 1.4.1 and earlier, as used by Xen, when started in daemon mode, uses weak permissions for certain files, which allows local users to read and write to these files. Moderate CVE-2013-2007 SUSE bug 818181 SUSE bug 818182 SUSE bug 818183 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Moderate CVE-2013-2016 SUSE bug 817593 SUSE bug 871442 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer underflow in the cli_scanpe function in pe.c in ClamAV before 0.97.8 allows remote attackers to cause a denial of service (crash) via a skewed offset larger than the size of the PE section in a UPX packed executable, which triggers an out-of-bounds read. Moderate CVE-2013-2020 SUSE bug 816865 SUSE bug 899395 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA pdf.c in ClamAV 0.97.1 through 0.97.7 allows remote attackers to cause a denial of service (out-of-bounds-read) via a crafted length value in an encrypted PDF file. Moderate CVE-2013-2021 SUSE bug 816865 SUSE bug 899395 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The openvpn_decrypt function in crypto.c in OpenVPN 2.3.0 and earlier, when running in UDP mode, allows remote attackers to obtain sensitive information via a timing attack involving an HMAC comparison function that does not run in constant time and a padding oracle attack on the CBC mode cipher. Moderate CVE-2013-2061 SUSE bug 843509 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple integer overflows in X.org libXp 1.0.1 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XpGetAttributes, (2) XpGetOneAttribute, (3) XpGetPrinterList, and (4) XpQueryScreens functions. Moderate CVE-2013-2062 SUSE bug 815451 SUSE bug 821668 SUSE bug 880221 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in X.org libXtst 1.2.1 and earlier allows X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the XRecordGetContext function. Moderate CVE-2013-2063 SUSE bug 815451 SUSE bug 821663 SUSE Linux Enterprise Server 11 SP3 Integer overflow in X.org libxcb 1.9 and earlier allows X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the read_packet function. Important CVE-2013-2064 SUSE bug 815451 SUSE bug 821584 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in X.org libXv 1.0.7 and earlier allows X servers to cause a denial of service (crash) and possibly execute arbitrary code via crafted length or index values to the XvQueryPortAttributes function. Moderate CVE-2013-2066 SUSE bug 815451 SUSE bug 821671 SUSE bug 880221 SUSE Linux Enterprise Server 11 SP3 Buffer overflow in the Python bindings for the xc_vcpu_setaffinity call in Xen 4.0.x, 4.1.x, and 4.2.x allows local administrators with permissions to configure VCPU affinity to cause a denial of service (memory corruption and xend toolstack crash) and possibly gain privileges via a crafted cpumap. Moderate CVE-2013-2072 SUSE bug 813673 SUSE bug 819416 SUSE bug 840592 SUSE Linux Enterprise Server 11 SP3 The perf_swevent_init function in kernel/events/core.c in the Linux kernel before 3.8.9 uses an incorrect integer data type, which allows local users to gain privileges via a crafted perf_event_open system call. Important CVE-2013-2094 SUSE bug 819789 SUSE bug 820202 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The _gnutls_ciphertext2compressed function in lib/gnutls_cipher.c in GnuTLS 2.12.23 allows remote attackers to cause a denial of service (buffer over-read and crash) via a crafted padding length. NOTE: this might be due to an incorrect fix for CVE-2013-0169. Moderate CVE-2013-2116 SUSE bug 821818 SUSE Linux Enterprise Server 11 SP3 Double free vulnerability in inspect-fs.c in LibguestFS 1.20.x before 1.20.7, 1.21.x, 1.22.0, and 1.23.0 allows remote attackers to cause a denial of service (crash) via empty guest files. Moderate CVE-2013-2124 SUSE bug 828006 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA arch/x86/kernel/cpu/perf_event_intel.c in the Linux kernel before 3.8.9, when the Performance Events Subsystem is enabled, specifies an incorrect bitmask, which allows local users to cause a denial of service (general protection fault and system crash) by attempting to set a reserved bit. Moderate CVE-2013-2146 SUSE bug 825006 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The fill_event_metadata function in fs/notify/fanotify/fanotify_user.c in the Linux kernel through 3.9.4 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory via a read operation on the fanotify descriptor. Moderate CVE-2013-2148 SUSE bug 823517 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The mmc_ioctl_cdrom_read_data function in drivers/cdrom/cdrom.c in the Linux kernel through 3.10 allows local users to obtain sensitive information from kernel memory via a read operation on a malfunctioning CD-ROM drive. Moderate CVE-2013-2164 SUSE bug 824295 SUSE bug 889071 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the curl_easy_unescape function in lib/escape.c in cURL and libcurl 7.7 through 7.30.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted string ending in a "%" (percent) character. Moderate CVE-2013-2174 SUSE bug 824517 SUSE bug 917692 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The DiskFileItem class in Apache Commons FileUpload, as used in Red Hat JBoss BRMS 5.3.1; JBoss Portal 4.3 CP07, 5.2.2, and 6.0.0; and Red Hat JBoss Web Server 1.0.2 allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance. Important CVE-2013-2186 SUSE bug 846174 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple integer overflows in the Elf parser (libelf) in Xen 4.2.x and earlier allow local guest administrators with certain permissions to have an unspecified impact via a crafted kernel. Moderate CVE-2013-2194 SUSE bug 823011 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The Elf parser (libelf) in Xen 4.2.x and earlier allow local guest administrators with certain permissions to have an unspecified impact via a crafted kernel, related to "pointer dereferences" involving unexpected calculations. Moderate CVE-2013-2195 SUSE bug 823011 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple unspecified vulnerabilities in the Elf parser (libelf) in Xen 4.2.x and earlier allow local guest administrators with certain permissions to have an unspecified impact via a crafted kernel, related to "other problems" that are not CVE-2013-2194 or CVE-2013-2195. Moderate CVE-2013-2196 SUSE bug 823011 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The sctp_sf_do_5_2_4_dupcook function in net/sctp/sm_statefuns.c in the SCTP implementation in the Linux kernel before 3.8.5 does not properly handle associations during the processing of a duplicate COOKIE ECHO chunk, which allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via crafted SCTP traffic. Important CVE-2013-2206 SUSE bug 781018 SUSE bug 826102 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA pt_chown in GNU C Library (aka glibc or libc6) before 2.18 does not properly check permissions for tty files, which allows local users to change the permission on the files and obtain access to arbitrary pseudo-terminals by leveraging a FUSE file system. Moderate CVE-2013-2207 SUSE bug 830257 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The vmx_set_uc_mode function in Xen 3.3 through 4.3, when disabling caches, allows local HVM guests with access to memory mapped I/O regions to cause a denial of service (CPU consumption and possibly hypervisor or guest kernel panic) via a crafted GFN range. Moderate CVE-2013-2212 SUSE bug 826718 SUSE bug 831120 SUSE bug 846849 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The ip6_sk_dst_check function in net/ipv6/ip6_output.c in the Linux kernel before 3.10 allows local users to cause a denial of service (system crash) by using an AF_INET6 socket for a connection to an IPv4 interface. Moderate CVE-2013-2232 SUSE bug 827750 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The (1) key_notify_sa_flush and (2) key_notify_policy_flush functions in net/key/af_key.c in the Linux kernel before 3.10 do not initialize certain structure members, which allows local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify interface of an IPSec key_socket. Low CVE-2013-2234 SUSE bug 827749 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Stack-based buffer overflow in the new_msg_lsa_change_notify function in the OSPFD API (ospf_api.c) in Quagga before 0.99.22.2, when --enable-opaque-lsa and the -a command line option are used, allows remote attackers to cause a denial of service (crash) via a large LSA. Moderate CVE-2013-2236 SUSE bug 828117 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The key_notify_policy_flush function in net/key/af_key.c in the Linux kernel before 3.9 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify_policy interface of an IPSec key_socket. Moderate CVE-2013-2237 SUSE bug 828119 SUSE Linux Enterprise Server 11 SP3 libdns in ISC BIND 9.7.x and 9.8.x before 9.8.4-P2, 9.8.5 before 9.8.5b2, 9.9.x before 9.9.2-P2, and 9.9.3 before 9.9.3b2 on UNIX platforms allows remote attackers to cause a denial of service (memory consumption) via a crafted regular expression, as demonstrated by a memory-exhaustion attack against a machine running a named process. Moderate CVE-2013-2266 SUSE bug 811876 SUSE bug 811934 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier; and OpenJDK 6 and 7; allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D, a different vulnerability than CVE-2013-1569, CVE-2013-2384, and CVE-2013-2420. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "handling of [a] glyph table" in the International Components for Unicode (ICU) Layout Engine before 51.2. Important CVE-2013-2383 SUSE bug 816720 SUSE bug 817157 SUSE bug 819288 SUSE bug 932310 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier; and OpenJDK 6 and 7; allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D, a different vulnerability than CVE-2013-1569, CVE-2013-2383, and CVE-2013-2420. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "font layout" in the International Components for Unicode (ICU) Layout Engine before 51.2. Important CVE-2013-2384 SUSE bug 816720 SUSE bug 817157 SUSE bug 819288 SUSE bug 932310 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, 5.0 Update 41 and earlier, and JavaFX 2.2.7 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D, a different vulnerability than CVE-2013-2432 and CVE-2013-1491. Moderate CVE-2013-2394 SUSE bug 819288 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier allows remote attackers to affect integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2013-3744. Moderate CVE-2013-2400 SUSE bug 825624 SUSE bug 829212 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality and availability via unknown vectors related to Libraries. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "XML security and the class loader." Moderate CVE-2013-2407 SUSE bug 825624 SUSE bug 828665 SUSE bug 829212 SUSE bug 829708 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality via unknown vectors related to Serviceability. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to insufficient indication of an SSL connection failure by JConsole, related to RMI connection dialog box. Moderate CVE-2013-2412 SUSE bug 825624 SUSE bug 828665 SUSE bug 829212 SUSE bug 829708 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier; and OpenJDK 6 and 7; allows remote attackers to affect availability via unknown vectors related to Networking. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to an information leak involving InetAddress serialization. CVE has not investigated the apparent discrepancy between vendor reports regarding the impact of this issue. Moderate CVE-2013-2417 SUSE bug 816720 SUSE bug 817157 SUSE bug 819288 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier and 6 Update 43 and earlier allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. Moderate CVE-2013-2418 SUSE bug 819288 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier; and OpenJDK 6 and 7; allows remote attackers to affect availability via unknown vectors related to 2D. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "font processing errors" in the International Components for Unicode (ICU) Layout Engine before 51.2. Moderate CVE-2013-2419 SUSE bug 816720 SUSE bug 817157 SUSE bug 819288 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier; and OpenJDK 6 and 7; allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to insufficient "validation of images" in share/native/sun/awt/image/awt_ImageRep.c, possibly involving offsets. Important CVE-2013-2420 SUSE bug 816720 SUSE bug 817157 SUSE bug 819288 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier and 6 Update 43 and earlier; and OpenJDK 6 and 7; allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to improper method-invocation restrictions by the MethodUtil trampoline class, which allows remote attackers to bypass the Java sandbox. Moderate CVE-2013-2422 SUSE bug 816720 SUSE bug 817157 SUSE bug 819288 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier; and OpenJDK 6 and 7; allows remote attackers to affect confidentiality via vectors related to JMX. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "insufficient class access checks" when "creating new instances" using MBeanInstantiator. Moderate CVE-2013-2424 SUSE bug 816720 SUSE bug 817157 SUSE bug 819288 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier; and OpenJDK 6 and 7; allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to ImageIO. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "JPEGImageWriter state corruption" when using native code, which triggers memory corruption. Moderate CVE-2013-2429 SUSE bug 816720 SUSE bug 817157 SUSE bug 819288 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier; JavaFX 2.2.7 and earlier; and OpenJDK 6 and 7 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to ImageIO. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "JPEGImageReader state corruption" when using native code. Moderate CVE-2013-2430 SUSE bug 816720 SUSE bug 817157 SUSE bug 819288 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, 5.0 Update 41 and earlier, and JavaFX 2.2.7 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D, a different vulnerability than CVE-2013-2394 and CVE-2013-1491. Important CVE-2013-2432 SUSE bug 819288 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier and 6 Update 43 and earlier allows remote attackers to affect integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2013-1540. Moderate CVE-2013-2433 SUSE bug 819288 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier and 6 Update 43 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2013-2440. Important CVE-2013-2435 SUSE bug 819288 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45 and earlier allows remote attackers to affect confidentiality via unknown vectors related to Deployment. Moderate CVE-2013-2437 SUSE bug 825624 SUSE bug 829212 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier and 6 Update 43 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2013-2435. Important CVE-2013-2440 SUSE bug 819288 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2013-2466 and CVE-2013-2468. Moderate CVE-2013-2442 SUSE bug 825624 SUSE bug 829212 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality via unknown vectors related to Libraries, a different vulnerability than CVE-2013-2452 and CVE-2013-2455. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue is due to an incorrect "checking order" within the AccessControlContext class. Moderate CVE-2013-2443 SUSE bug 825624 SUSE bug 828665 SUSE bug 829212 SUSE bug 829708 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier; JavaFX 2.2.21 and earlier; and OpenJDK 7 allows remote attackers to affect availability via vectors related to AWT. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue does not "properly manage and restrict certain resources related to the processing of fonts," possibly involving temporary files. Moderate CVE-2013-2444 SUSE bug 825624 SUSE bug 828665 SUSE bug 829212 SUSE bug 829708 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality via vectors related to CORBA. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue does not properly enforce access restrictions for CORBA output streams. Moderate CVE-2013-2446 SUSE bug 825624 SUSE bug 828665 SUSE bug 829212 SUSE bug 829708 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality via unknown vectors related to Networking. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to obtain a socket's local address via vectors involving inconsistencies between Socket.getLocalAddress and InetAddress.getLocalHost. Moderate CVE-2013-2447 SUSE bug 825624 SUSE bug 828665 SUSE bug 829212 SUSE bug 829708 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Sound. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to insufficient "access restrictions" and "robustness of sound classes." Moderate CVE-2013-2448 SUSE bug 825624 SUSE bug 828665 SUSE bug 829212 SUSE bug 829708 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect availability via unknown vectors related to Serialization. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to improper handling of circular references in ObjectStreamClass. Moderate CVE-2013-2450 SUSE bug 825624 SUSE bug 828665 SUSE bug 829212 SUSE bug 829708 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45 and earlier, and OpenJDK 7, allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Networking. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to improper enforcement of exclusive port binds when running on Windows, which allows attackers to bind to ports that are already in use. Low CVE-2013-2451 SUSE bug 825624 SUSE bug 828665 SUSE bug 829212 SUSE bug 829708 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality via unknown vectors related to Libraries, a different vulnerability than CVE-2013-2443 and CVE-2013-2455. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "network address handling in virtual machine identifiers" and the lack of "unique and unpredictable IDs" in the java.rmi.dgc.VMID class. Moderate CVE-2013-2452 SUSE bug 825624 SUSE bug 828665 SUSE bug 829212 SUSE bug 829708 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45 and earlier allows remote attackers to affect integrity via vectors related to JMX. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue is due to a missing check for "package access" by the MBeanServer Introspector. Moderate CVE-2013-2453 SUSE bug 825624 SUSE bug 828665 SUSE bug 829212 SUSE bug 829708 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality and integrity via vectors related to JDBC. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue does not properly restrict access to certain class packages in the SerialJavaObject class, which allows remote attackers to bypass the Java sandbox. Moderate CVE-2013-2454 SUSE bug 825624 SUSE bug 828665 SUSE bug 829212 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality via unknown vectors related to Libraries, a different vulnerability than CVE-2013-2443 and CVE-2013-2452. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to incorrect access checks by the (1) getEnclosingClass, (2) getEnclosingMethod, and (3) getEnclosingConstructor methods. Moderate CVE-2013-2455 SUSE bug 825624 SUSE bug 828665 SUSE bug 829212 SUSE bug 829708 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality via unknown vectors related to Serialization. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to improper access checks for subclasses in the ObjectOutputStream class. Moderate CVE-2013-2456 SUSE bug 825624 SUSE bug 828665 SUSE bug 829212 SUSE bug 829708 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect integrity via vectors related to JMX. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue is due to an incorrect implementation of "certain class checks" that allows remote attackers to bypass intended class restrictions. Moderate CVE-2013-2457 SUSE bug 825624 SUSE bug 828665 SUSE bug 829212 SUSE bug 829708 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality and integrity via unknown vectors related to Libraries. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via "an error related to method handles." Moderate CVE-2013-2458 SUSE bug 825624 SUSE bug 828665 SUSE bug 829212 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to "integer overflow checks." Important CVE-2013-2459 SUSE bug 825624 SUSE bug 828665 SUSE bug 829212 SUSE bug 829708 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Serviceability. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to "insufficient access checks" in the tracing component. Important CVE-2013-2460 SUSE bug 825624 SUSE bug 828665 SUSE bug 829212 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. Important CVE-2013-2462 SUSE bug 825624 SUSE bug 829212 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to "Incorrect image attribute verification" in 2D. Important CVE-2013-2463 SUSE bug 825624 SUSE bug 828665 SUSE bug 829212 SUSE bug 829708 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D, a different vulnerability than CVE-2013-2463, CVE-2013-2465, CVE-2013-2469, CVE-2013-2470, CVE-2013-2471, CVE-2013-2472, and CVE-2013-2473. Important CVE-2013-2464 SUSE bug 825624 SUSE bug 829212 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to "Incorrect image channel verification" in 2D. Important CVE-2013-2465 SUSE bug 825624 SUSE bug 828665 SUSE bug 829212 SUSE bug 829708 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2013-2442 and CVE-2013-2468. Important CVE-2013-2466 SUSE bug 825624 SUSE bug 829212 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2013-2442 and CVE-2013-2466. Important CVE-2013-2468 SUSE bug 825624 SUSE bug 829212 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to "Incorrect image layout verification" in 2D. Important CVE-2013-2469 SUSE bug 825624 SUSE bug 828665 SUSE bug 829212 SUSE bug 829708 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to "ImagingLib byte lookup processing." Important CVE-2013-2470 SUSE bug 825624 SUSE bug 828665 SUSE bug 829212 SUSE bug 829708 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to "Incorrect IntegerComponentRaster size checks." Important CVE-2013-2471 SUSE bug 825624 SUSE bug 828665 SUSE bug 829212 SUSE bug 829708 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to "Incorrect ShortBandedRaster size checks" in 2D. Important CVE-2013-2472 SUSE bug 825624 SUSE bug 828665 SUSE bug 829212 SUSE bug 829708 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to "Incorrect ByteBandedRaster size checks" in 2D. Important CVE-2013-2473 SUSE bug 825624 SUSE bug 828665 SUSE bug 829212 SUSE bug 829708 SUSE Linux Enterprise Server 11 SP3 The TCP dissector in Wireshark 1.8.x before 1.8.6 allows remote attackers to cause a denial of service (application crash) via a malformed packet. Moderate CVE-2013-2475 SUSE bug 807942 SUSE Linux Enterprise Server 11 SP3 The dissect_hartip function in epan/dissectors/packet-hartip.c in the HART/IP dissector in Wireshark 1.8.x before 1.8.6 allows remote attackers to cause a denial of service (infinite loop) via a packet with a header that is too short. Moderate CVE-2013-2476 SUSE bug 807942 SUSE Linux Enterprise Server 11 SP3 The CSN.1 dissector in Wireshark 1.8.x before 1.8.6 does not properly manage function pointers, which allows remote attackers to cause a denial of service (application crash) via a malformed packet. Moderate CVE-2013-2477 SUSE bug 807942 SUSE Linux Enterprise Server 11 SP3 The dissect_server_info function in epan/dissectors/packet-ms-mms.c in the MS-MMS dissector in Wireshark 1.6.x before 1.6.14 and 1.8.x before 1.8.6 does not properly manage string lengths, which allows remote attackers to cause a denial of service (application crash) via a malformed packet that (1) triggers an integer overflow or (2) has embedded '\0' characters in a string. Moderate CVE-2013-2478 SUSE bug 807942 SUSE Linux Enterprise Server 11 SP3 The dissect_mpls_echo_tlv_dd_map function in epan/dissectors/packet-mpls-echo.c in the MPLS Echo dissector in Wireshark 1.8.x before 1.8.6 allows remote attackers to cause a denial of service (infinite loop) via invalid Sub-tlv data. Moderate CVE-2013-2479 SUSE bug 807942 SUSE Linux Enterprise Server 11 SP3 The RTPS and RTPS2 dissectors in Wireshark 1.6.x before 1.6.14 and 1.8.x before 1.8.6 allow remote attackers to cause a denial of service (application crash) via a malformed packet. Moderate CVE-2013-2480 SUSE bug 807942 SUSE Linux Enterprise Server 11 SP3 Integer signedness error in the dissect_mount_dirpath_call function in epan/dissectors/packet-mount.c in the Mount dissector in Wireshark 1.6.x before 1.6.14 and 1.8.x before 1.8.6, when nfs_file_name_snooping is enabled, allows remote attackers to cause a denial of service (application crash) via a negative length value. Moderate CVE-2013-2481 SUSE bug 807942 SUSE Linux Enterprise Server 11 SP3 The AMPQ dissector in Wireshark 1.6.x before 1.6.14 and 1.8.x before 1.8.6 allows remote attackers to cause a denial of service (infinite loop) via a malformed packet. Moderate CVE-2013-2482 SUSE bug 807942 SUSE Linux Enterprise Server 11 SP3 The acn_add_dmp_data function in epan/dissectors/packet-acn.c in the ACN dissector in Wireshark 1.6.x before 1.6.14 and 1.8.x before 1.8.6 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via an invalid count value in ACN_DMP_ADT_D_RE DMP data. Moderate CVE-2013-2483 SUSE bug 807942 SUSE Linux Enterprise Server 11 SP3 The CIMD dissector in Wireshark 1.6.x before 1.6.14 and 1.8.x before 1.8.6 allows remote attackers to cause a denial of service (application crash) via a malformed packet. Moderate CVE-2013-2484 SUSE bug 807942 SUSE Linux Enterprise Server 11 SP3 The FCSP dissector in Wireshark 1.6.x before 1.6.14 and 1.8.x before 1.8.6 allows remote attackers to cause a denial of service (infinite loop) via a malformed packet. Moderate CVE-2013-2485 SUSE bug 807942 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The dissect_diagnosticrequest function in epan/dissectors/packet-reload.c in the REsource LOcation And Discovery (aka RELOAD) dissector in Wireshark 1.8.x before 1.8.6 uses an incorrect integer data type, which allows remote attackers to cause a denial of service (infinite loop) via crafted integer values in a packet. Moderate CVE-2013-2486 SUSE bug 807942 SUSE bug 820566 SUSE bug 820973 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA epan/dissectors/packet-reload.c in the REsource LOcation And Discovery (aka RELOAD) dissector in Wireshark 1.8.x before 1.8.6 uses incorrect integer data types, which allows remote attackers to cause a denial of service (infinite loop) via crafted integer values in a packet, related to the (1) dissect_icecandidates, (2) dissect_kinddata, (3) dissect_nodeid_list, (4) dissect_storeans, (5) dissect_storereq, (6) dissect_storeddataspecifier, (7) dissect_fetchreq, (8) dissect_findans, (9) dissect_diagnosticinfo, (10) dissect_diagnosticresponse, (11) dissect_reload_messagecontents, and (12) dissect_reload_message functions, a different vulnerability than CVE-2013-2486. Moderate CVE-2013-2487 SUSE bug 807942 SUSE bug 820566 SUSE bug 820973 SUSE Linux Enterprise Server 11 SP3 The DTLS dissector in Wireshark 1.6.x before 1.6.14 and 1.8.x before 1.8.6 does not validate the fragment offset before invoking the reassembly state machine, which allows remote attackers to cause a denial of service (application crash) via a large offset value that triggers write access to an invalid memory location. Moderate CVE-2013-2488 SUSE bug 807942 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The ModSecurity module before 2.7.4 for the Apache HTTP Server allows remote attackers to cause a denial of service (NULL pointer dereference, process crash, and disk consumption) via a POST request with a large body and a crafted Content-Type header. Moderate CVE-2013-2765 SUSE bug 822664 SUSE Linux Enterprise Server 11 SP3 sudo 1.3.5 through 1.7.10p5 and 1.8.0 through 1.8.6p6, when running on systems without /proc or the sysctl function with the tty_tickets option enabled, does not properly validate the controlling terminal device, which allows local users with sudo permissions to hijack the authorization of another terminal via vectors related to connecting to the standard input, output, and error file descriptors of another terminal. NOTE: this is one of three closely-related vulnerabilities that were originally assigned CVE-2013-1776, but they have been SPLIT because of different affected versions. Low CVE-2013-2776 SUSE bug 806921 SUSE bug 817349 SUSE Linux Enterprise Server 11 SP3 sudo before 1.7.10p5 and 1.8.x before 1.8.6p6, when the tty_tickets option is enabled, does not properly validate the controlling terminal device, which allows local users with sudo permissions to hijack the authorization of another terminal via vectors related to a session without a controlling terminal device and connecting to the standard input, output, and error file descriptors of another terminal. NOTE: this is one of three closely-related vulnerabilities that were originally assigned CVE-2013-1776, but they have been SPLIT because of different affected versions. Low CVE-2013-2777 SUSE bug 806921 SUSE bug 817349 SUSE bug 817350 SUSE Linux Enterprise Server 11 SP3 Heap-based buffer overflow in the iscsi_add_notunderstood_response function in drivers/target/iscsi/iscsi_target_parameters.c in the iSCSI target subsystem in the Linux kernel through 3.9.4 allows remote attackers to cause a denial of service (memory corruption and OOPS) or possibly execute arbitrary code via a long key that is not properly handled during construction of an error-response packet. Important CVE-2013-2850 SUSE bug 821560 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Format string vulnerability in the register_disk function in block/genhd.c in the Linux kernel through 3.9.4 allows local users to gain privileges by leveraging root access and writing format string specifiers to /sys/module/md_mod/parameters/new_array in order to create a crafted /dev/md device name. Moderate CVE-2013-2851 SUSE bug 822575 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Format string vulnerability in the b43_request_firmware function in drivers/net/wireless/b43/main.c in the Broadcom B43 wireless driver in the Linux kernel through 3.9.4 allows local users to gain privileges by leveraging root access and including format string specifiers in an fwpostfix modprobe parameter, leading to improper construction of an error message. Moderate CVE-2013-2852 SUSE bug 822579 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA parser.c in libxml2 before 2.9.0, as used in Google Chrome before 28.0.1500.71 and other products, allows remote attackers to cause a denial of service (out-of-bounds read) via a document that ends abruptly, related to the lack of certain checks for the XML_PARSER_EOF state. Moderate CVE-2013-2877 SUSE bug 1123919 SUSE bug 828893 SUSE bug 829077 SUSE bug 854869 SUSE bug 877506 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA drivers/hid/hid-zpff.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_ZEROPLUS is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device. Moderate CVE-2013-2889 SUSE bug 835839 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_LOGITECH_FF, CONFIG_LOGIG940_FF, or CONFIG_LOGIWHEELS_FF is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device, related to (1) drivers/hid/hid-lgff.c, (2) drivers/hid/hid-lg3ff.c, and (3) drivers/hid/hid-lg4ff.c. Moderate CVE-2013-2893 SUSE bug 835839 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple array index errors in drivers/hid/hid-multitouch.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_MULTITOUCH is enabled, allow physically proximate attackers to cause a denial of service (heap memory corruption, or NULL pointer dereference and OOPS) via a crafted device. Moderate CVE-2013-2897 SUSE bug 835839 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA drivers/hid/hid-picolcd_core.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_PICOLCD is enabled, allows physically proximate attackers to cause a denial of service (NULL pointer dereference and OOPS) via a crafted device. Moderate CVE-2013-2899 SUSE bug 835839 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The Linux kernel before 3.12.2 does not properly use the get_dumpable function, which allows local users to bypass intended ptrace restrictions or obtain sensitive information from IA64 scratch registers via a crafted application, related to kernel/ptrace.c and arch/ia64/include/asm/processor.h. Moderate CVE-2013-2929 SUSE bug 824295 SUSE bug 847652 SUSE bug 889071 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The perf_trace_event_perm function in kernel/trace/trace_event_perf.c in the Linux kernel before 3.12.2 does not properly restrict access to the perf subsystem, which allows local users to enable function tracing via a crafted application. Moderate CVE-2013-2930 SUSE bug 849362 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA strongSwan 4.3.5 through 5.0.3, when using the OpenSSL plugin for ECDSA signature verification, allows remote attackers to authenticate as other users via an invalid signature. Moderate CVE-2013-2944 SUSE bug 815236 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) in IBM Java 7 before 7 SR5 allows remote attackers to affect confidentiality, availability, and integrity via unknown vectors, a different vulnerability than CVE-2013-3008. Important CVE-2013-3006 SUSE bug 829212 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) in IBM Java 6.0.1 before 6.0.1 SR6 and 7 before 7 SR5 allows remote attackers to affect confidentiality, availability, and integrity via unknown vectors, a different vulnerability than CVE-2013-3006. Important CVE-2013-3007 SUSE bug 829212 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) in IBM Java 7 before 7 SR5 allows remote attackers to affect confidentiality, availability, and integrity via unknown vectors, a different vulnerability than CVE-2013-3006. Important CVE-2013-3008 SUSE bug 829212 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The com.ibm.CORBA.iiop.ClientDelegate class in IBM Java 1.4.2 before 1.4.2 SR13-FP18, 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 improperly exposes the invoke method of the java.lang.reflect.Method class, which allows remote attackers to call setSecurityManager and bypass a sandbox protection mechanism via vectors related to the AccessController doPrivileged block. Important CVE-2013-3009 SUSE bug 829212 SUSE bug 977650 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) in IBM Java 6.0.1 before 6.0.1 SR6 and 7 before 7 SR5 allows remote attackers to affect confidentiality, availability, and integrity via unknown vectors, a different vulnerability than CVE-2013-3007. Important CVE-2013-3010 SUSE bug 829212 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) in IBM Java 1.4.2 before 1.4.2 SR13-FP18, 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 allows remote attackers to affect confidentiality, availability, and integrity via unknown vectors, a different vulnerability than CVE-2013-3009 and CVE-2013-3012. Important CVE-2013-3011 SUSE bug 829212 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) in IBM Java 1.4.2 before 1.4.2 SR13-FP18, 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 allows remote attackers to affect confidentiality, availability, and integrity via unknown vectors, a different vulnerability than CVE-2013-3009 and CVE-2013-3011. Important CVE-2013-3012 SUSE bug 829212 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The crypto API in the Linux kernel through 3.9-rc8 does not initialize certain length variables, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call, related to the hash_recvmsg function in crypto/algif_hash.c and the skcipher_recvmsg function in crypto/algif_skcipher.c. Low CVE-2013-3076 SUSE bug 816668 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The vcc_recvmsg function in net/atm/common.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. Low CVE-2013-3222 SUSE bug 816668 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The ax25_recvmsg function in net/ax25/af_ax25.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. Low CVE-2013-3223 SUSE bug 816668 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The bt_sock_recvmsg function in net/bluetooth/af_bluetooth.c in the Linux kernel before 3.9-rc7 does not properly initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. Low CVE-2013-3224 SUSE bug 816668 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The rfcomm_sock_recvmsg function in net/bluetooth/rfcomm/sock.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. Low CVE-2013-3225 SUSE bug 816668 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The caif_seqpkt_recvmsg function in net/caif/caif_socket.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. Low CVE-2013-3227 SUSE bug 816668 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The irda_recvmsg_dgram function in net/irda/af_irda.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. Low CVE-2013-3228 SUSE bug 816668 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The iucv_sock_recvmsg function in net/iucv/af_iucv.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. Low CVE-2013-3229 SUSE bug 816668 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The llc_ui_recvmsg function in net/llc/af_llc.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. Low CVE-2013-3231 SUSE bug 816668 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The nr_recvmsg function in net/netrom/af_netrom.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. Low CVE-2013-3232 SUSE bug 816668 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The rose_recvmsg function in net/rose/af_rose.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. Low CVE-2013-3234 SUSE bug 816668 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA net/tipc/socket.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure and a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. Low CVE-2013-3235 SUSE bug 816668 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The ftrace implementation in the Linux kernel before 3.8.8 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by leveraging the CAP_SYS_ADMIN capability for write access to the (1) set_ftrace_pid or (2) set_graph_function file, and then making an lseek system call. Moderate CVE-2013-3301 SUSE bug 815256 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA epan/dissectors/packet-gtpv2.c in the GTPv2 dissector in Wireshark 1.8.x before 1.8.7 calls incorrect functions in certain contexts related to ciphers, which allows remote attackers to cause a denial of service (application crash) via a malformed packet. Moderate CVE-2013-3555 SUSE bug 820566 SUSE bug 820973 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The fragment_add_seq_common function in epan/reassemble.c in the ASN.1 BER dissector in Wireshark before r48943 has an incorrect pointer dereference during a comparison, which allows remote attackers to cause a denial of service (application crash) via a malformed packet. Moderate CVE-2013-3556 SUSE bug 820566 SUSE bug 820973 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The dissect_ber_choice function in epan/dissectors/packet-ber.c in the ASN.1 BER dissector in Wireshark 1.6.x before 1.6.15 and 1.8.x before 1.8.7 does not properly initialize a certain variable, which allows remote attackers to cause a denial of service (application crash) via a malformed packet. Moderate CVE-2013-3557 SUSE bug 820566 SUSE bug 820973 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The dissect_ccp_bsdcomp_opt function in epan/dissectors/packet-ppp.c in the PPP CCP dissector in Wireshark 1.8.x before 1.8.7 does not terminate a bit-field list, which allows remote attackers to cause a denial of service (application crash) via a malformed packet. Moderate CVE-2013-3558 SUSE bug 820566 SUSE bug 820973 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA epan/dissectors/packet-dcp-etsi.c in the DCP ETSI dissector in Wireshark 1.8.x before 1.8.7 uses incorrect integer data types, which allows remote attackers to cause a denial of service (integer overflow, and heap memory corruption or NULL pointer dereference, and application crash) via a malformed packet. Moderate CVE-2013-3559 SUSE bug 820566 SUSE bug 820973 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The dissect_dsmcc_un_download function in epan/dissectors/packet-mpeg-dsmcc.c in the MPEG DSM-CC dissector in Wireshark 1.8.x before 1.8.7 uses an incorrect format string, which allows remote attackers to cause a denial of service (application crash) via a malformed packet. Moderate CVE-2013-3560 SUSE bug 820566 SUSE bug 820973 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple integer overflows in Wireshark 1.8.x before 1.8.7 allow remote attackers to cause a denial of service (loop or application crash) via a malformed packet, related to a crash of the Websocket dissector, an infinite loop in the MySQL dissector, and a large loop in the ETCH dissector. Moderate CVE-2013-3561 SUSE bug 820566 SUSE bug 820973 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple integer signedness errors in the tvb_unmasked function in epan/dissectors/packet-websocket.c in the Websocket dissector in Wireshark 1.8.x before 1.8.7 allow remote attackers to cause a denial of service (application crash) via a malformed packet. Moderate CVE-2013-3562 SUSE bug 820566 SUSE bug 820973 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2, deserializes untrusted YAML, which allows remote attackers to instantiate arbitrary Ruby classes and execute arbitrary code via a crafted REST API call. Critical CVE-2013-3567 SUSE bug 1040151 SUSE bug 825878 SUSE bug 880224 SUSE Linux Enterprise Server 11 SP3-TERADATA socat 1.2.0.0 before 1.7.2.2 and 2.0.0-b1 before 2.0.0-b6, when used for a listen type address and the fork option is enabled, allows remote attackers to cause a denial of service (file descriptor consumption) via multiple request that are refused based on the (1) sourceport, (2) lowport, (3) range, or (4) tcpwrap restrictions. Moderate CVE-2013-3571 SUSE bug 821985 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 45 and earlier and 5.0 Update 45 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT. Important CVE-2013-3743 SUSE bug 825624 SUSE bug 829212 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier allows remote attackers to affect integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2013-2400. Moderate CVE-2013-3744 SUSE bug 825624 SUSE bug 829212 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.31 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Parser. Moderate CVE-2013-3783 SUSE bug 830086 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.31 and earlier and 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Data Manipulation Language. Moderate CVE-2013-3793 SUSE bug 830086 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.30 and earlier and 5.6.10 allows remote authenticated users to affect availability via unknown vectors related to Server Partition. Moderate CVE-2013-3794 SUSE bug 830086 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Data Manipulation Language. Moderate CVE-2013-3795 SUSE bug 830086 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer. Moderate CVE-2013-3796 SUSE bug 830086 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.11 and earlier allows remote attackers to affect integrity and availability via unknown vectors related to MemCached. Moderate CVE-2013-3798 SUSE bug 830086 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.30 and earlier and 5.6.10 allows remote authenticated users to affect availability via unknown vectors related to Server Options. Moderate CVE-2013-3801 SUSE bug 830086 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.69 and earlier, 5.5.31 and earlier, and 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Full Text Search. Moderate CVE-2013-3802 SUSE bug 830086 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.69 and earlier, 5.5.31 and earlier, and 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer. Moderate CVE-2013-3804 SUSE bug 830086 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.30 and earlier and 5.6.10 allows remote authenticated users to affect availability via unknown vectors related to Prepared Statements. Moderate CVE-2013-3805 SUSE bug 830086 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB, a different vulnerability than CVE-2013-3811. Moderate CVE-2013-3806 SUSE bug 830086 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.11 and earlier allows remote attackers to affect confidentiality and integrity via unknown vectors related to Server Privileges. Moderate CVE-2013-3807 SUSE bug 830086 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.68 and earlier, 5.5.30 and earlier, and 5.6.10 allows remote authenticated users to affect availability via unknown vectors related to Server Options. Moderate CVE-2013-3808 SUSE bug 830086 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.31 and earlier and 5.6.11 and earlier allows remote authenticated users to affect integrity via unknown vectors related to Audit Log. Moderate CVE-2013-3809 SUSE bug 830086 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to XA Transactions. Moderate CVE-2013-3810 SUSE bug 830086 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB, a different vulnerability than CVE-2013-3806. Moderate CVE-2013-3811 SUSE bug 830086 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.31 and earlier and 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Replication. Moderate CVE-2013-3812 SUSE bug 830086 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java SE, Java SE Embedded component in Oracle Java SE Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality and integrity via unknown vectors related to Libraries. Important CVE-2013-3829 SUSE bug 846177 SUSE bug 846999 SUSE bug 849212 SUSE bug 852367 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause a denial of service via vectors related to XML attribute names. Important CVE-2013-4002 SUSE bug 829212 SUSE bug 846177 SUSE bug 846999 SUSE bug 849212 SUSE bug 852367 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in IBM Java SDK 5.0.0 before SR16 FP4, 7.0.0 before SR6, 6.0.1 before SR7, and 6.0.0 before SR15 allows remote attackers to access restricted classes via unspecified vectors. Important CVE-2013-4041 SUSE bug 849212 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The OpenSSL::SSL.verify_certificate_identity function in lib/openssl/ssl.rb in Ruby 1.8 before 1.8.7-p374, 1.9 before 1.9.3-p448, and 2.0 before 2.0.0-p247 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. Moderate CVE-2013-4073 SUSE bug 827265 SUSE bug 834601 SUSE bug 839107 SUSE bug 876588 SUSE bug 880222 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The dissect_capwap_data function in epan/dissectors/packet-capwap.c in the CAPWAP dissector in Wireshark 1.6.x before 1.6.16 and 1.8.x before 1.8.8 incorrectly uses a -1 data value to represent an error condition, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. Moderate CVE-2013-4074 SUSE bug 824900 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA epan/dissectors/packet-gmr1_bcch.c in the GMR-1 BCCH dissector in Wireshark 1.8.x before 1.8.8 does not properly initialize memory, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. Moderate CVE-2013-4075 SUSE bug 824900 SUSE bug 836146 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in the dissect_iphc_crtp_fh function in epan/dissectors/packet-ppp.c in the PPP dissector in Wireshark 1.8.x before 1.8.8 allows remote attackers to cause a denial of service (application crash) via a crafted packet. Moderate CVE-2013-4076 SUSE bug 824900 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Array index error in the NBAP dissector in Wireshark 1.8.x before 1.8.8 allows remote attackers to cause a denial of service (application crash) via a crafted packet, related to nbap.cnf and packet-nbap.c. Moderate CVE-2013-4077 SUSE bug 824900 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA epan/dissectors/packet-rdp.c in the RDP dissector in Wireshark 1.8.x before 1.8.8 does not validate return values during checks for data availability, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. Moderate CVE-2013-4078 SUSE bug 824900 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The dissect_schedule_message function in epan/dissectors/packet-gsm_cbch.c in the GSM CBCH dissector in Wireshark 1.8.x before 1.8.8 allows remote attackers to cause a denial of service (infinite loop and application hang) via a crafted packet. Moderate CVE-2013-4079 SUSE bug 824900 SUSE bug 836146 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The dissect_r3_upstreamcommand_queryconfig function in epan/dissectors/packet-assa_r3.c in the Assa Abloy R3 dissector in Wireshark 1.8.x before 1.8.8 does not properly handle a zero-length item, which allows remote attackers to cause a denial of service (infinite loop, and CPU and memory consumption) via a crafted packet. Moderate CVE-2013-4080 SUSE bug 824900 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The http_payload_subdissector function in epan/dissectors/packet-http.c in the HTTP dissector in Wireshark 1.6.x before 1.6.16 and 1.8.x before 1.8.8 does not properly determine when to use a recursive approach, which allows remote attackers to cause a denial of service (stack consumption) via a crafted packet. Moderate CVE-2013-4081 SUSE bug 824900 SUSE bug 836116 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The vwr_read function in wiretap/vwr.c in the Ixia IxVeriWave file parser in Wireshark 1.8.x before 1.8.8 does not validate the relationship between a record length and a trailer length, which allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) via a crafted packet. Moderate CVE-2013-4082 SUSE bug 824900 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The dissect_pft function in epan/dissectors/packet-dcp-etsi.c in the DCP ETSI dissector in Wireshark 1.6.x before 1.6.16, 1.8.x before 1.8.8, and 1.10.0 does not validate a certain fragment length value, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. Moderate CVE-2013-4083 SUSE bug 824900 SUSE bug 831718 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA ext/xml/xml.c in PHP before 5.3.27 does not properly consider parsing depth, which allows remote attackers to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a crafted document that is processed by the xml_parse_into_struct function. Important CVE-2013-4113 SUSE bug 829207 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in the idnsALookup function in dns_internal.cc in Squid 3.2 through 3.2.11 and 3.3 through 3.3.6 allows remote attackers to cause a denial of service (memory corruption and server termination) via a long name in a DNS lookup request. Moderate CVE-2013-4115 SUSE bug 829084 SUSE bug 880233 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in the read_nttrans_ea_list function in nttrans.c in smbd in Samba 3.x before 3.5.22, 3.6.x before 3.6.17, and 4.x before 4.0.8 allows remote attackers to cause a denial of service (memory consumption) via a malformed packet. Moderate CVE-2013-4124 SUSE bug 829969 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA KDE-Workspace 4.10.5 and earlier does not properly handle the return value of the glibc 2.17 crypt and pw_encrypt functions, which allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via (1) an invalid salt or a (2) DES or (3) MD5 encrypted password, when FIPS-140 is enable, to KDM or an (4) invalid password to KCheckPass. Low CVE-2013-4132 SUSE bug 829857 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Low CVE-2013-4133 SUSE bug 829857 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The udp_v6_push_pending_frames function in net/ipv6/udp.c in the IPv6 implementation in the Linux kernel through 3.10.3 makes an incorrect function call for pending data, which allows local users to cause a denial of service (BUG and system crash) via a crafted application that uses the UDP_CORK option in a setsockopt system call. Moderate CVE-2013-4162 SUSE bug 831058 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The ip6_append_data_mtu function in net/ipv6/ip6_output.c in the IPv6 implementation in the Linux kernel through 3.10.3 does not properly maintain information about whether the IPV6_MTU setsockopt option had been specified, which allows local users to cause a denial of service (BUG and system crash) via a crafted application that uses the UDP_CORK option in a setsockopt system call. Moderate CVE-2013-4163 SUSE bug 831055 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in Ruby 1.8, 1.9 before 1.9.3-p484, 2.0 before 2.0.0-p353, 2.1 before 2.1.0 preview2, and trunk before revision 43780 allows context-dependent attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a string that is converted to a floating point value, as demonstrated using (1) the to_f method or (2) JSON.parse. Critical CVE-2013-4164 SUSE bug 851803 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple buffer overflows in libtiff before 4.0.3 allow remote attackers to cause a denial of service (out-of-bounds write) via a crafted (1) extension block in a GIF image or (2) GIF raster image to tools/gif2tiff.c or (3) a long filename for a TIFF image to tools/rgb2ycbcr.c. NOTE: vectors 1 and 3 are disputed by Red Hat, which states that the input cannot exceed the allocated buffer size. Moderate CVE-2013-4231 SUSE bug 834477 SUSE bug 854393 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in the t2p_readwrite_pdf_image function in tools/tiff2pdf.c in libtiff 4.0.3 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted TIFF image. Moderate CVE-2013-4232 SUSE bug 834477 SUSE bug 854393 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA sysdeps/posix/readdir_r.c in the GNU C Library (aka glibc or libc6) 2.18 and earlier allows context-dependent attackers to cause a denial of service (out-of-bounds write and crash) or possibly execute arbitrary code via a crafted (1) NTFS or (2) CIFS image. Moderate CVE-2013-4237 SUSE bug 834594 SUSE bug 882910 SUSE bug 920055 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. Moderate CVE-2013-4238 SUSE bug 834601 SUSE bug 839107 SUSE bug 882915 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA GnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x and possibly other products, allows local users to obtain private RSA keys via a cache side-channel attack involving the L3 cache, aka Flush+Reload. Moderate CVE-2013-4242 SUSE bug 831359 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the readgifimage function in the gif2tiff tool in libtiff 4.0.3 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted height and width values in a GIF image. Moderate CVE-2013-4243 SUSE bug 834779 SUSE bug 854393 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The LZW decompressor in the gif2tiff tool in libtiff 4.0.3 and earlier allows context-dependent attackers to cause a denial of service (out-of-bounds write and crash) or possibly execute arbitrary code via a crafted GIF image. Moderate CVE-2013-4244 SUSE bug 834788 SUSE bug 854393 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Moderate CVE-2013-4245 SUSE bug 916835 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The openssl_x509_parse function in openssl.c in the OpenSSL module in PHP before 5.4.18 and 5.5.x before 5.5.2 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. Moderate CVE-2013-4248 SUSE bug 837746 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple stack-based buffer overflows in LittleCMS (aka lcms or liblcms) 1.19 and earlier allow remote attackers to cause a denial of service (crash) via a crafted (1) ICC color profile to the icctrans utility or (2) TIFF image to the tiffdiff utility. Moderate CVE-2013-4276 SUSE bug 843716 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The remoteDispatchDomainMemoryStats function in daemon/remote.c in libvirt 0.9.1 through 0.10.1.x, 0.10.2.x before 0.10.2.8, 1.0.x before 1.0.5.6, and 1.1.x before 1.1.2 allows remote authenticated users to cause a denial of service (uninitialized pointer dereference and crash) via a crafted RPC call. Important CVE-2013-4296 SUSE bug 836931 SUSE bug 838638 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Interpretation conflict in drivers/md/dm-snap-persistent.c in the Linux kernel through 3.11.6 allows remote authenticated users to obtain sensitive information or modify data via a crafted mapping to a snapshot block device. Moderate CVE-2013-4299 SUSE bug 846404 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The Linux kernel before 4.4.1 allows local users to bypass file-descriptor limits and cause a denial of service (memory consumption) by sending each descriptor over a UNIX socket before closing it, related to net/unix/af_unix.c and net/unix/garbage.c. Moderate CVE-2013-4312 SUSE bug 839104 SUSE bug 922947 SUSE bug 968014 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors. Moderate CVE-2013-4316 SUSE bug 858823 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 processes chunked transfer coding without properly handling (1) a large total amount of chunked data or (2) whitespace characters in an HTTP header value within a trailer field, which allows remote attackers to cause a denial of service by streaming data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3544. Moderate CVE-2013-4322 SUSE bug 865746 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The check_permission_v1 function in base/pkit.py in HP Linux Imaging and Printing (HPLIP) through 3.13.9 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process. Moderate CVE-2013-4325 SUSE bug 808355 SUSE bug 836931 SUSE bug 836932 SUSE bug 836937 SUSE bug 852368 SUSE bug 864716 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple integer overflows in malloc/malloc.c in the GNU C Library (aka glibc or libc6) 2.18 and earlier allow context-dependent attackers to cause a denial of service (heap corruption) via a large value to the (1) pvalloc, (2) valloc, (3) posix_memalign, (4) memalign, or (5) aligned_alloc functions. Moderate CVE-2013-4332 SUSE bug 839870 SUSE bug 882910 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA xinetd does not enforce the user and group configuration directives for TCPMUX services, which causes these services to be run as root and makes it easier for remote attackers to gain privileges by leveraging another vulnerability in a service. Low CVE-2013-4342 SUSE bug 844230 SUSE bug 855685 SUSE bug 882917 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in the SCSI implementation in QEMU, as used in Xen, when a SCSI controller has more than 256 attached devices, allows local users to gain privileges via a small transfer buffer in a REPORT LUNS command. Moderate CVE-2013-4344 SUSE bug 842006 SUSE bug 871442 SUSE bug 880751 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Off-by-one error in the get_prng_bytes function in crypto/ansi_cprng.c in the Linux kernel through 3.11.4 makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms via multiple requests for small amounts of data, leading to improper management of the state of the consumed data. Moderate CVE-2013-4345 SUSE bug 840226 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA GnuPG 1.4.x, 2.0.x, and 2.1.x treats a key flags subpacket with all bits cleared (no usage permitted) as if it has all bits set (all usage permitted), which might allow remote attackers to bypass intended cryptographic protection mechanisms by leveraging the subkey. Low CVE-2013-4351 SUSE bug 840510 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Xen 4.3.x and earlier does not properly handle certain errors, which allows local HVM guests to obtain hypervisor stack memory via a (1) port or (2) memory mapped I/O write or (3) other unspecified operations related to addresses without associated memory. Moderate CVE-2013-4355 SUSE bug 840592 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Moderate CVE-2013-4357 SUSE bug 844309 SUSE bug 883217 SUSE bug 903057 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The fbld instruction emulation in Xen 3.3.x through 4.3.x does not use the correct variable for the source effective address, which allows local HVM guests to obtain hypervisor stack information by reading the values used by the instruction. Moderate CVE-2013-4361 SUSE bug 840592 SUSE bug 841766 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The outs instruction emulation in Xen 3.1.x, 4.2.x, 4.3.x, and earlier, when using FS: or GS: segment override, uses an uninitialized variable as a segment base, which allows local 64-bit PV guests to obtain sensitive information (hypervisor stack content) via unspecified vectors related to stale data in a segment register. Moderate CVE-2013-4368 SUSE bug 840592 SUSE bug 842511 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The xlu_vif_parse_rate function in the libxlu library in Xen 4.2.x and 4.3.x allows local users to cause a denial of service (NULL pointer dereference) by using the "@" character as the VIF rate configuration. Moderate CVE-2013-4369 SUSE bug 840592 SUSE bug 842512 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The ocaml binding for the xc_vcpu_getaffinity function in Xen 4.2.x and 4.3.x frees certain memory that may still be intended for use, which allows local users to cause a denial of service (heap corruption and crash) and possibly execute arbitrary code via unspecified vectors that trigger a (1) use-after-free or (2) double free. Low CVE-2013-4370 SUSE bug 840592 SUSE bug 842513 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in the libxl_list_cpupool function in the libxl toolstack library in Xen 4.2.x and 4.3.x, when running "under memory pressure," returns the original pointer when the realloc function fails, which allows local users to cause a denial of service (heap corruption and crash) and possibly execute arbitrary code via unspecified vectors. Moderate CVE-2013-4371 SUSE bug 840592 SUSE bug 842514 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The qdisk PV disk backend in qemu-xen in Xen 4.2.x and 4.3.x before 4.3.1, and qemu 1.1 and other versions, allows local HVM guests to cause a denial of service (domain grant reference consumption) via unspecified vectors. Low CVE-2013-4375 SUSE bug 840592 SUSE bug 842515 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in the doImageText function in dix/dixfonts.c in the xorg-server module before 1.14.4 in X.Org X11 allows remote authenticated users to cause a denial of service (daemon crash) or possibly execute arbitrary code via a crafted ImageText request that triggers memory-allocation failure. Important CVE-2013-4396 SUSE bug 843652 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The compressed packet parser in GnuPG 1.4.x before 1.4.15 and 2.0.x before 2.0.22 allows remote attackers to cause a denial of service (infinite recursion) via a crafted OpenPGP message. Important CVE-2013-4402 SUSE bug 844175 SUSE bug 941439 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the dcerpc_read_ncacn_packet_done function in librpc/rpc/dcerpc_util.c in winbindd in Samba 3.x before 3.6.22, 4.0.x before 4.0.13, and 4.1.x before 4.1.3 allows remote AD domain controllers to execute arbitrary code via an invalid fragment length in a DCE-RPC packet. Important CVE-2013-4408 SUSE bug 844720 SUSE bug 848101 SUSE bug 882906 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The Ocaml xenstored implementation (oxenstored) in Xen 4.1.x, 4.2.x, and 4.3.x allows local guest domains to cause a denial of service (domain shutdown) via a large message reply. Moderate CVE-2013-4416 SUSE bug 840592 SUSE bug 845520 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The guestfish command in libguestfs 1.20.12, 1.22.7, and earlier, when using the --remote or --listen option, does not properly check the ownership of /tmp/.guestfish-$UID/ when creating a temporary socket file in this directory, which allows local users to write to the socket and execute arbitrary commands by creating /tmp/.guestfish-$UID/ in advance. Important CVE-2013-4419 SUSE bug 845720 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The rwm overlay in OpenLDAP 2.4.23, 2.4.36, and earlier does not properly count references, which allows remote attackers to cause a denial of service (slapd crash) by unbinding immediately after a search request, which triggers rwm_conn_destroy to free the session context while it is being used by rwm_op_search. Moderate CVE-2013-4449 SUSE bug 846389 SUSE bug 905959 SUSE bug 916897 SUSE bug 916914 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Stack-based buffer overflow in the getaddrinfo function in sysdeps/posix/getaddrinfo.c in GNU C Library (aka glibc or libc6) 2.18 and earlier allows remote attackers to cause a denial of service (crash) via a (1) hostname or (2) IP address that triggers a large number of AF_INET6 address results. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-1914. Moderate CVE-2013-4458 SUSE bug 847227 SUSE bug 883217 SUSE bug 941444 SUSE bug 955181 SUSE bug 967023 SUSE bug 980483 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The Linux kernel before 3.12, when UDP Fragmentation Offload (UFO) is enabled, does not properly initialize certain data structures, which allows local users to cause a denial of service (memory corruption and system crash) or possibly gain privileges via a crafted application that uses the UDP_CORK option in a setsockopt system call and sends both short and long packets, related to the ip_ufo_append_data function in net/ipv4/ip_output.c and the ip6_ufo_append_data function in net/ipv6/ip6_output.c. Important CVE-2013-4470 SUSE bug 847672 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Samba 3.2.x through 3.6.x before 3.6.20, 4.0.x before 4.0.11, and 4.1.x before 4.1.1, when vfs_streams_depot or vfs_streams_xattr is enabled, allows remote attackers to bypass intended file restrictions by leveraging ACL differences between a file and an associated alternate data stream (ADS). Moderate CVE-2013-4475 SUSE bug 848101 SUSE bug 880220 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The ipc_rcu_putref function in ipc/util.c in the Linux kernel before 3.10 does not properly manage a reference count, which allows local users to cause a denial of service (memory consumption or system crash) via a crafted application. Moderate CVE-2013-4483 SUSE bug 848321 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Xen before 4.1.x, 4.2.x, and 4.3.x does not take the page_alloc_lock and grant_table.lock in the same order, which allows local guest administrators with access to multiple vcpus to cause a denial of service (host deadlock) via unspecified vectors. Moderate CVE-2013-4494 SUSE bug 848657 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Samba 3.x before 3.6.23, 4.0.x before 4.0.16, and 4.1.x before 4.1.6 does not enforce the password-guessing protection mechanism for all interfaces, which makes it easier for remote attackers to obtain access via brute-force ChangePasswordUser2 (1) SAMR or (2) RAP attempts. Moderate CVE-2013-4496 SUSE bug 849224 SUSE bug 866844 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple integer overflows in Alchemy LCD frame-buffer drivers in the Linux kernel before 3.12 allow local users to create a read-write memory mapping for the entirety of kernel memory, and consequently gain privileges, via crafted mmap operations, related to the (1) au1100fb_fb_mmap function in drivers/video/au1100fb.c and the (2) au1200fb_fb_mmap function in drivers/video/au1200fb.c. Moderate CVE-2013-4511 SUSE bug 849021 SUSE bug 850263 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple buffer overflows in drivers/staging/wlags49_h2/wl_priv.c in the Linux kernel before 3.12 allow local users to cause a denial of service or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability and providing a long station-name string, related to the (1) wvlan_uil_put_info and (2) wvlan_set_station_nickname functions. Moderate CVE-2013-4514 SUSE bug 849029 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The bcm_char_ioctl function in drivers/staging/bcm/Bcmchar.c in the Linux kernel before 3.12 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via an IOCTL_BCM_GET_DEVICE_DRIVER_INFO ioctl call. Moderate CVE-2013-4515 SUSE bug 849034 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in hw/timer/hpet.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via vectors related to the number of timers. Moderate CVE-2013-4527 SUSE bug 864673 SUSE bug 871442 SUSE bug 964746 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in hw/pci/pcie_aer.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large log_num value in a savevm image. Moderate CVE-2013-4529 SUSE bug 864678 SUSE bug 871442 SUSE bug 964929 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in hw/ssi/pl022.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via crafted tx_fifo_head and rx_fifo_head values in a savevm image. Moderate CVE-2013-4530 SUSE bug 864682 SUSE bug 871442 SUSE bug 964950 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in the pxa2xx_ssp_load function in hw/arm/pxa2xx.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted s->rx_level value in a savevm image. Moderate CVE-2013-4533 SUSE bug 864655 SUSE bug 871442 SUSE bug 964644 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in hw/intc/openpic.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via vectors related to IRQDest elements. Moderate CVE-2013-4534 SUSE bug 864811 SUSE bug 871442 SUSE bug 964452 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The ssi_sd_transfer function in hw/sd/ssi-sd.c in QEMU before 1.7.2 allows remote attackers to execute arbitrary code via a crafted arglen value in a savevm image. Moderate CVE-2013-4537 SUSE bug 864391 SUSE bug 871442 SUSE bug 962642 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple buffer overflows in the ssd0323_load function in hw/display/ssd0323.c in QEMU before 1.7.2 allow remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via crafted (1) cmd_len, (2) row, or (3) col values; (4) row_start and row_end values; or (5) col_star and col_end values in a savevm image. Moderate CVE-2013-4538 SUSE bug 864769 SUSE bug 871442 SUSE bug 962335 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple buffer overflows in the tsc210x_load function in hw/input/tsc210x.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted (1) precision, (2) nextprecision, (3) function, or (4) nextfunction value in a savevm image. Moderate CVE-2013-4539 SUSE bug 864805 SUSE bug 871442 SUSE bug 962758 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in scoop_gpio_handler_update in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a large (1) prev_level, (2) gpio_level, or (3) gpio_dir value in a savevm image. Moderate CVE-2013-4540 SUSE bug 864801 SUSE bug 871442 SUSE bug 880751 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The usb_device_post_load function in hw/usb/bus.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted savevm image, related to a negative setup_len or setup_index value. Moderate CVE-2013-4541 SUSE bug 864802 SUSE bug 871442 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is disabled, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. Moderate CVE-2013-4545 SUSE bug 849596 SUSE bug 870444 SUSE bug 880252 SUSE bug 882520 SUSE bug 924250 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack. Moderate CVE-2013-4549 SUSE bug 1039291 SUSE bug 856832 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Xen 4.2.x and 4.3.x, when nested virtualization is disabled, does not properly check the emulation paths for (1) VMLAUNCH and (2) VMRESUME, which allows local HVM guest users to cause a denial of service (host crash) via unspecified vectors related to "guest VMX instruction execution." Moderate CVE-2013-4551 SUSE bug 848657 SUSE bug 849665 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The XEN_DOMCTL_getmemlist hypercall in Xen 3.4.x through 4.3.x (possibly 4.3.1) does not always obtain the page_alloc_lock and mm_rwlock in the same order, which allows local guest administrators to cause a denial of service (host deadlock). Moderate CVE-2013-4553 SUSE bug 848657 SUSE bug 849667 SUSE bug 849668 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Xen 3.0.3 through 4.1.x (possibly 4.1.6.1), 4.2.x (possibly 4.2.3), and 4.3.x (possibly 4.3.1) does not properly prevent access to hypercalls, which allows local guest users to gain privileges via a crafted application running in ring 1 or 2. Moderate CVE-2013-4554 SUSE bug 848657 SUSE bug 849668 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 mod_nss 1.0.8 and earlier, when NSSVerifyClient is set to none for the server/vhost context, does not enforce the NSSVerifyClient setting in the directory context, which allows remote attackers to bypass intended access restrictions. Moderate CVE-2013-4566 SUSE bug 853039 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The ath9k_htc_set_bssid_mask function in drivers/net/wireless/ath/ath9k/htc_drv_main.c in the Linux kernel through 3.12 uses a BSSID masking approach to determine the set of MAC addresses on which a Wi-Fi device is listening, which allows remote attackers to discover the original MAC address after spoofing by sending a series of packets to MAC addresses with certain bit manipulations. Moderate CVE-2013-4579 SUSE bug 851426 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Array index error in the kvm_vm_ioctl_create_vcpu function in virt/kvm/kvm_main.c in the KVM subsystem in the Linux kernel through 3.12.5 allows local users to gain privileges via a large id value. Important CVE-2013-4587 SUSE bug 853050 SUSE bug 882914 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Memory leak in the __kvm_set_memory_region function in virt/kvm/kvm_main.c in the Linux kernel before 3.9 allows local users to cause a denial of service (memory consumption) by leveraging certain device access to trigger movement of memory slots. Moderate CVE-2013-4592 SUSE bug 851101 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in the SdnToJewish function in jewish.c in the Calendar component in PHP before 5.3.26 and 5.4.x before 5.4.16 allows context-dependent attackers to cause a denial of service (application hang) via a large argument to the jdtojewish function. Moderate CVE-2013-4635 SUSE bug 828020 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Puppet 2.7.x before 2.7.23 and 3.2.x before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x before 3.0.1, allows remote attackers to execute arbitrary Ruby programs from the master via the resource_type service. NOTE: this vulnerability can only be exploited utilizing unspecified "local file system access" to the Puppet Master. Moderate CVE-2013-4761 SUSE bug 835122 SUSE bug 836962 SUSE bug 880224 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The PTR_MANGLE implementation in the GNU C Library (aka glibc or libc6) 2.4, 2.17, and earlier, and Embedded GLIBC (EGLIBC) does not initialize the random value for the pointer guard, which makes it easier for context-dependent attackers to control execution flow by leveraging a buffer-overflow vulnerability in an application and using the known zero value pointer guard to calculate a pointer address. Moderate CVE-2013-4788 SUSE bug 830268 SUSE bug 882910 SUSE bug 950944 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The RFC 5011 implementation in rdata.c in ISC BIND 9.7.x and 9.8.x before 9.8.5-P2, 9.8.6b1, 9.9.x before 9.9.3-P2, and 9.9.4b1, and DNSco BIND 9.9.3-S1 before 9.9.3-S1-P1 and 9.9.4-S1b1, allows remote attackers to cause a denial of service (assertion failure and named daemon exit) via a query with a malformed RDATA section that is not properly handled during construction of a log message, as exploited in the wild in July 2013. Moderate CVE-2013-4854 SUSE bug 831899 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The parseFields function in epan/dissectors/packet-dis-pdus.c in the DIS dissector in Wireshark 1.8.x before 1.8.9 and 1.10.x before 1.10.1 does not terminate packet-data processing after finding zero remaining bytes, which allows remote attackers to cause a denial of service (loop) via a crafted packet. Moderate CVE-2013-4929 SUSE bug 831718 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The dissect_dvbci_tpdu_hdr function in epan/dissectors/packet-dvbci.c in the DVB-CI dissector in Wireshark 1.8.x before 1.8.9 and 1.10.x before 1.10.1 does not validate a certain length value before decrementing it, which allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted packet. Moderate CVE-2013-4930 SUSE bug 831718 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA epan/proto.c in Wireshark 1.8.x before 1.8.9 and 1.10.x before 1.10.1 allows remote attackers to cause a denial of service (loop) via a crafted packet that is not properly handled by the GSM RR dissector. Moderate CVE-2013-4931 SUSE bug 831718 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple array index errors in epan/dissectors/packet-gsm_a_common.c in the GSM A Common dissector in Wireshark 1.8.x before 1.8.9 and 1.10.x before 1.10.1 allow remote attackers to cause a denial of service (application crash) via a crafted packet. Moderate CVE-2013-4932 SUSE bug 831718 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The netmon_open function in wiretap/netmon.c in the Netmon file parser in Wireshark 1.8.x before 1.8.9 and 1.10.x before 1.10.1 does not properly allocate memory, which allows remote attackers to cause a denial of service (application crash) via a crafted packet-trace file. Moderate CVE-2013-4933 SUSE bug 831718 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The netmon_open function in wiretap/netmon.c in the Netmon file parser in Wireshark 1.8.x before 1.8.9 and 1.10.x before 1.10.1 does not initialize certain structure members, which allows remote attackers to cause a denial of service (application crash) via a crafted packet-trace file. Moderate CVE-2013-4934 SUSE bug 831718 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The dissect_per_length_determinant function in epan/dissectors/packet-per.c in the ASN.1 PER dissector in Wireshark 1.8.x before 1.8.9 and 1.10.x before 1.10.1 does not initialize a length field in certain abnormal situations, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. Moderate CVE-2013-4935 SUSE bug 831718 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Puppet before 3.3.3 and 3.4 before 3.4.1 and Puppet Enterprise (PE) before 2.8.4 and 3.1 before 3.1.1 allows local users to overwrite arbitrary files via a symlink attack on unspecified files. Moderate CVE-2013-4969 SUSE bug 856843 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The is_asn1 function in strongSwan 4.1.11 through 5.0.4 does not properly validate the return value of the asn1_length function, which allows remote attackers to cause a denial of service (segmentation fault) via a (1) XAuth username, (2) EAP identity, or (3) PEM encoded file that starts with a 0x04, 0x30, or 0x31 character followed by an ASN.1 length value that triggers an integer overflow. Moderate CVE-2013-5018 SUSE bug 833278 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited in the wild in December 2013. Moderate CVE-2013-5211 SUSE bug 857195 SUSE bug 889447 SUSE bug 959243 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The XML4J parser in IBM WebSphere Message Broker 6.1 before 6.1.0.12, 7.0 before 7.0.0.7, and 8.0 before 8.0.0.4 and IBM Integration Bus 9.0 before 9.0.0.1 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document that triggers expansion for many entities. Moderate CVE-2013-5372 SUSE bug 849212 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in IBM Java SDK 7.0.0 before SR6, 6.0.1 before SR7, 6.0.0 before SR15, and 5.0.0 before SR16 FP4 allows remote attackers to access restricted classes via unspecified vectors related to XML and XSL. Moderate CVE-2013-5375 SUSE bug 849212 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The com.ibm.rmi.io.SunSerializableFactory class in IBM Java SDK 7.0.0 before SR6 allows remote attackers to bypass a sandbox protection mechanism and execute arbitrary code via vectors related to deserialization inside the AccessController doPrivileged block. Moderate CVE-2013-5456 SUSE bug 849212 SUSE bug 977646 SUSE bug 981057 SUSE bug 981060 SUSE bug 981087 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in IBM Java SDK 7.0.0 before SR6, 6.0.1 before SR7, and 6.0.0 before SR15 allows remote attackers to execute arbitrary code via unspecified vectors. Important CVE-2013-5457 SUSE bug 849212 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in IBM Java SDK 7.0.0 before SR6 allows remote attackers to execute arbitrary code via unspecified vectors. Important CVE-2013-5458 SUSE bug 849212 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Mozilla Network Security Services (NSS) 3.14 before 3.14.5 and 3.15 before 3.15.3 allows remote attackers to cause a denial of service or possibly have unspecified other impact via invalid handshake packets. Moderate CVE-2013-5605 SUSE bug 850148 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The CERT_VerifyCert function in lib/certhigh/certvfy.c in Mozilla Network Security Services (NSS) 3.15 before 3.15.3 provides an unexpected return value for an incompatible key-usage certificate when the CERTVerifyLog argument is valid, which might allow remote attackers to bypass intended access restrictions via a crafted certificate. Moderate CVE-2013-5606 SUSE bug 850148 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in the PL_ArenaAllocate function in Mozilla Netscape Portable Runtime (NSPR) before 4.10.2, as used in Firefox before 25.0.1, Firefox ESR 17.x before 17.0.11 and 24.x before 24.1.1, and SeaMonkey before 2.22.1, allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted X.509 certificate, a related issue to CVE-2013-1741. Moderate CVE-2013-5607 SUSE bug 850148 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 26.0, Firefox ESR 24.x before 24.2, Thunderbird before 24.2, and SeaMonkey before 2.23 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Moderate CVE-2013-5609 SUSE bug 854370 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 26.0 and SeaMonkey before 2.23 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Important CVE-2013-5610 SUSE bug 854370 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Mozilla Firefox before 26.0 does not properly remove the Application Installation doorhanger, which makes it easier for remote attackers to spoof a Web App installation site by controlling the timing of page navigation. Moderate CVE-2013-5611 SUSE bug 854370 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 26.0 and SeaMonkey before 2.23 makes it easier for remote attackers to inject arbitrary web script or HTML by leveraging a Same Origin Policy violation triggered by lack of a charset parameter in a Content-Type HTTP header. Moderate CVE-2013-5612 SUSE bug 854370 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in the PresShell::DispatchSynthMouseMove function in Mozilla Firefox before 26.0, Firefox ESR 24.x before 24.2, Thunderbird before 24.2, and SeaMonkey before 2.23 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via vectors involving synthetic mouse movement, related to the RestyleManager::GetHoverGeneration function. Moderate CVE-2013-5613 SUSE bug 854370 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Mozilla Firefox before 26.0 and SeaMonkey before 2.23 do not properly consider the sandbox attribute of an IFRAME element during processing of a contained OBJECT element, which allows remote attackers to bypass intended sandbox restrictions via a crafted web site. Moderate CVE-2013-5614 SUSE bug 854370 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The JavaScript implementation in Mozilla Firefox before 26.0, Firefox ESR 24.x before 24.2, Thunderbird before 24.2, and SeaMonkey before 2.23 does not properly enforce certain typeset restrictions on the generation of GetElementIC typed array stubs, which has unspecified impact and remote attack vectors. Moderate CVE-2013-5615 SUSE bug 854370 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in the nsEventListenerManager::HandleEventSubType function in Mozilla Firefox before 26.0, Firefox ESR 24.x before 24.2, Thunderbird before 24.2, and SeaMonkey before 2.23 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via vectors related to mListeners event listeners. Moderate CVE-2013-5616 SUSE bug 854370 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in the nsNodeUtils::LastRelease function in the table-editing user interface in the editor component in Mozilla Firefox before 26.0, Firefox ESR 24.x before 24.2, Thunderbird before 24.2, and SeaMonkey before 2.23 allows remote attackers to execute arbitrary code by triggering improper garbage collection. Moderate CVE-2013-5618 SUSE bug 854370 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple integer overflows in the binary-search implementation in SpiderMonkey in Mozilla Firefox before 26.0 and SeaMonkey before 2.23 might allow remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted JavaScript code. Moderate CVE-2013-5619 SUSE bug 854370 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The virBitmapParse function in util/virbitmap.c in libvirt before 1.1.2 allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via a crafted bitmap, as demonstrated by a large nodeset value to numatune. Moderate CVE-2013-5651 SUSE bug 837999 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The getenv and filenameforall functions in Ghostscript 9.10 ignore the "-dSAFER" argument, which allows remote attackers to read data via a crafted postscript file. Important CVE-2013-5653 SUSE bug 1001951 SUSE bug 1004237 SUSE bug 1036453 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass "RequestHeader unset" directives by placing a header in the trailer portion of data sent with chunked transfer coding. NOTE: the vendor states "this is not a security issue in httpd as such." Low CVE-2013-5704 SUSE bug 871310 SUSE bug 914535 SUSE bug 915666 SUSE bug 930944 SUSE bug 938728 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA apache2/modsecurity.c in ModSecurity before 2.7.6 allows remote attackers to bypass rules by using chunked transfer coding with a capitalized Chunked value in the Transfer-Encoding HTTP header. Moderate CVE-2013-5705 SUSE bug 871309 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The vino_server_client_data_pending function in vino-server.c in GNOME Vino 2.26.1, 2.32.1, 3.7.3, and earlier, and 3.8 when encryption is disabled, does not properly clear client data when an error causes the connection to close during authentication, which allows remote attackers to cause a denial of service (infinite loop, CPU and disk consumption) via multiple crafted requests during authentication. Important CVE-2013-5745 SUSE bug 843174 SUSE bug 880231 SUSE bug 880271 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java SE component in Oracle Java SE Java SE 7u40 and earlier and Java SE 6u60 and earlier allows remote attackers to affect integrity via unknown vectors related to jhat. Moderate CVE-2013-5772 SUSE bug 846177 SUSE bug 846999 SUSE bug 849212 SUSE bug 852367 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u40 and earlier, 6u60 and earlier, 5.0u51 and earlier, and Embedded 7u40 and earlier allows remote attackers to affect integrity via unknown vectors related to Libraries. Important CVE-2013-5774 SUSE bug 846177 SUSE bug 846999 SUSE bug 849212 SUSE bug 852367 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java SE and Java SE Embedded components in Oracle Java SE Java SE 7u40 and earlier, Java SE 6u60 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect integrity via unknown vectors related to Deployment. Moderate CVE-2013-5776 SUSE bug 846177 SUSE bug 849212 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u40 and earlier, 6u60 and earlier, 5.0u51 and earlier, and Embedded 7u40 and earlier allows remote attackers to affect confidentiality via unknown vectors related to 2D. Moderate CVE-2013-5778 SUSE bug 846177 SUSE bug 846999 SUSE bug 849212 SUSE bug 852367 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality via unknown vectors related to Libraries. Moderate CVE-2013-5780 SUSE bug 846177 SUSE bug 846999 SUSE bug 849212 SUSE bug 852367 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. Important CVE-2013-5782 SUSE bug 846177 SUSE bug 846999 SUSE bug 849212 SUSE bug 852367 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality and integrity via unknown vectors related to Swing. Moderate CVE-2013-5783 SUSE bug 846177 SUSE bug 846999 SUSE bug 849212 SUSE bug 852367 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect integrity via vectors related to SCRIPTING. Moderate CVE-2013-5784 SUSE bug 846177 SUSE bug 846999 SUSE bug 849212 SUSE bug 852367 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2013-5789, CVE-2013-5824, CVE-2013-5832, and CVE-2013-5852. Important CVE-2013-5787 SUSE bug 846177 SUSE bug 849212 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u40 and earlier and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. Important CVE-2013-5788 SUSE bug 846177 SUSE bug 849212 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2013-5787, CVE-2013-5824, CVE-2013-5832, and CVE-2013-5852. Important CVE-2013-5789 SUSE bug 846177 SUSE bug 849212 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality via vectors related to BEANS. Important CVE-2013-5790 SUSE bug 846177 SUSE bug 846999 SUSE bug 849212 SUSE bug 852367 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and JavaFX 2.2.40 and earlier allows remote authenticated users to affect integrity via unknown vectors related to Javadoc. Low CVE-2013-5797 SUSE bug 846177 SUSE bug 846999 SUSE bug 849212 SUSE bug 852367 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u40 and earlier and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality via vectors related to JGSS. Moderate CVE-2013-5800 SUSE bug 846177 SUSE bug 846999 SUSE bug 849212 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality via unknown vectors related to 2D. Moderate CVE-2013-5801 SUSE bug 846177 SUSE bug 849212 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP. Moderate CVE-2013-5802 SUSE bug 846177 SUSE bug 846999 SUSE bug 849212 SUSE bug 852367 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect availability via vectors related to JGSS. Important CVE-2013-5803 SUSE bug 846177 SUSE bug 846999 SUSE bug 849212 SUSE bug 852367 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, and JRockit R27.7.6 and earlier allows remote attackers to affect confidentiality and integrity via unknown vectors related to Javadoc. Moderate CVE-2013-5804 SUSE bug 846177 SUSE bug 846999 SUSE bug 849212 SUSE bug 852367 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D, a different vulnerability than CVE-2013-5829. Important CVE-2013-5809 SUSE bug 846177 SUSE bug 846999 SUSE bug 849212 SUSE bug 852367 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality and availability via unknown vectors related to Deployment. Important CVE-2013-5812 SUSE bug 846177 SUSE bug 849212 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to CORBA. Important CVE-2013-5814 SUSE bug 846177 SUSE bug 846999 SUSE bug 849212 SUSE bug 852367 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JNDI. Important CVE-2013-5817 SUSE bug 846177 SUSE bug 846999 SUSE bug 849212 SUSE bug 852367 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2013-5819 and CVE-2013-5831. Moderate CVE-2013-5818 SUSE bug 846177 SUSE bug 849212 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2013-5818 and CVE-2013-5831. Important CVE-2013-5819 SUSE bug 846177 SUSE bug 849212 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect integrity via vectors related to JAX-WS. Moderate CVE-2013-5820 SUSE bug 846177 SUSE bug 846999 SUSE bug 849212 SUSE bug 852367 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect availability via unknown vectors related to Security. Important CVE-2013-5823 SUSE bug 846177 SUSE bug 846999 SUSE bug 849212 SUSE bug 852367 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2013-5787, CVE-2013-5789, CVE-2013-5832, and CVE-2013-5852. Important CVE-2013-5824 SUSE bug 846177 SUSE bug 849212 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect availability via vectors related to JAXP. Moderate CVE-2013-5825 SUSE bug 846177 SUSE bug 846999 SUSE bug 849212 SUSE bug 852367 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D, a different vulnerability than CVE-2013-5809. Important CVE-2013-5829 SUSE bug 846177 SUSE bug 846999 SUSE bug 849212 SUSE bug 852367 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. Important CVE-2013-5830 SUSE bug 846177 SUSE bug 846999 SUSE bug 849212 SUSE bug 852367 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2013-5818 and CVE-2013-5819. Moderate CVE-2013-5831 SUSE bug 846177 SUSE bug 849212 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2013-5787, CVE-2013-5789, CVE-2013-5824, and CVE-2013-5852. Important CVE-2013-5832 SUSE bug 846177 SUSE bug 849212 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u25 and earlier, and Java SE Embedded 7u25 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. Important CVE-2013-5838 SUSE bug 846177 SUSE bug 849212 SUSE bug 972468 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality via unknown vectors related to Libraries. Moderate CVE-2013-5840 SUSE bug 846177 SUSE bug 846999 SUSE bug 849212 SUSE bug 852367 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2013-5850. Moderate CVE-2013-5842 SUSE bug 846177 SUSE bug 846999 SUSE bug 849212 SUSE bug 852367 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JavaFX 2.2.40 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. Important CVE-2013-5843 SUSE bug 846177 SUSE bug 849212 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, and JavaFX 2.2.40 and earlier allows remote attackers to affect integrity via unknown vectors related to Deployment. Moderate CVE-2013-5848 SUSE bug 846177 SUSE bug 849212 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality via vectors related to AWT. Moderate CVE-2013-5849 SUSE bug 846177 SUSE bug 846999 SUSE bug 849212 SUSE bug 852367 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2013-5842. Important CVE-2013-5850 SUSE bug 846177 SUSE bug 846999 SUSE bug 849212 SUSE bug 852367 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u40 and earlier and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality via vectors related to JAXP. Moderate CVE-2013-5851 SUSE bug 846177 SUSE bug 846999 SUSE bug 849212 SUSE bug 852367 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.14 and earlier allows remote authenticated users to affect availability via vectors related to GIS. Moderate CVE-2013-5860 SUSE bug 858823 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u65 and 7u45, Java SE Embedded 7u45, and OpenJDK 7 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Security. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that the Security component does not properly handle null XML namespace (xmlns) attributes during XML document canonicalization, which allows attackers to escape the sandbox. Moderate CVE-2013-5878 SUSE bug 858818 SUSE bug 862064 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.14 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB, a different vulnerability than CVE-2014-0431. Moderate CVE-2013-5881 SUSE bug 858823 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Stored Procedures. Moderate CVE-2013-5882 SUSE bug 858823 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Java SE Embedded 7u45; and OpenJDK 7 allows remote attackers to affect confidentiality via vectors related to CORBA. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that the issue is related to an incorrect check for code permissions by CORBA stub factories. Moderate CVE-2013-5884 SUSE bug 858818 SUSE bug 862064 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote attackers to affect availability via unknown vectors related to Deployment. Moderate CVE-2013-5887 SUSE bug 862064 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u65 and 7u45, when running with GNOME, allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. Moderate CVE-2013-5888 SUSE bug 862064 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2013-5902, CVE-2014-0410, CVE-2014-0415, CVE-2014-0418, and CVE-2014-0424. Important CVE-2013-5889 SUSE bug 862064 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.33 and earlier and 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Partition. Moderate CVE-2013-5891 SUSE bug 858823 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB. Moderate CVE-2013-5894 SUSE bug 858823 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Java SE Embedded 7u45; and OpenJDK 7 allows remote attackers to affect availability via vectors related to CORBA. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that com.sun.corba.se and its sub-packages are not included on the restricted package list. Moderate CVE-2013-5896 SUSE bug 858818 SUSE bug 862064 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2014-0375 and CVE-2014-0403. Moderate CVE-2013-5898 SUSE bug 862064 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote attackers to affect confidentiality via unknown vectors related to Deployment. Moderate CVE-2013-5899 SUSE bug 862064 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; JRockit R27.7.7 and R28.2.9; Java SE Embedded 7u45; and OpenJDK 7 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that the issue is due to incorrect input validation in LookupProcessor.cpp in the ICU Layout Engine, which allows attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted font file. Moderate CVE-2013-5907 SUSE bug 858818 SUSE bug 862064 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote attackers to affect availability via unknown vectors related to Error Handling. Low CVE-2013-5908 SUSE bug 858823 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u65 and 7u45, Java SE Embedded 7u45, and OpenJDK 7 allows remote attackers to affect integrity via unknown vectors related to Security. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that CanonicalizerBase.java in the XML canonicalizer allows untrusted code to access mutable byte arrays. Moderate CVE-2013-5910 SUSE bug 858818 SUSE bug 862064 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The ieee802154_map_rec function in epan/dissectors/packet-ieee802154.c in the IEEE 802.15.4 dissector in Wireshark 1.8.x before 1.8.11 and 1.10.x before 1.10.3 uses an incorrect pointer chain, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. Moderate CVE-2013-6336 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the NBAP dissector in Wireshark 1.8.x before 1.8.11 and 1.10.x before 1.10.3 allows remote attackers to cause a denial of service (application crash) via a crafted packet. Moderate CVE-2013-6337 SUSE bug 848738 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The dissect_sip_common function in epan/dissectors/packet-sip.c in the SIP dissector in Wireshark 1.8.x before 1.8.11 and 1.10.x before 1.10.3 does not properly initialize a data structure, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. Moderate CVE-2013-6338 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The dissect_openwire_type function in epan/dissectors/packet-openwire.c in the OpenWire dissector in Wireshark 1.8.x before 1.8.11 and 1.10.x before 1.10.3 allows remote attackers to cause a denial of service (loop) via a crafted packet. Moderate CVE-2013-6339 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA epan/dissectors/packet-tcp.c in the TCP dissector in Wireshark 1.8.x before 1.8.11 and 1.10.x before 1.10.3 does not properly determine the amount of remaining data, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. Moderate CVE-2013-6340 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The apic_get_tmcct function in arch/x86/kvm/lapic.c in the KVM subsystem in the Linux kernel through 3.12.5 allows guest OS users to cause a denial of service (divide-by-zero error and host OS crash) via crafted modifications of the TMICT value. Moderate CVE-2013-6367 SUSE bug 853051 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The KVM subsystem in the Linux kernel through 3.12.5 allows local users to gain privileges or cause a denial of service (system crash) via a VAPIC synchronization operation involving a page-end address. Moderate CVE-2013-6368 SUSE bug 853052 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The recalculate_apic_map function in arch/x86/kvm/lapic.c in the KVM subsystem in the Linux kernel through 3.12.5 allows guest OS users to cause a denial of service (host OS crash) via a crafted ICR write operation in x2apic mode. Moderate CVE-2013-6376 SUSE bug 853053 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The lbs_debugfs_write function in drivers/net/wireless/libertas/debugfs.c in the Linux kernel through 3.12.1 allows local users to cause a denial of service (OOPS) by leveraging root privileges for a zero-length write operation. Moderate CVE-2013-6378 SUSE bug 852559 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The aac_send_raw_srb function in drivers/scsi/aacraid/commctrl.c in the Linux kernel through 3.12.1 does not properly validate a certain size value, which allows local users to cause a denial of service (invalid pointer dereference) or possibly have unspecified other impact via an FSACTL_SEND_RAW_SRB ioctl call that triggers a crafted SRB command. Moderate CVE-2013-6380 SUSE bug 852373 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple buffer underflows in the XFS implementation in the Linux kernel through 3.12.1 allow local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging the CAP_SYS_ADMIN capability for a (1) XFS_IOC_ATTRLIST_BY_HANDLE or (2) XFS_IOC_ATTRLIST_BY_HANDLE_32 ioctl call with a crafted length value, related to the xfs_attrlist_by_handle function in fs/xfs/xfs_ioctl.c and the xfs_compat_attrlist_by_handle function in fs/xfs/xfs_ioctl32.c. Moderate CVE-2013-6382 SUSE bug 852553 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The aac_compat_ioctl function in drivers/scsi/aacraid/linit.c in the Linux kernel before 3.11.8 does not require the CAP_SYS_RAWIO capability, which allows local users to bypass intended access restrictions via a crafted ioctl call. Moderate CVE-2013-6383 SUSE bug 852558 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Xen 4.2.x and 4.3.x, when using Intel VT-d and a PCI device has been assigned, does not clear the flag that suppresses IOMMU TLB flushes when unspecified errors occur, which causes the TLB entries to not be flushed and allows local guest administrators to cause a denial of service (host crash) or gain privileges via unspecified vectors. Moderate CVE-2013-6400 SUSE bug 853048 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA base/pkit.py in HP Linux Imaging and Printing (HPLIP) through 3.13.11 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/hp-pkservice.log temporary file. Moderate CVE-2013-6402 SUSE bug 852368 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The transform_save function in transform.c in Augeas 1.0.0 through 1.1.0 does not properly calculate the permission values when the umask contains a "7," which causes world-writable permissions to be used for new files and allows local users to modify the files via unspecified vectors. Moderate CVE-2013-6412 SUSE bug 853044 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA PyWBEM 0.7 and earlier uses a separate connection to validate X.509 certificates, which allows man-in-the-middle attackers to spoof a peer via an arbitrary certificate. Moderate CVE-2013-6418 SUSE bug 856323 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The asn1_time_to_time_t function in ext/openssl/openssl.c in PHP before 5.3.28, 5.4.x before 5.4.23, and 5.5.x before 5.5.7 does not properly parse (1) notBefore and (2) notAfter timestamps in X.509 certificates, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted certificate that is not properly handled by the openssl_x509_parse function. Important CVE-2013-6420 SUSE bug 854880 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer underflow in the xTrapezoidValid macro in render/picture.h in X.Org allows context-dependent attackers to cause a denial of service (crash) via a negative bottom value. Moderate CVE-2013-6424 SUSE bug 853846 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer underflow in the pixman_trapezoid_valid macro in pixman.h in Pixman before 0.32.0, as used in X.Org server and cairo, allows context-dependent attackers to cause a denial of service (crash) via a negative bottom value. Moderate CVE-2013-6425 SUSE bug 853824 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Race condition in RPM 4.11.1 and earlier allows remote attackers to execute arbitrary code via a crafted RPM file whose installation extracts the contents to temporary files before validating the signature, as demonstrated by installing a file in the /etc/cron.d directory. Important CVE-2013-6435 SUSE bug 1101137 SUSE bug 906803 SUSE bug 908128 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The lxcDomainGetMemoryParameters method in lxc/lxc_driver.c in libvirt 1.0.5 through 1.2.0 does not properly check the status of LXC guests when reading memory tunables, which allows local users to cause a denial of service (NULL pointer dereference and libvirtd crash) via a guest in the shutdown status, as demonstrated by the "virsh memtune" command. Moderate CVE-2013-6436 SUSE bug 854486 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The dav_xml_get_cdata function in main/util.c in the mod_dav module in the Apache HTTP Server before 2.4.8 does not properly remove whitespace characters from CDATA sections, which allows remote attackers to cause a denial of service (daemon crash) via a crafted DAV WRITE request. Moderate CVE-2013-6438 SUSE bug 869105 SUSE bug 869106 SUSE bug 887765 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The lxc-sshd template (templates/lxc-sshd.in) in LXC before 1.0.0.beta2 uses read-write permissions when mounting /sbin/init, which allows local users to gain privileges by modifying the init file. Low CVE-2013-6441 SUSE bug 855809 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The LXC driver (lxc/lxc_driver.c) in libvirt 1.0.1 through 1.2.1 allows local users to (1) delete arbitrary host devices via the virDomainDeviceDettach API and a symlink attack on /dev in the container; (2) create arbitrary nodes (mknod) via the virDomainDeviceAttach API and a symlink attack on /dev in the container; and cause a denial of service (shutdown or reboot host OS) via the (3) virDomainShutdown or (4) virDomainReboot API and a symlink attack on /dev/initctl in the container, related to "paths under /proc/$PID/root" and the virInitctlSetRunLevel function. Moderate CVE-2013-6456 SUSE bug 857490 SUSE bug 868943 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple race conditions in the (1) virDomainBlockStats, (2) virDomainGetBlockInf, (3) qemuDomainBlockJobImpl, and (4) virDomainGetBlockIoTune functions in libvirt before 1.2.1 do not properly verify that the disk is attached, which allows remote read-only attackers to cause a denial of service (libvirtd crash) via the virDomainDetachDeviceFlags command. Moderate CVE-2013-6458 SUSE bug 857492 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Stack-based buffer overflow in the bdfReadCharacters function in bitmap/bdfread.c in X.Org libXfont 1.1 through 1.4.6 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string in a character name in a BDF font file. Moderate CVE-2013-6462 SUSE bug 854915 SUSE bug 882908 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2013-7266, CVE-2013-7267, CVE-2013-7268, CVE-2013-7269, CVE-2013-7270, CVE-2013-7271. Reason: This candidate is a duplicate of CVE-2013-7266, CVE-2013-7267, CVE-2013-7268, CVE-2013-7269, CVE-2013-7270, and CVE-2013-7271. Notes: All CVE users should reference CVE-2013-7266, CVE-2013-7267, CVE-2013-7268, CVE-2013-7269, CVE-2013-7270, and/or CVE-2013-7271 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Low CVE-2013-6463 SUSE bug 854722 SUSE bug 857643 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA clamscan in ClamAV before 0.98.5, when using -a option, allows remote attackers to cause a denial of service (crash) as demonstrated by the jwplayer.js file. Moderate CVE-2013-6497 SUSE bug 1040662 SUSE bug 906077 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The default soap.wsdl_cache_dir setting in (1) php.ini-production and (2) php.ini-development in PHP through 5.6.7 specifies the /tmp directory, which makes it easier for local users to conduct WSDL injection attacks by creating a file under /tmp with a predictable filename that is used by the get_sdl function in ext/soap/php_sdl.c. Moderate CVE-2013-6501 SUSE bug 917302 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The get_sos function in jdmarker.c in (1) libjpeg 6b and (2) libjpeg-turbo through 1.3.0, as used in Google Chrome before 31.0.1650.48, Ghostscript, and other products, does not check for certain duplications of component data during the reading of segments that follow Start Of Scan (SOS) JPEG markers, which allows remote attackers to obtain sensitive information from uninitialized memory locations via a crafted JPEG image. Moderate CVE-2013-6629 SUSE bug 850430 SUSE bug 873872 SUSE bug 873873 SUSE bug 877429 SUSE bug 877430 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The nsGfxScrollFrameInner::IsLTR function in Mozilla Firefox before 26.0, Firefox ESR 24.x before 24.2, Thunderbird before 24.2, and SeaMonkey before 2.23 allows remote attackers to execute arbitrary code via crafted use of JavaScript code for ordered list elements. Moderate CVE-2013-6671 SUSE bug 854370 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Mozilla Firefox before 26.0 and SeaMonkey before 2.23 on Linux allow user-assisted remote attackers to read clipboard data by leveraging certain middle-click paste operations. Moderate CVE-2013-6672 SUSE bug 854370 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Mozilla Firefox before 26.0, Firefox ESR 24.x before 24.2, Thunderbird before 24.2, and SeaMonkey before 2.23 do not recognize a user's removal of trust from an EV X.509 certificate, which makes it easier for man-in-the-middle attackers to spoof SSL servers in opportunistic circumstances via a valid certificate that is unacceptable to the user. Moderate CVE-2013-6673 SUSE bug 854370 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The scan function in ext/date/lib/parse_iso_intervals.c in PHP through 5.5.6 does not properly restrict creation of DateInterval objects, which might allow remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted interval specification. Low CVE-2013-6712 SUSE bug 853045 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The microcode on AMD 16h 00h through 0Fh processors does not properly handle the interaction between locked instructions and write-combined memory types, which allows local users to cause a denial of service (system hang) via a crafted application, aka the errata 793 issue. Moderate CVE-2013-6885 SUSE bug 849668 SUSE bug 852967 SUSE bug 853049 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The png_do_expand_palette function in libpng before 1.6.8 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via (1) a PLTE chunk of zero bytes or (2) a NULL palette, related to pngrtran.c and pngset.c. Moderate CVE-2013-6954 SUSE bug 856522 SUSE bug 873872 SUSE bug 873873 SUSE bug 877429 SUSE bug 877430 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The ieee80211_radiotap_iterator_init function in net/wireless/radiotap.c in the Linux kernel before 3.11.7 does not check whether a frame contains any data outside of the header, which might allow attackers to cause a denial of service (buffer over-read) via a crafted header. Moderate CVE-2013-7027 SUSE bug 854634 SUSE Linux Enterprise Server 11 SP3-TERADATA The pam_userdb module for Pam uses a case-insensitive method to compare hashed passwords, which makes it easier for attackers to guess the password via a brute force attack. Moderate CVE-2013-7041 SUSE bug 1123794 SUSE bug 854480 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to obtain sensitive information from process memory or cause a denial of service (crash) via a long string in the last key value in the variable list to the process_cgivars function in (1) avail.c, (2) cmd.c, (3) config.c, (4) extinfo.c, (5) histogram.c, (6) notifications.c, (7) outages.c, (8) status.c, (9) statusmap.c, (10) summary.c, and (11) trends.c in cgi/, which triggers a heap-based buffer over-read. Moderate CVE-2013-7108 SUSE bug 856837 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The dissect_sip_common function in epan/dissectors/packet-sip.c in the SIP dissector in Wireshark 1.8.x before 1.8.12 and 1.10.x before 1.10.4 does not check for empty lines, which allows remote attackers to cause a denial of service (infinite loop) via a crafted packet. Important CVE-2013-7112 SUSE bug 856498 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA epan/dissectors/packet-bssgp.c in the BSSGP dissector in Wireshark 1.10.x before 1.10.4 incorrectly relies on a global variable, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. Moderate CVE-2013-7113 SUSE bug 856495 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple buffer overflows in the create_ntlmssp_v2_key function in epan/dissectors/packet-ntlmssp.c in the NTLMSSP v2 dissector in Wireshark 1.8.x before 1.8.12 and 1.10.x before 1.10.4 allow remote attackers to cause a denial of service (application crash) via a long domain name in a packet. Important CVE-2013-7114 SUSE bug 856496 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA kwalletd in KWallet before KDE Applications 14.12.0 uses Blowfish with ECB mode instead of CBC mode when encrypting the password store, which makes it easier for attackers to guess passwords via a codebook attack. Moderate CVE-2013-7252 SUSE bug 857200 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The Linux kernel before 3.12.4 updates certain length values before ensuring that associated data structures have been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call, related to net/ipv4/ping.c, net/ipv4/raw.c, net/ipv4/udp.c, net/ipv6/raw.c, and net/ipv6/udp.c. Moderate CVE-2013-7263 SUSE bug 853040 SUSE bug 857643 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The l2tp_ip_recvmsg function in net/l2tp/l2tp_ip.c in the Linux kernel before 3.12.4 updates a certain length value before ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. Moderate CVE-2013-7264 SUSE bug 853040 SUSE bug 857643 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The pn_recvmsg function in net/phonet/datagram.c in the Linux kernel before 3.12.4 updates a certain length value before ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. Moderate CVE-2013-7265 SUSE bug 853040 SUSE bug 857643 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The rds_ib_laddr_check function in net/rds/ib.c in the Linux kernel before 3.12.8 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a bind system call for an RDS socket on a system that lacks RDS transports. Moderate CVE-2013-7339 SUSE bug 869563 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in the png_set_unknown_chunks function in libpng/pngset.c in libpng before 1.5.14beta08 allows context-dependent attackers to cause a denial of service (segmentation fault and crash) via a crafted image, which triggers a heap-based buffer overflow. Moderate CVE-2013-7353 SUSE bug 873124 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple integer overflows in libpng before 1.5.14rc03 allow remote attackers to cause a denial of service (crash) via a crafted image to the (1) png_set_sPLT or (2) png_set_text_2 function, which triggers a heap-based buffer overflow. Moderate CVE-2013-7354 SUSE bug 873123 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The send_dg function in resolv/res_send.c in GNU C Library (aka glibc or libc6) before 2.20 does not properly reuse file descriptors, which allows remote attackers to send DNS queries to unintended locations via a large number of requests that trigger a call to the getaddrinfo function. Moderate CVE-2013-7423 SUSE bug 915526 SUSE OpenStack Cloud 5 noVNC before 0.5 does not set the secure flag for a cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session. Moderate CVE-2013-7436 SUSE bug 922233 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple off-by-one errors in the (1) MakeBigReq and (2) SetReqLen macros in include/X11/Xlibint.h in X11R6.x and libX11 before 1.6.0 allow remote attackers to have unspecified impact via a crafted request, which triggers a buffer overflow. Moderate CVE-2013-7439 SUSE bug 927220 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Use-after-free vulnerability in net/unix/af_unix.c in the Linux kernel before 4.3.3 allows local users to bypass intended AF_UNIX socket permissions or cause a denial of service (panic) via crafted epoll_ctl calls. Moderate CVE-2013-7446 SUSE bug 955654 SUSE bug 955837 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in the gdk_cairo_set_source_pixbuf function in gdk/gdkcairo.c in GTK+ before 3.9.8, as used in eom, gnome-photos, eog, gambas3, thunar, pinpoint, and possibly other applications, allows remote attackers to cause a denial of service (crash) via a large image file, which triggers a large memory allocation. Moderate CVE-2013-7447 SUSE bug 966682 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the ALGnew function in block_templace.c in Python Cryptography Toolkit (aka pycrypto) allows remote attackers to execute arbitrary code as demonstrated by a crafted iv parameter to cryptmsg.py. Critical CVE-2013-7459 SUSE bug 1017420 SUSE bug 1047666 SUSE bug 1087140 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in client/mysql.cc in Oracle MySQL and MariaDB before 5.5.35 allows remote database servers to cause a denial of service (crash) and possibly execute arbitrary code via a long server version string. Moderate CVE-2014-0001 SUSE bug 861493 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA cURL and libcurl 7.10.6 through 7.34.0, when more than one authentication method is enabled, re-uses NTLM connections, which might allow context-dependent attackers to authenticate as other users via a request. Moderate CVE-2014-0015 SUSE bug 858673 SUSE bug 868627 SUSE bug 880252 SUSE bug 882520 SUSE bug 927556 SUSE bug 962983 SUSE Linux Enterprise Server 11 SP3-TERADATA Stack-based buffer overflow in socat 1.3.0.0 through 1.7.2.2 and 2.0.0-b1 through 2.0.0-b6 allows local users to cause a denial of service (segmentation fault) via a long server name in the PROXY-CONNECT address in the command line. Low CVE-2014-0019 SUSE bug 860991 SUSE bug 927161 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions. Critical CVE-2014-0050 SUSE bug 862781 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The get_rx_bufs function in drivers/vhost/net.c in the vhost-net subsystem in the Linux kernel package before 2.6.32-431.11.2 on Red Hat Enterprise Linux (RHEL) 6 does not properly handle vhost_get_vq_desc errors, which allows guest OS users to cause a denial of service (host OS crash) via unspecified vectors. Moderate CVE-2014-0055 SUSE bug 870173 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 does not properly enforce the ADMIN OPTION restriction, which allows remote authenticated members of a role to add or remove arbitrary users to that role by calling the SET ROLE command before the associated GRANT command. Moderate CVE-2014-0060 SUSE bug 864845 SUSE bug 864856 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The validator functions for the procedural languages (PLs) in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to gain privileges via a function that is (1) defined in another language or (2) not allowed to be directly called by the user due to permissions. Moderate CVE-2014-0061 SUSE bug 864846 SUSE bug 864856 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Race condition in the (1) CREATE INDEX and (2) unspecified ALTER TABLE commands in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allows remote authenticated users to create an unauthorized index or read portions of unauthorized tables by creating or deleting a table with the same name during the timing window. Moderate CVE-2014-0062 SUSE bug 864847 SUSE bug 864856 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple stack-based buffer overflows in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via vectors related to an incorrect MAXDATELEN constant and datetime values involving (1) intervals, (2) timestamps, or (3) timezones, a different vulnerability than CVE-2014-0065. Moderate CVE-2014-0063 SUSE bug 864850 SUSE bug 864856 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple integer overflows in the path_in and other unspecified functions in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to have unspecified impact and attack vectors, which trigger a buffer overflow. NOTE: this identifier has been SPLIT due to different affected versions; use CVE-2014-2669 for the hstore vector. Moderate CVE-2014-0064 SUSE bug 864851 SUSE bug 864856 SUSE bug 871307 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple buffer overflows in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to have unspecified impact and attack vectors, a different vulnerability than CVE-2014-0063. Moderate CVE-2014-0065 SUSE bug 864852 SUSE bug 864856 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The chkpass extension in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 does not properly check the return value of the crypt library function, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) via unspecified vectors. Moderate CVE-2014-0066 SUSE bug 864853 SUSE bug 864856 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The cifs_iovec_write function in fs/cifs/file.c in the Linux kernel through 3.13.5 does not properly handle uncached write operations that copy fewer than the requested number of bytes, which allows local users to obtain sensitive information from kernel memory, cause a denial of service (memory corruption and system crash), or possibly gain privileges via a writev system call with a crafted pointer. Moderate CVE-2014-0069 SUSE bug 864025 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The Montgomery ladder implementation in OpenSSL through 1.0.0l does not ensure that certain swap operations have a constant-time behavior, which makes it easier for local users to obtain ECDSA nonces via a FLUSH+RELOAD cache side-channel attack. Moderate CVE-2014-0076 SUSE bug 869945 SUSE bug 880891 SUSE bug 883126 SUSE bug 905106 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA drivers/vhost/net.c in the Linux kernel before 3.13.10, when mergeable buffers are disabled, does not properly validate packet lengths, which allows guest OS users to cause a denial of service (memory corruption and host OS crash) or possibly gain privileges on the host OS via crafted packets, related to the handle_rx and get_rx_bufs functions. Moderate CVE-2014-0077 SUSE bug 870173 SUSE bug 870576 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA lib/x509/verify.c in GnuTLS before 3.1.22 and 3.2.x before 3.2.12 does not properly handle unspecified errors when verifying X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers via a crafted certificate. Important CVE-2014-0092 SUSE bug 865804 SUSE bug 915878 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager restrictions and read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. Critical CVE-2014-0096 SUSE bug 865746 SUSE bug 880346 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server before 2.4.8 allows remote attackers to cause a denial of service (segmentation fault and daemon crash) via a crafted cookie that is not properly handled during truncation. Moderate CVE-2014-0098 SUSE bug 869106 SUSE bug 887765 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in java/org/apache/tomcat/util/buf/Ascii.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4, when operated behind a reverse proxy, allows remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header. Critical CVE-2014-0099 SUSE bug 865746 SUSE bug 880347 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The sctp_sf_do_5_1D_ce function in net/sctp/sm_statefuns.c in the Linux kernel through 3.13.6 does not validate certain auth_enable and auth_capable fields before making an sctp_sf_authenticate call, which allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via an SCTP handshake with a modified INIT chunk and a crafted AUTH chunk before a COOKIE_ECHO chunk. Moderate CVE-2014-0101 SUSE bug 866102 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Sudo 1.6.9 before 1.8.5, when env_reset is disabled, does not properly check environment variables for the env_delete restriction, which allows local users with sudo permissions to bypass intended command restrictions via a crafted environment variable. Moderate CVE-2014-0106 SUSE bug 866503 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function. Critical CVE-2014-0107 SUSE bug 870082 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The deflate_in_filter function in mod_deflate.c in the mod_deflate module in the Apache HTTP Server before 2.4.10, when request body decompression is enabled, allows remote attackers to cause a denial of service (resource consumption) via crafted request data that decompresses to a much larger size. Moderate CVE-2014-0118 SUSE bug 1078450 SUSE bug 1095150 SUSE bug 887769 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote attackers to (1) read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, or (2) read files associated with different web applications on a single Tomcat instance via a crafted web application. Critical CVE-2014-0119 SUSE bug 865746 SUSE bug 880348 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Squid 3.1 before 3.3.12 and 3.4 before 3.4.4, when SSL-Bump is enabled, allows remote attackers to cause a denial of service (assertion failure) via a crafted range request, related to state management. Moderate CVE-2014-0128 SUSE bug 867533 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in the skb_segment function in net/core/skbuff.c in the Linux kernel through 3.13.6 allows attackers to obtain sensitive information from kernel memory by leveraging the absence of a certain orphaning operation. Moderate CVE-2014-0131 SUSE bug 824295 SUSE bug 867723 SUSE bug 869564 SUSE bug 889071 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The default configuration in cURL and libcurl 7.10.6 before 7.36.0 re-uses (1) SCP, (2) SFTP, (3) POP3, (4) POP3S, (5) IMAP, (6) IMAPS, (7) SMTP, (8) SMTPS, (9) LDAP, and (10) LDAPS connections, which might allow context-dependent attackers to connect as other users via a request, a similar issue to CVE-2014-0015. Moderate CVE-2014-0138 SUSE bug 868627 SUSE bug 880252 SUSE bug 882520 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA cURL and libcurl 7.1 before 7.36.0, when using the OpenSSL, axtls, qsossl or gskit libraries for TLS, recognize a wildcard IP address in the subject's Common Name (CN) field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. Moderate CVE-2014-0139 SUSE bug 868629 SUSE bug 880252 SUSE bug 882520 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA QEMU, possibly before 2.0.0, allows local users to cause a denial of service (divide-by-zero error and crash) via a zero value in the (1) tracks field to the seek_to_sector function in block/parallels.c or (2) extent_size field in the bochs function in block/bochs.c. Important CVE-2014-0142 SUSE bug 870439 SUSE bug 871442 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple integer overflows in the block drivers in QEMU, possibly before 2.0.0, allow local users to cause a denial of service (crash) via a crafted catalog size in (1) the parallels_open function in block/parallels.c or (2) bochs_open function in bochs.c, a large L1 table in the (3) qcow2_snapshot_load_tmp in qcow2-snapshot.c or (4) qcow2_grow_l1_table function in qcow2-cluster.c, (5) a large request in the bdrv_check_byte_request function in block.c and other block drivers, (6) crafted cluster indexes in the get_refcount function in qcow2-refcount.c, or (7) a large number of blocks in the cloop_open function in cloop.c, which trigger buffer overflows, memory corruption, large memory allocations and out-of-bounds read and writes. Important CVE-2014-0143 SUSE bug 870439 SUSE bug 871442 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Moderate CVE-2014-0144 SUSE bug 870439 SUSE bug 871442 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple buffer overflows in QEMU before 1.7.2 and 2.x before 2.0.0, allow local users to cause a denial of service (crash) or possibly execute arbitrary code via a large (1) L1 table in the qcow2_snapshot_load_tmp in the QCOW 2 block driver (block/qcow2-snapshot.c) or (2) uncompressed chunk, (3) chunk length, or (4) number of sectors in the DMG block driver (block/dmg.c). Moderate CVE-2014-0145 SUSE bug 870439 SUSE bug 871442 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The qcow2_open function in the (block/qcow2.c) in QEMU before 1.7.2 and 2.x before 2.0.0 allows local users to cause a denial of service (NULL pointer dereference) via a crafted image which causes an error, related to the initialization of the snapshot_offset and nb_snapshots fields. Moderate CVE-2014-0146 SUSE bug 870439 SUSE bug 871442 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Moderate CVE-2014-0147 SUSE bug 870439 SUSE bug 871442 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in the virtio_net_handle_mac function in hw/net/virtio-net.c in QEMU 2.0 and earlier allows local guest users to execute arbitrary code via a MAC addresses table update request, which triggers a heap-based buffer overflow. Moderate CVE-2014-0150 SUSE bug 873235 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The ioapic_deliver function in virt/kvm/ioapic.c in the Linux kernel through 3.14.1 does not properly validate the kvm_irq_delivery_to_apic return value, which allows guest OS users to cause a denial of service (host OS crash) via a crafted entry in the redirection table of an I/O APIC. NOTE: the affected code was moved to the ioapic_service function before the vulnerability was announced. Moderate CVE-2014-0155 SUSE bug 824295 SUSE bug 872540 SUSE bug 889071 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Samba 3.6.6 through 3.6.23, 4.0.x before 4.0.18, and 4.1.x before 4.1.8, when a certain vfs shadow copy configuration is enabled, does not properly initialize the SRV_SNAPSHOT_ARRAY response field, which allows remote authenticated users to obtain potentially sensitive information from process memory via a (1) FSCTL_GET_SHADOW_COPY_DATA or (2) FSCTL_SRV_ENUMERATE_SNAPSHOTS request. Moderate CVE-2014-0178 SUSE bug 872396 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA libvirt 0.7.5 through 1.2.x before 1.2.5 allows local users to cause a denial of service (read block and hang) via a crafted XML document containing an XML external entity declaration in conjunction with an entity reference to the (1) virConnectCompareCPU or (2) virConnectBaselineCPU API method, related to an XML External Entity (XXE) issue. NOTE: this issue was SPLIT per ADT3 due to different affected versions of some vectors. CVE-2014-5177 is used for other API methods. Moderate CVE-2014-0179 SUSE bug 873705 SUSE Linux Enterprise Server 11 SP3 The Netlink implementation in the Linux kernel through 3.14.1 does not provide a mechanism for authorizing socket operations based on the opener of a socket, which allows local users to bypass intended access restrictions and modify network configurations by using a Netlink socket for the (1) stdout or (2) stderr of a setuid program. Moderate CVE-2014-0181 SUSE bug 875051 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The n_tty_write function in drivers/tty/n_tty.c in the Linux kernel through 3.14.3 does not properly manage tty driver access in the "LECHO & !OPOST" case, which allows local users to cause a denial of service (memory corruption and system crash) or gain privileges by triggering a race condition involving read and write operations with long strings. Moderate CVE-2014-0196 SUSE bug 871252 SUSE bug 875690 SUSE bug 876463 SUSE bug 877345 SUSE bug 879878 SUSE bug 933423 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file. Moderate CVE-2014-0207 SUSE bug 884986 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple integer overflows in the (1) FontFileAddEntry and (2) lexAlias functions in X.Org libXfont before 1.4.8 and 1.4.9x before 1.4.99.901 might allow local users to gain privileges by adding a directory with a large fonts.dir or fonts.alias file to the font path, which triggers a heap-based buffer overflow, related to metadata. Moderate CVE-2014-0209 SUSE bug 857544 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple buffer overflows in X.Org libXfont before 1.4.8 and 1.4.9x before 1.4.99.901 allow remote font servers to execute arbitrary code via a crafted xfs protocol reply to the (1) _fs_recv_conn_setup, (2) fs_read_open_font, (3) fs_read_query_info, (4) fs_read_extent_info, (5) fs_read_glyphs, (6) fs_read_list, or (7) fs_read_list_info function. Moderate CVE-2014-0210 SUSE bug 857544 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple integer overflows in the (1) fs_get_reply, (2) fs_alloc_glyphs, and (3) fs_read_extent_info functions in X.Org libXfont before 1.4.8 and 1.4.9x before 1.4.99.901 allow remote font servers to execute arbitrary code via a crafted xfs reply, which triggers a buffer overflow. Moderate CVE-2014-0211 SUSE bug 857544 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The dtls1_get_message_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (recursion and client crash) via a DTLS hello message in an invalid DTLS handshake. Moderate CVE-2014-0221 SUSE bug 880891 SUSE bug 883126 SUSE bug 905106 SUSE bug 915913 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in the qcow_open function in block/qcow.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service (crash) via a large L2 table in a QCOW version 1 image. Moderate CVE-2014-0222 SUSE bug 877642 SUSE bug 950367 SUSE bug 964925 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in the qcow_open function in block/qcow.c in QEMU before 1.7.2 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a large image size, which triggers a buffer overflow or out-of-bounds read. Moderate CVE-2014-0223 SUSE bug 877645 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability. Important CVE-2014-0224 SUSE bug 1146657 SUSE bug 880891 SUSE bug 883126 SUSE bug 885777 SUSE bug 892403 SUSE bug 901237 SUSE bug 905018 SUSE bug 905106 SUSE bug 914447 SUSE bug 915913 SUSE bug 916239 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Race condition in the mod_status module in the Apache HTTP Server before 2.4.10 allows remote attackers to cause a denial of service (heap-based buffer overflow), or possibly obtain sensitive credential information or execute arbitrary code, via a crafted request that triggers improper scoreboard handling within the status_handler function in modules/generators/mod_status.c and the lua_ap_scoreboard_worker function in modules/lua/lua_request.c. Moderate CVE-2014-0226 SUSE bug 887765 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat 6.x before 6.0.42, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle attempts to continue reading data after an error has occurred, which allows remote attackers to conduct HTTP request smuggling attacks or cause a denial of service (resource consumption) by streaming data with malformed chunked transfer coding. Critical CVE-2014-0227 SUSE bug 917127 SUSE bug 926762 SUSE bug 988489 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle cases where an HTTP response occurs before finishing the reading of an entire request body, which allows remote attackers to cause a denial of service (thread consumption) via a series of aborted upload attempts. Moderate CVE-2014-0230 SUSE bug 926762 SUSE bug 988489 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The mod_cgid module in the Apache HTTP Server before 2.4.10 does not have a timeout mechanism, which allows remote attackers to cause a denial of service (process hang) via a request to a CGI script that does not read from its stdin file descriptor. Moderate CVE-2014-0231 SUSE bug 887768 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The cdf_unpack_summary_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers to cause a denial of service (performance degradation) by triggering many file_printf calls. Moderate CVE-2014-0237 SUSE bug 880905 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The cdf_read_property_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers to cause a denial of service (infinite loop or out-of-bounds memory access) via a vector that (1) has zero length or (2) is too long. Moderate CVE-2014-0238 SUSE bug 880904 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The sys_recvfrom function in nmbd in Samba 3.6.x before 3.6.24, 4.0.x before 4.0.19, and 4.1.x before 4.1.9 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a malformed UDP packet. Moderate CVE-2014-0244 SUSE bug 880962 SUSE bug 883758 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45, and Java SE Embedded 7u45, allows remote attackers to affect confidentiality via unknown vectors related to Networking. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that the issue is related to incorrect permission checks when listening on a socket, which allows attackers to escape the sandbox. Moderate CVE-2014-0368 SUSE bug 858818 SUSE bug 862064 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Serviceability. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that the issue is related to throwing of an incorrect exception when SnmpStatusException should have been used in the SNMP implementation, which allows attackers to escape the sandbox. Moderate CVE-2014-0373 SUSE bug 858818 SUSE bug 862064 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2013-5898 and CVE-2014-0403. Moderate CVE-2014-0375 SUSE bug 862064 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Java SE Embedded 7u45; and OpenJDK 7 allows remote attackers to affect integrity via vectors related to JAXP. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that the issue is related to an improper check for "code permissions when creating document builder factories." Moderate CVE-2014-0376 SUSE bug 858818 SUSE bug 862064 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via vectors related to XML. Moderate CVE-2014-0384 SUSE bug 873896 SUSE bug 999706 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.71 and earlier, 5.5.33 and earlier, and 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer. Moderate CVE-2014-0386 SUSE bug 858823 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u65 and Java SE 7u45, when running on Firefox, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. Moderate CVE-2014-0387 SUSE bug 862064 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.71 and earlier, 5.5.33 and earlier, and 5.6.13 and earlier allows remote authenticated users to affect integrity via unknown vectors related to InnoDB. Moderate CVE-2014-0393 SUSE bug 858823 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote authenticated users to affect availability via unknown vectors. Moderate CVE-2014-0401 SUSE bug 858823 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.71 and earlier, 5.5.33 and earlier, and 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Locking. Moderate CVE-2014-0402 SUSE bug 858823 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2013-5898 and CVE-2014-0375. Moderate CVE-2014-0403 SUSE bug 862064 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2013-5889, CVE-2013-5902, CVE-2014-0415, CVE-2014-0418, and CVE-2014-0424. Important CVE-2014-0410 SUSE bug 862064 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; JRockit R27.7.7 and R28.2.9; Java SE Embedded 7u45; and OpenJDK 7 allows remote attackers to affect confidentiality and integrity via vectors related to JSSE. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that this issue allows remote attackers to obtain sensitive information about encryption keys via a timing discrepancy during the TLS/SSL handshake. Moderate CVE-2014-0411 SUSE bug 858818 SUSE bug 862064 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB. Moderate CVE-2014-0412 SUSE bug 858823 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2013-5889, CVE-2013-5902, CVE-2014-0410, CVE-2014-0418, and CVE-2014-0424. Important CVE-2014-0415 SUSE bug 862064 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Java SE Embedded 7u45; and OpenJDK 7 allows remote attackers to affect integrity via vectors related to JAAS. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that the issue is related to how principals are set for the Subject class, which allows attackers to escape the sandbox using deserialization of a crafted Subject instance. Moderate CVE-2014-0416 SUSE bug 858818 SUSE bug 862064 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; JavaFX 2.2.45; and Java SE Embedded 7u45 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. Important CVE-2014-0417 SUSE bug 862064 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.34 and earlier, and 5.6.14 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Replication. Moderate CVE-2014-0420 SUSE bug 858823 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Java SE Embedded 7u45; and OpenJDK 7 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JNDI. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that the issue is related to missing package access checks in the Naming / JNDI component, which allows attackers to escape the sandbox. Moderate CVE-2014-0422 SUSE bug 858818 SUSE bug 862064 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; JRockit R27.7.7 and R28.2.9; Java SE Embedded 7u45; and OpenJDK 7 allows remote authenticated users to affect confidentiality and availability via unknown vectors related to Beans. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that this issue is an XML External Entity (XXE) vulnerability in DocumentHandler.java, related to Beans decoding. Moderate CVE-2014-0423 SUSE bug 858818 SUSE bug 862064 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2013-5889, CVE-2013-5902, CVE-2014-0410, CVE-2014-0415, and CVE-2014-0418. Moderate CVE-2014-0424 SUSE bug 862064 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.13 and earlier allows remote authenticated users to affect availability via vectors related to FTS. Moderate CVE-2014-0427 SUSE bug 858823 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Java SE Embedded 7u45; and OpenJDK 7 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to CORBA. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that the issue is related to "insufficient security checks in IIOP streams," which allows attackers to escape the sandbox. Moderate CVE-2014-0428 SUSE bug 858818 SUSE bug 862064 SUSE bug 877429 SUSE bug 877430 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8; JRockit R27.8.1 and R28.3.1; and Java SE Embedded 7u51 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. Moderate CVE-2014-0429 SUSE bug 873872 SUSE bug 873873 SUSE bug 877429 SUSE bug 877430 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Performance Schema. Low CVE-2014-0430 SUSE bug 858823 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.14 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB, a different vulnerability than CVE-2013-5881. Moderate CVE-2014-0431 SUSE bug 858823 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.13 and earlier allows remote attackers to affect availability via unknown vectors related to Thread Pooling. Moderate CVE-2014-0433 SUSE bug 858823 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer. Moderate CVE-2014-0437 SUSE bug 858823 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. Moderate CVE-2014-0446 SUSE bug 873872 SUSE bug 873873 SUSE bug 877429 SUSE bug 877430 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u51 and 8 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. Moderate CVE-2014-0448 SUSE bug 877429 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality via unknown vectors related to Deployment. Moderate CVE-2014-0449 SUSE bug 877429 SUSE bug 877430 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT, a different vulnerability than CVE-2014-2412. Moderate CVE-2014-0451 SUSE bug 873872 SUSE bug 873873 SUSE bug 877429 SUSE bug 877430 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAX-WS, a different vulnerability than CVE-2014-0458 and CVE-2014-2423. Moderate CVE-2014-0452 SUSE bug 873872 SUSE bug 873873 SUSE bug 877429 SUSE bug 877430 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8; JRockit R27.8.1 and R28.3.1; and Java SE Embedded 7u51 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Security. Moderate CVE-2014-0453 SUSE bug 873872 SUSE bug 873873 SUSE bug 877429 SUSE bug 877430 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u51 and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Security. Moderate CVE-2014-0454 SUSE bug 873873 SUSE bug 877429 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u51 and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2014-0432 and CVE-2014-2402. Important CVE-2014-0455 SUSE bug 873873 SUSE bug 877429 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 5.0u61, SE 6u71, 7u51, and 8; JRockit R27.8.1 and R28.3.1; and Java SE Embedded 7u51 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. Important CVE-2014-0457 SUSE bug 873872 SUSE bug 873873 SUSE bug 877429 SUSE bug 877430 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAX-WS, a different vulnerability than CVE-2014-0452 and CVE-2014-2423. Moderate CVE-2014-0458 SUSE bug 873872 SUSE bug 873873 SUSE bug 877429 SUSE bug 877430 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u51 and 8, and Java SE Embedded 7u51, allows remote attackers to affect availability via unknown vectors related to 2D. Moderate CVE-2014-0459 SUSE bug 873872 SUSE bug 873873 SUSE bug 877429 SUSE bug 877430 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8; JRockit R27.8.1 and R28.3.1; and Java SE Embedded 7u51 allows remote attackers to affect confidentiality and integrity via vectors related to JNDI. Moderate CVE-2014-0460 SUSE bug 873872 SUSE bug 873873 SUSE bug 877429 SUSE bug 877430 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. Important CVE-2014-0461 SUSE bug 873872 SUSE bug 873873 SUSE bug 877429 SUSE bug 877430 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The fixps script in a2ps 4.14 does not use the -dSAFER option when executing gs, which allows context-dependent attackers to delete arbitrary files or execute arbitrary commands via a crafted PostScript file. Moderate CVE-2014-0466 SUSE bug 871097 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in copy.c in Mutt before 1.5.23 allows remote attackers to cause a denial of service (crash) via a crafted RFC2047 header line, related to address expansion. Moderate CVE-2014-0467 SUSE bug 868115 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple directory traversal vulnerabilities in GNU C Library (aka glibc or libc6) before 2.20 allow context-dependent attackers to bypass ForceCommand restrictions and possibly have other unspecified impact via a .. (dot dot) in a (1) LC_*, (2) LANG, or other locale environment variable. Moderate CVE-2014-0475 SUSE bug 887022 SUSE bug 896776 SUSE bug 916222 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The query_findclosestnsec3 function in query.c in named in ISC BIND 9.6, 9.7, and 9.8 before 9.8.6-P2 and 9.9 before 9.9.4-P2, and 9.6-ESV before 9.6-ESV-R10-P2, allows remote attackers to cause a denial of service (INSIST assertion failure and daemon exit) via a crafted DNS query to an authoritative nameserver that uses the NSEC3 signing feature. Moderate CVE-2014-0591 SUSE bug 858639 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The IBMSecureRandom component in the IBMJCE and IBMSecureRandom cryptographic providers in IBM SDK Java Technology Edition 5.0 before Service Refresh 16 FP6, 6 before Service Refresh 16, 6.0.1 before Service Refresh 8, 7 before Service Refresh 7, and 7R1 before Service Refresh 1 makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms by predicting the random number generator's output. Important CVE-2014-0878 SUSE bug 877429 SUSE bug 877430 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The fst_get_iface function in drivers/net/wan/farsync.c in the Linux kernel before 3.11.7 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability for an SIOCWANDEV ioctl call. Moderate CVE-2014-1444 SUSE bug 858869 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The wanxl_ioctl function in drivers/net/wan/wanxl.c in the Linux kernel before 3.11.7 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via an ioctl call. Moderate CVE-2014-1445 SUSE bug 858870 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The yam_ioctl function in drivers/net/hamradio/yam.c in the Linux kernel before 3.12.8 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability for an SIOCYAMGCFG ioctl call. Moderate CVE-2014-1446 SUSE bug 858872 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Race condition in the virNetServerClientStartKeepAlive function in libvirt before 1.2.1 allows remote attackers to cause a denial of service (libvirtd crash) by closing a connection before a keepalive response is sent. Moderate CVE-2014-1447 SUSE bug 858817 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Important CVE-2014-1477 SUSE bug 861847 SUSE bug 862345 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The System Only Wrapper (SOW) implementation in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 does not prevent certain cloning operations, which allows remote attackers to bypass intended restrictions on XUL content via vectors involving XBL content scopes. Moderate CVE-2014-1479 SUSE bug 861847 SUSE bug 862348 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The file-download implementation in Mozilla Firefox before 27.0 and SeaMonkey before 2.24 does not properly restrict the timing of button selections, which allows remote attackers to conduct clickjacking attacks, and trigger unintended launching of a downloaded file, via a crafted web site. Moderate CVE-2014-1480 SUSE bug 861847 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allow remote attackers to bypass intended restrictions on window objects by leveraging inconsistency in native getter methods across different JavaScript engines. Moderate CVE-2014-1481 SUSE bug 861847 SUSE bug 862309 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA RasterImage.cpp in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 does not prevent access to discarded data, which allows remote attackers to execute arbitrary code or cause a denial of service (incorrect write operations) via crafted image data, as demonstrated by Goo Create. Important CVE-2014-1482 SUSE bug 861847 SUSE bug 862356 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Mozilla Firefox before 27.0 and SeaMonkey before 2.24 allow remote attackers to bypass the Same Origin Policy and obtain sensitive information by using an IFRAME element in conjunction with certain timing measurements involving the document.caretPositionFromPoint and document.elementFromPoint functions. Moderate CVE-2014-1483 SUSE bug 861847 SUSE bug 862360 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Mozilla Firefox before 27.0 on Android 4.2 and earlier creates system-log entries containing profile paths, which allows attackers to obtain sensitive information via a crafted application. Moderate CVE-2014-1484 SUSE bug 861847 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The Content Security Policy (CSP) implementation in Mozilla Firefox before 27.0 and SeaMonkey before 2.24 operates on XSLT stylesheets according to style-src directives instead of script-src directives, which might allow remote attackers to execute arbitrary XSLT code by leveraging insufficient style-src restrictions. Moderate CVE-2014-1485 SUSE bug 861847 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in the imgRequestProxy function in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allows remote attackers to execute arbitrary code via vectors involving unspecified Content-Type values for image data. Important CVE-2014-1486 SUSE bug 861847 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The Web workers implementation in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allows remote attackers to bypass the Same Origin Policy and obtain sensitive authentication information via vectors involving error messages. Moderate CVE-2014-1487 SUSE bug 861847 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The Web workers implementation in Mozilla Firefox before 27.0 and SeaMonkey before 2.24 allows remote attackers to execute arbitrary code via vectors involving termination of a worker process that has performed a cross-thread object-passing operation in conjunction with use of asm.js. Important CVE-2014-1488 SUSE bug 861847 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Mozilla Firefox before 27.0 does not properly restrict access to about:home buttons by script on other pages, which allows user-assisted remote attackers to cause a denial of service (session restore) via a crafted web site. Moderate CVE-2014-1489 SUSE bug 861847 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Race condition in libssl in Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24, and other products, allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via vectors involving a resumption handshake that triggers incorrect replacement of a session ticket. Moderate CVE-2014-1490 SUSE bug 861847 SUSE bug 862300 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24, and other products, does not properly restrict public values in Diffie-Hellman key exchanges, which makes it easier for remote attackers to bypass cryptographic protection mechanisms in ticket handling by leveraging use of a certain value. Moderate CVE-2014-1491 SUSE bug 861847 SUSE bug 862289 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and SeaMonkey before 2.25 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Moderate CVE-2014-1493 SUSE bug 868603 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 28.0 and SeaMonkey before 2.25 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Moderate CVE-2014-1494 SUSE bug 868603 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and SeaMonkey before 2.25 might allow local users to gain privileges by modifying the extracted Mar contents during an update. Moderate CVE-2014-1496 SUSE bug 868603 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The mozilla::WaveReader::DecodeAudioData function in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and SeaMonkey before 2.25 allows remote attackers to obtain sensitive information from process heap memory, cause a denial of service (out-of-bounds read and application crash), or possibly have unspecified other impact via a crafted WAV file. Moderate CVE-2014-1497 SUSE bug 868603 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The crypto.generateCRMFRequest method in Mozilla Firefox before 28.0 and SeaMonkey before 2.25 does not properly validate a certain key type, which allows remote attackers to cause a denial of service (application crash) via vectors that trigger generation of a key that supports the Elliptic Curve ec-dual-use algorithm. Moderate CVE-2014-1498 SUSE bug 868603 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Mozilla Firefox before 28.0 and SeaMonkey before 2.25 allow remote attackers to spoof the domain name in the WebRTC (1) camera or (2) microphone permission prompt by triggering navigation at a certain time during generation of this prompt. Moderate CVE-2014-1499 SUSE bug 868603 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Mozilla Firefox before 28.0 and SeaMonkey before 2.25 allow remote attackers to cause a denial of service (resource consumption and application hang) via onbeforeunload events that trigger background JavaScript execution. Moderate CVE-2014-1500 SUSE bug 868603 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Mozilla Firefox before 28.0 on Android allows remote attackers to bypass the Same Origin Policy and access arbitrary file: URLs via vectors involving the "Open Link in New Tab" menu selection. Moderate CVE-2014-1501 SUSE bug 868603 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The (1) WebGL.compressedTexImage2D and (2) WebGL.compressedTexSubImage2D functions in Mozilla Firefox before 28.0 and SeaMonkey before 2.25 allow remote attackers to bypass the Same Origin Policy and render content in a different domain via unspecified vectors. Moderate CVE-2014-1502 SUSE bug 868603 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The session-restore feature in Mozilla Firefox before 28.0 and SeaMonkey before 2.25 does not consider the Content Security Policy of a data: URL, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted document that is accessed after a browser restart. Moderate CVE-2014-1504 SUSE bug 868603 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The SVG filter implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and SeaMonkey before 2.25 allows remote attackers to obtain sensitive displacement-correlation information, and possibly bypass the Same Origin Policy and read text from a different domain, via a timing attack involving feDisplacementMap elements, a related issue to CVE-2013-1693. Moderate CVE-2014-1505 SUSE bug 868603 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The libxul.so!gfxContext::Polygon function in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and SeaMonkey before 2.25 allows remote attackers to obtain sensitive information from process memory, cause a denial of service (out-of-bounds read and application crash), or possibly bypass the Same Origin Policy via vectors involving MathML polygon rendering. Moderate CVE-2014-1508 SUSE bug 868603 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in the _cairo_truetype_index_to_ucs4 function in cairo, as used in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and SeaMonkey before 2.25, allows remote attackers to execute arbitrary code via a crafted extension that renders fonts in a PDF document. Moderate CVE-2014-1509 SUSE bug 868603 SUSE bug 869339 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The Web IDL implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and SeaMonkey before 2.25 allows remote attackers to execute arbitrary JavaScript code with chrome privileges by using an IDL fragment to trigger a window.open call. Moderate CVE-2014-1510 SUSE bug 868603 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and SeaMonkey before 2.25 allow remote attackers to bypass the popup blocker via unspecified vectors. Moderate CVE-2014-1511 SUSE bug 868603 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in the TypeObject class in the JavaScript engine in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and SeaMonkey before 2.25 allows remote attackers to execute arbitrary code by triggering extensive memory consumption while garbage collection is occurring, as demonstrated by improper handling of BumpChunk objects. Moderate CVE-2014-1512 SUSE bug 868603 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA TypedArrayObject.cpp in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and SeaMonkey before 2.25 does not prevent a zero-length transition during use of an ArrayBuffer object, which allows remote attackers to execute arbitrary code or cause a denial of service (heap-based out-of-bounds write or read) via a crafted web site. Moderate CVE-2014-1513 SUSE bug 868603 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA vmtypedarrayobject.cpp in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and SeaMonkey before 2.25 does not validate the length of the destination array before a copy operation, which allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds write and application crash) by triggering incorrect use of the TypedArrayObject class. Moderate CVE-2014-1514 SUSE bug 868603 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Important CVE-2014-1518 SUSE bug 875803 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA maintenservice_installer.exe in the Maintenance Service Installer in Mozilla Firefox before 29.0 and Firefox ESR 24.x before 24.5 on Windows allows local users to gain privileges by placing a Trojan horse DLL file into a temporary directory at an unspecified point in the update process. Moderate CVE-2014-1520 SUSE bug 875803 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the read_u32 function in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted JPEG image. Moderate CVE-2014-1523 SUSE bug 875803 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The nsXBLProtoImpl::InstallImplementation function in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 does not properly check whether objects are XBL objects, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow) via crafted JavaScript code that accesses a non-XBL object as if it were an XBL object. Important CVE-2014-1524 SUSE bug 875803 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The Web Notification API in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allows remote attackers to bypass intended source-component restrictions and execute arbitrary JavaScript code in a privileged context via a crafted web page for which Notification.permission is granted. Important CVE-2014-1529 SUSE bug 875803 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The docshell implementation in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allows remote attackers to trigger the loading of a URL with a spoofed baseURI property, and conduct cross-site scripting (XSS) attacks, via a crafted web site that performs history navigation. Moderate CVE-2014-1530 SUSE bug 875378 SUSE bug 875803 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in the nsGenericHTMLElement::GetWidthHeightForImage function in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via vectors involving an imgLoader object that is not properly handled during an image-resize operation. Important CVE-2014-1531 SUSE bug 875803 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in the nsHostResolver::ConditionallyRefreshRecord function in libxul.so in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via vectors related to host resolution. Important CVE-2014-1532 SUSE bug 875803 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 30.0, Firefox ESR 24.x before 24.6, and Thunderbird before 24.6 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Important CVE-2014-1533 SUSE bug 881874 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 30.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Important CVE-2014-1534 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The PropertyProvider::FindJustificationRange function in Mozilla Firefox before 30.0 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read) via unspecified vectors. Important CVE-2014-1536 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in the mozilla::dom::workers::WorkerPrivateParent function in Mozilla Firefox before 30.0 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. Important CVE-2014-1537 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in the nsTextEditRules::CreateMozBR function in Mozilla Firefox before 30.0, Firefox ESR 24.x before 24.6, and Thunderbird before 24.6 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. Important CVE-2014-1538 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in the RefreshDriverTimer::TickDriver function in the SMIL Animation Controller in Mozilla Firefox before 30.0, Firefox ESR 24.x before 24.6, and Thunderbird before 24.6 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via crafted web content. Important CVE-2014-1541 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in the CERT_DestroyCertificate function in libnss3.so in Mozilla Network Security Services (NSS) 3.x, as used in Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7, allows remote attackers to execute arbitrary code via vectors that trigger certain improper removal of an NSSCertificate structure from a trust domain. Moderate CVE-2014-1544 SUSE bug 887746 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Mozilla Netscape Portable Runtime (NSPR) before 4.10.6 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds write) via vectors involving the sprintf and console functions. Moderate CVE-2014-1545 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Moderate CVE-2014-1547 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 31.0 and Thunderbird before 31.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Moderate CVE-2014-1548 SUSE bug 887746 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in the nsDocLoader::OnProgress function in Mozilla Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7 allows remote attackers to execute arbitrary code via vectors that trigger a FireOnStateChange event. Moderate CVE-2014-1555 SUSE bug 887746 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Mozilla Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7 allow remote attackers to execute arbitrary code via crafted WebGL content constructed with the Cesium JavaScript library. Moderate CVE-2014-1556 SUSE bug 887746 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The ConvolveHorizontally function in Skia, as used in Mozilla Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7, does not properly handle the discarding of image data during function execution, which allows remote attackers to execute arbitrary code by triggering prolonged image scaling, as demonstrated by scaling of a high-quality image. Moderate CVE-2014-1557 SUSE bug 887746 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the browser engine in Mozilla Firefox before 32.0, Firefox ESR 24.x before 24.8 and 31.x before 31.1, and Thunderbird 24.x before 24.8 and 31.x before 31.1 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Important CVE-2014-1562 SUSE bug 894370 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in DirectionalityUtils.cpp in Mozilla Firefox before 32.0, Firefox ESR 24.x before 24.8 and 31.x before 31.1, and Thunderbird 24.x before 24.8 and 31.x before 31.1 allows remote attackers to execute arbitrary code via text that is improperly handled during the interaction between directionality resolution and layout. Important CVE-2014-1567 SUSE bug 894370 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Mozilla Network Security Services (NSS) before 3.16.2.1, 3.16.x before 3.16.5, and 3.17.x before 3.17.1, as used in Mozilla Firefox before 32.0.3, Mozilla Firefox ESR 24.x before 24.8.1 and 31.x before 31.1.1, Mozilla Thunderbird before 24.8.1 and 31.x before 31.1.2, Mozilla SeaMonkey before 2.29.1, Google Chrome before 37.0.2062.124 on Windows and OS X, and Google Chrome OS before 37.0.2062.120, does not properly parse ASN.1 values in X.509 certificates, which makes it easier for remote attackers to spoof RSA signatures via a crafted certificate, aka a "signature malleability" issue. Moderate CVE-2014-1568 SUSE bug 1107874 SUSE bug 897890 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The definite_length_decoder function in lib/util/quickder.c in Mozilla Network Security Services (NSS) before 3.16.2.4 and 3.17.x before 3.17.3 does not ensure that the DER encoding of an ASN.1 length is properly formed, which allows remote attackers to conduct data-smuggling attacks by using a long byte sequence for an encoding, as demonstrated by the SEC_QuickDERDecodeItem function's improper handling of an arbitrary-length encoding of 0x00. Moderate CVE-2014-1569 SUSE bug 910647 SUSE bug 913096 SUSE bug 917597 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 33.0, Firefox ESR 31.x before 31.2, and Thunderbird 31.x before 31.2 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Important CVE-2014-1574 SUSE bug 900941 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 33.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to improper interaction between threading and garbage collection in the GCRuntime::triggerGC function in js/src/jsgc.cpp, and unknown other vectors. Moderate CVE-2014-1575 SUSE bug 900941 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the nsTransformedTextRun function in Mozilla Firefox before 33.0, Firefox ESR 31.x before 31.2, and Thunderbird 31.x before 31.2 allows remote attackers to execute arbitrary code via Cascading Style Sheets (CSS) token sequences that trigger changes to capitalization style. Moderate CVE-2014-1576 SUSE bug 900941 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The mozilla::dom::OscillatorNodeEngine::ComputeCustom function in the Web Audio subsystem in Mozilla Firefox before 33.0, Firefox ESR 31.x before 31.2, and Thunderbird 31.x before 31.2 allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read, memory corruption, and application crash) via an invalid custom waveform that triggers a calculation of a negative frequency value. Moderate CVE-2014-1577 SUSE bug 900941 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The get_tile function in Mozilla Firefox before 33.0, Firefox ESR 31.x before 31.2, and Thunderbird 31.x before 31.2 allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly execute arbitrary code via WebM frames with invalid tile sizes that are improperly handled in buffering operations during video playback. Moderate CVE-2014-1578 SUSE bug 900941 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in DirectionalityUtils.cpp in Mozilla Firefox before 33.0, Firefox ESR 31.x before 31.2, and Thunderbird 31.x before 31.2 allows remote attackers to execute arbitrary code via text that is improperly handled during the interaction between directionality resolution and layout. Moderate CVE-2014-1581 SUSE bug 900941 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The Alarm API in Mozilla Firefox before 33.0 and Firefox ESR 31.x before 31.2 does not properly restrict toJSON calls, which allows remote attackers to bypass the Same Origin Policy via crafted API calls that access sensitive information within the JSON data of an alarm. Moderate CVE-2014-1583 SUSE bug 900941 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The WebRTC video-sharing feature in dom/media/MediaManager.cpp in Mozilla Firefox before 33.0, Firefox ESR 31.x before 31.2, and Thunderbird 31.x before 31.2 does not properly recognize Stop Sharing actions for videos in IFRAME elements, which allows remote attackers to obtain sensitive information from the local camera by maintaining a session after the user tries to discontinue streaming. Moderate CVE-2014-1585 SUSE bug 900941 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA content/base/src/nsDocument.cpp in Mozilla Firefox before 33.0, Firefox ESR 31.x before 31.2, and Thunderbird 31.x before 31.2 does not consider whether WebRTC video sharing is occurring, which allows remote attackers to obtain sensitive information from the local camera in certain IFRAME situations by maintaining a session after the user temporarily navigates away. Moderate CVE-2014-1586 SUSE bug 900941 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 34.0, Firefox ESR 31.x before 31.3, Thunderbird before 31.3, and SeaMonkey before 2.31 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Moderate CVE-2014-1587 SUSE bug 908009 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 34.0 and SeaMonkey before 2.31 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Important CVE-2014-1588 SUSE bug 908009 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Mozilla Firefox before 34.0 and SeaMonkey before 2.31 provide stylesheets with an incorrect primary namespace, which allows remote attackers to bypass intended access restrictions via an XBL binding. Moderate CVE-2014-1589 SUSE bug 908009 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The XMLHttpRequest.prototype.send method in Mozilla Firefox before 34.0, Firefox ESR 31.x before 31.3, Thunderbird before 31.3, and SeaMonkey before 2.31 allows remote attackers to cause a denial of service (application crash) via a crafted JavaScript object. Moderate CVE-2014-1590 SUSE bug 908009 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Mozilla Firefox 33.0 and SeaMonkey before 2.31 include path strings in CSP violation reports, which allows remote attackers to obtain sensitive information via a web site that receives a report after a redirect. Moderate CVE-2014-1591 SUSE bug 908009 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in the nsHtml5TreeOperation function in xul.dll in Mozilla Firefox before 34.0, Firefox ESR 31.x before 31.3, Thunderbird before 31.3, and SeaMonkey before 2.31 allows remote attackers to execute arbitrary code by adding a second root element to an HTML5 document during parsing. Important CVE-2014-1592 SUSE bug 908009 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Stack-based buffer overflow in the mozilla::FileBlockCache::Read function in Mozilla Firefox before 34.0, Firefox ESR 31.x before 31.3, Thunderbird before 31.3, and SeaMonkey before 2.31 allows remote attackers to execute arbitrary code via crafted media content. Important CVE-2014-1593 SUSE bug 908009 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Mozilla Firefox before 34.0, Firefox ESR 31.x before 31.3, Thunderbird before 31.3, and SeaMonkey before 2.31 might allow remote attackers to execute arbitrary code by leveraging an incorrect cast from the BasicThebesLayer data type to the BasicContainerLayer data type. Moderate CVE-2014-1594 SUSE bug 908009 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Mozilla Firefox before 34.0, Firefox ESR 31.x before 31.3, and Thunderbird before 31.3 on Apple OS X 10.10 omit a CoreGraphics disable-logging action that is needed by jemalloc-based applications, which allows local users to obtain sensitive information by reading /tmp files, as demonstrated by credential information. Moderate CVE-2014-1595 SUSE bug 908009 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The IRQ setup in Xen 4.2.x and 4.3.x, when using device passthrough and configured to support a large number of CPUs, frees certain memory that may still be intended for use, which allows local guest administrators to cause a denial of service (memory corruption and hypervisor crash) and possibly execute arbitrary code via vectors related to an out-of-memory error that triggers a (1) use-after-free or (2) double free. Moderate CVE-2014-1642 SUSE bug 858496 SUSE bug 860092 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The do_physdev_op function in Xen 4.1.5, 4.1.6.1, 4.2.2 through 4.2.3, and 4.3.x does not properly restrict access to the (1) PHYSDEVOP_prepare_msix and (2) PHYSDEVOP_release_msix operations, which allows local PV guests to cause a denial of service (host or guest malfunction) or possibly gain privileges via unspecified vectors. Moderate CVE-2014-1666 SUSE bug 860302 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The raw_cmd_copyin function in drivers/block/floppy.c in the Linux kernel through 3.14.3 does not properly handle error conditions during processing of an FDRAWCMD ioctl call, which allows local users to trigger kfree operations and gain privileges by leveraging write access to a /dev/fd device. Moderate CVE-2014-1737 SUSE bug 875798 SUSE bug 877345 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The raw_cmd_copyout function in drivers/block/floppy.c in the Linux kernel through 3.14.3 does not properly restrict access to certain pointers during processing of an FDRAWCMD ioctl call, which allows local users to obtain sensitive information from kernel heap memory by leveraging write access to a /dev/fd device. Moderate CVE-2014-1738 SUSE bug 875798 SUSE bug 877345 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The media_device_enum_entities function in drivers/media/media-device.c in the Linux kernel before 3.14.6 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory by leveraging /dev/media0 read access for a MEDIA_IOC_ENUM_ENTITIES ioctl call. Moderate CVE-2014-1739 SUSE bug 882804 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The security_context_to_sid_core function in security/selinux/ss/services.c in the Linux kernel before 3.13.4 allows local users to cause a denial of service (system crash) by leveraging the CAP_MAC_ADMIN capability to set a zero-length security context. Moderate CVE-2014-1874 SUSE bug 863335 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The unpacker::redirect_stdio function in unpack.cpp in unpack200 in OpenJDK 6, 7, and 8; Oracle Java SE 5.0u61, 6u71, 7u51, and 8; JRockit R27.8.1 and R28.3.1; and Java SE Embedded 7u51 does not securely create temporary files when a log file cannot be opened, which allows local users to overwrite arbitrary files via a symlink attack on /tmp/unpack.log. Moderate CVE-2014-1876 SUSE bug 863305 SUSE bug 873872 SUSE bug 873873 SUSE bug 877429 SUSE bug 877430 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Stack-based buffer overflow in the cmd_submitf function in cgi/cmd.c in Nagios Core, possibly 4.0.3rc1 and earlier, and Icinga before 1.8.6, 1.9 before 1.9.5, and 1.10 before 1.10.3 allows remote attackers to cause a denial of service (segmentation fault) via a long message to cmd.cgi. Moderate CVE-2014-1878 SUSE bug 864843 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple integer overflows in the (1) FLASK_GETBOOL, (2) FLASK_SETBOOL, (3) FLASK_USER, and (4) FLASK_CONTEXT_TO_SID suboperations in the flask hypercall in Xen 4.3.x, 4.2.x, 4.1.x, 3.2.x, and earlier, when XSM is enabled, allow local users to cause a denial of service (processor fault) via unspecified vectors, a different vulnerability than CVE-2014-1892, CVE-2014-1893, and CVE-2014-1894. Moderate CVE-2014-1891 SUSE bug 860163 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Xen 3.3 through 4.1, when XSM is enabled, allows local users to cause a denial of service via vectors related to a "large memory allocation," a different vulnerability than CVE-2014-1891, CVE-2014-1893, and CVE-2014-1894. Moderate CVE-2014-1892 SUSE bug 860163 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple integer overflows in the (1) FLASK_GETBOOL and (2) FLASK_SETBOOL suboperations in the flask hypercall in Xen 4.1.x, 3.3.x, 3.2.x, and earlier, when XSM is enabled, allow local users to cause a denial of service (processor fault) via unspecified vectors, a different vulnerability than CVE-2014-1891, CVE-2014-1892, and CVE-2014-1894. Moderate CVE-2014-1893 SUSE bug 860163 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple integer overflows in unspecified suboperations in the flask hypercall in Xen 3.2.x and earlier, when XSM is enabled, allow local users to cause a denial of service (processor fault) via unspecified vectors, a different vulnerability than CVE-2014-1891, CVE-2014-1892, and CVE-2014-1893. Moderate CVE-2014-1894 SUSE bug 860163 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Off-by-one error in the flask_security_avc_cachestats function in xsm/flask/flask_op.c in Xen 4.2.x and 4.3.x, when the maximum number of physical CPUs are in use, allows local users to cause a denial of service (host crash) or obtain sensitive information from hypervisor memory by leveraging a FLASK_AVC_CACHESTAT hypercall, which triggers a buffer over-read. Moderate CVE-2014-1895 SUSE bug 860165 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The (1) do_send and (2) do_recv functions in io.c in libvchan in Xen 4.2.x, 4.3.x, and 4.4-RC series allows local guests to cause a denial of service or possibly gain privileges via crafted xenstore ring indexes, which triggers a "read or write past the end of the ring." Moderate CVE-2014-1896 SUSE bug 860300 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string. Important CVE-2014-1912 SUSE bug 1049392 SUSE bug 1049422 SUSE bug 863741 SUSE bug 882915 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The (1) load_djpeg function in JpegImagePlugin.py, (2) Ghostscript function in EpsImagePlugin.py, (3) load function in IptcImagePlugin.py, and (4) _copy function in Image.py in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 do not properly create temporary files, which allow local users to overwrite arbitrary files and obtain sensitive information via a symlink attack on the temporary file. Moderate CVE-2014-1932 SUSE bug 863541 SUSE bug 921566 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The (1) JpegImagePlugin.py and (2) EpsImagePlugin.py scripts in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 uses the names of temporary files on the command line, which makes it easier for local users to conduct symlink attacks by listing the processes. Moderate CVE-2014-1933 SUSE bug 863541 SUSE bug 921566 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Moderate CVE-2014-1947 SUSE bug 863838 SUSE bug 905260 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in the xc_cpupool_getinfo function in Xen 4.1.x through 4.3.x, when using a multithreaded toolstack, does not properly handle a failure by the xc_cpumap_alloc function, which allows local users with access to management functions to cause a denial of service (heap corruption) and possibly gain privileges via unspecified vectors. Moderate CVE-2014-1950 SUSE bug 861256 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Stack-based buffer overflow in the normify function in the rlm_pap module (modules/rlm_pap/rlm_pap.c) in FreeRADIUS 2.x, possibly 2.2.3 and earlier, and 3.x, possibly 3.0.1 and earlier, might allow attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long password hash, as demonstrated by an SSHA hash. Moderate CVE-2014-2015 SUSE bug 864576 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA softmagic.c in file before 5.17 and libmagic allows context-dependent attackers to cause a denial of service (out-of-bounds memory access and crash) via crafted offsets in the softmagic of a PE executable. Moderate CVE-2014-2270 SUSE bug 866750 SUSE bug 883306 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The nfs_name_snoop_add_name function in epan/dissectors/packet-nfs.c in the NFS dissector in Wireshark 1.8.x before 1.8.13 and 1.10.x before 1.10.6 does not validate a certain length value, which allows remote attackers to cause a denial of service (memory corruption and application crash) via a crafted NFS packet. Moderate CVE-2014-2281 SUSE bug 867485 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The dissect_protocol_data_parameter function in epan/dissectors/packet-m3ua.c in the M3UA dissector in Wireshark 1.10.x before 1.10.6 does not properly allocate memory, which allows remote attackers to cause a denial of service (application crash) via a crafted SS7 MTP3 packet. Moderate CVE-2014-2282 SUSE bug 867485 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA epan/dissectors/packet-rlc in the RLC dissector in Wireshark 1.8.x before 1.8.13 and 1.10.x before 1.10.6 uses inconsistent memory-management approaches, which allows remote attackers to cause a denial of service (use-after-free error and application crash) via a crafted UMTS Radio Link Control packet. Moderate CVE-2014-2283 SUSE bug 867485 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The Linux implementation of the ICMP-MIB in Net-SNMP 5.5 before 5.5.2.1, 5.6.x before 5.6.2.1, and 5.7.x before 5.7.2.1 does not properly validate input, which allows remote attackers to cause a denial of service via unspecified vectors. Moderate CVE-2014-2284 SUSE bug 866942 SUSE bug 875217 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in the mpeg_read function in wiretap/mpeg.c in the MPEG parser in Wireshark 1.8.x before 1.8.13 and 1.10.x before 1.10.6 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a large record in MPEG data. Moderate CVE-2014-2299 SUSE bug 867485 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The ip6_route_add function in net/ipv6/route.c in the Linux kernel through 3.13.6 does not properly count the addition of routes, which allows remote attackers to cause a denial of service (memory consumption) via a flood of ICMPv6 Router Advertisement packets. Moderate CVE-2014-2309 SUSE bug 824295 SUSE bug 867531 SUSE bug 889071 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The AgentX subagent in Net-SNMP before 5.4.4 allows remote attackers to cause a denial of service (hang) by sending a multi-object request with an Object ID (OID) containing more subids than previous requests, a different vulnerability than CVE-2012-6151. Moderate CVE-2014-2310 SUSE bug 867349 SUSE bug 875217 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA IKEv2 in strongSwan 4.0.7 before 5.1.3 allows remote attackers to bypass authentication by rekeying an IKE_SA during (1) initiation or (2) re-authentication, which triggers the IKE_SA state to be set to established. Moderate CVE-2014-2338 SUSE bug 870572 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8; JavaFX 2.2.51; and JRockit R27.8.1 and R28.3.1 allows remote authenticated users to affect integrity via unknown vectors related to Javadoc. Low CVE-2014-2398 SUSE bug 873872 SUSE bug 873873 SUSE bug 877429 SUSE bug 877430 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8; JavaFX 2.2.51; and Java SE Embedded 7u51 allows remote attackers to affect confidentiality via unknown vectors related to 2D. Moderate CVE-2014-2401 SUSE bug 877429 SUSE bug 877430 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u51 and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2014-0432 and CVE-2014-0455. Moderate CVE-2014-2402 SUSE bug 873873 SUSE bug 877429 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality and integrity via unknown vectors related to Deployment. Moderate CVE-2014-2409 SUSE bug 877429 SUSE bug 877430 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, SE 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT, a different vulnerability than CVE-2014-0451. Moderate CVE-2014-2412 SUSE bug 873872 SUSE bug 873873 SUSE bug 877429 SUSE bug 877430 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXB. Moderate CVE-2014-2414 SUSE bug 873872 SUSE bug 873873 SUSE bug 877429 SUSE bug 877430 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via unknown vectors related to Partition. Moderate CVE-2014-2419 SUSE bug 873896 SUSE bug 999706 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect integrity via unknown vectors related to Deployment. Low CVE-2014-2420 SUSE bug 877429 SUSE bug 877430 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8; JavaFX 2.2.51; and Java SE Embedded 7u51 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. Important CVE-2014-2421 SUSE bug 873872 SUSE bug 873873 SUSE bug 877429 SUSE bug 877430 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAX-WS, a different vulnerability than CVE-2014-0452 and CVE-2014-0458. Moderate CVE-2014-2423 SUSE bug 873872 SUSE bug 873873 SUSE bug 877429 SUSE bug 877430 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Sound. Moderate CVE-2014-2427 SUSE bug 873872 SUSE bug 873873 SUSE bug 877429 SUSE bug 877430 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. Moderate CVE-2014-2428 SUSE bug 877429 SUSE bug 877430 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.36 and earlier and 5.6.16 and earlier allows remote authenticated users to affect availability via unknown vectors related to Performance Schema. Moderate CVE-2014-2430 SUSE bug 873896 SUSE bug 999706 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.36 and earlier and 5.6.16 and earlier allows remote attackers to affect availability via unknown vectors related to Options. Moderate CVE-2014-2431 SUSE bug 873896 SUSE bug 999706 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability Oracle the MySQL Server component 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via unknown vectors related to Federated. Moderate CVE-2014-2432 SUSE bug 873896 SUSE bug 999706 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.6.15 and earlier allows remote authenticated users to affect availability via vectors related to DML. Moderate CVE-2014-2434 SUSE bug 873896 SUSE bug 999706 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.6.16 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB. Moderate CVE-2014-2435 SUSE bug 1021755 SUSE bug 873896 SUSE bug 999706 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.36 and earlier and 5.6.16 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to RBR. Moderate CVE-2014-2436 SUSE bug 873896 SUSE bug 999706 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via unknown vectors related to Replication. Moderate CVE-2014-2438 SUSE bug 873896 SUSE bug 999706 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the MySQL Client component in Oracle MySQL 5.5.36 and earlier and 5.6.16 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. Moderate CVE-2014-2440 SUSE bug 873896 SUSE bug 999706 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.6.15 and earlier allows remote authenticated users to affect availability via vectors related to MyISAM. Moderate CVE-2014-2442 SUSE bug 873896 SUSE bug 999706 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.6.15 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to InnoDB. Moderate CVE-2014-2444 SUSE bug 873896 SUSE bug 999706 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.6.15 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer. Moderate CVE-2014-2450 SUSE bug 873896 SUSE bug 999706 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.6.15 and earlier allows remote authenticated users to affect availability via unknown vectors related to Privileges. Moderate CVE-2014-2451 SUSE bug 873896 SUSE bug 999706 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.17 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to SRFTS. Moderate CVE-2014-2484 SUSE bug 887580 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.37 and earlier allows remote authenticated users to affect availability via vectors related to ENARC. Moderate CVE-2014-2494 SUSE bug 887580 SUSE bug 915914 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The gdImageCreateFromXpm function in gdxpm.c in libgd, as used in PHP 5.4.26 and earlier, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted color table in an XPM file. Low CVE-2014-2497 SUSE bug 868624 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA net/netfilter/nf_conntrack_proto_dccp.c in the Linux kernel through 3.13.6 uses a DCCP header pointer incorrectly, which allows remote attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a DCCP packet that triggers a call to the (1) dccp_new, (2) dccp_packet, or (3) dccp_error function. Important CVE-2014-2523 SUSE bug 868653 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA kcleanup.cpp in KDirStat 2.7.0 does not properly quote strings when deleting a directory, which allows remote attackers to execute arbitrary commands via a " (double quote) character in the directory name, a different vulnerability than CVE-2014-2528. Moderate CVE-2014-2527 SUSE bug 868682 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA kcleanup.cpp in KDirStat 2.7.3 does not properly quote strings when deleting a directory, which allows remote attackers to execute arbitrary commands via a ' (single quote) character in the directory name, a different vulnerability than CVE-2014-2527. Moderate CVE-2014-2528 SUSE bug 868682 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA sshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv lines in sshd_config, which allows remote attackers to bypass intended environment restrictions by using a substring located before a wildcard character. Moderate CVE-2014-2532 SUSE bug 1074631 SUSE bug 869101 SUSE bug 890850 SUSE bug 915834 SUSE bug 916239 SUSE bug 996040 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple directory traversal vulnerabilities in pam_timestamp.c in the pam_timestamp module for Linux-PAM (aka pam) 1.1.8 allow local users to create arbitrary files or possibly bypass authentication via a .. (dot dot) in the (1) PAM_RUSER value to the get_ruser function or (2) PAM_TTY value to the check_tty function, which is used by the format_timestamp_name function. Moderate CVE-2014-2583 SUSE bug 870433 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The HVMOP_set_mem_access HVM control operations in Xen 4.1.x for 32-bit and 4.1.x through 4.4.x for 64-bit allow local guest administrators to cause a denial of service (CPU consumption) by leveraging access to certain service domains for HVM guests and a large input. Moderate CVE-2014-2599 SUSE bug 867910 SUSE bug 880751 SUSE bug 903970 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The rds_iw_laddr_check function in net/rds/iw.c in the Linux kernel through 3.14 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a bind system call for an RDS socket on a system that lacks RDS transports. Moderate CVE-2014-2678 SUSE bug 871561 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Race condition in the mac80211 subsystem in the Linux kernel before 3.13.7 allows remote attackers to cause a denial of service (system crash) via network traffic that improperly interacts with the WLAN_STA_PS_STA state (aka power-save mode), related to sta_info.c and tx.c. Moderate CVE-2014-2706 SUSE bug 871797 SUSE Linux Enterprise Server 11 SP3-TERADATA Stack-based buffer overflow in cifskey.c or cifscreds.c in cifs-utils before 6.4, as used in pam_cifscreds, allows remote attackers to have unspecified impact via unknown vectors. Moderate CVE-2014-2830 SUSE bug 870168 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in the ping_init_sock function in net/ipv4/ping.c in the Linux kernel through 3.14.1 allows local users to cause a denial of service (use-after-free and system crash) or possibly gain privileges via a crafted application that leverages an improperly managed reference counter. Moderate CVE-2014-2851 SUSE bug 824295 SUSE bug 873374 SUSE bug 889071 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA strongSwan before 5.1.2 allows remote attackers to cause a denial of service (NULL pointer dereference and IKE daemon crash) via a crafted ID_DER_ASN1_DN ID payload. Important CVE-2014-2891 SUSE bug 876449 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Off-by-one error in the cmd_smart function in the smart self test in hw/ide/core.c in QEMU before 2.0 allows local users to have unspecified impact via a SMART EXECUTE OFFLINE command that triggers a buffer underflow and memory corruption. Moderate CVE-2014-2894 SUSE bug 874749 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA ** DISPUTED ** Incomplete blacklist vulnerability in nrpe.c in Nagios Remote Plugin Executor (NRPE) 2.15 and earlier allows remote attackers to execute arbitrary commands via a newline character in the -a option to libexec/check_nrpe. NOTE: this issue is disputed by multiple parties. It has been reported that the vendor allows newlines as "expected behavior." Also, this issue can only occur when the administrator enables the "dont_blame_nrpe" option in nrpe.conf despite the "HIGH security risk" warning within the comments. Important CVE-2014-2913 SUSE bug 874743 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in IBM Java Runtime Environment (JRE) 7 R1 before SR2 (7.1.2.0), 7 before SR8 (7.0.8.0), 6 R1 before SR8 FP2 (6.1.8.2), 6 before SR16 FP2 (6.0.16.2), and before SR16 FP8 (5.0.16.8) allows local users to execute arbitrary code via vectors related to the shared classes cache. Moderate CVE-2014-3065 SUSE bug 904889 SUSE bug 930365 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The try_to_unmap_cluster function in mm/rmap.c in the Linux kernel before 3.14.3 does not properly consider which pages must be locked, which allows local users to cause a denial of service (system crash) by triggering a memory-usage pattern that requires removal of page-table mappings. Moderate CVE-2014-3122 SUSE bug 824295 SUSE bug 876102 SUSE bug 889071 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The (1) BPF_S_ANC_NLATTR and (2) BPF_S_ANC_NLATTR_NEST extension implementations in the sk_run_filter function in net/core/filter.c in the Linux kernel through 3.14.3 do not check whether a certain length value is sufficiently large, which allows local users to cause a denial of service (integer underflow and system crash) via crafted BPF instructions. NOTE: the affected code was moved to the __skb_get_nlattr and __skb_get_nlattr_nest functions before the vulnerability was announced. Moderate CVE-2014-3144 SUSE bug 824295 SUSE bug 877257 SUSE bug 889071 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The BPF_S_ANC_NLATTR_NEST extension implementation in the sk_run_filter function in net/core/filter.c in the Linux kernel through 3.14.3 uses the reverse order in a certain subtraction, which allows local users to cause a denial of service (over-read and system crash) via crafted BPF instructions. NOTE: the affected code was moved to the __skb_get_nlattr_nest function before the vulnerability was announced. Moderate CVE-2014-3145 SUSE bug 824295 SUSE bug 877257 SUSE bug 889071 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the clean_html function. Moderate CVE-2014-3146 SUSE bug 1118088 SUSE bug 877258 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The futex_requeue function in kernel/futex.c in the Linux kernel through 3.14.5 does not ensure that calls have two different futex addresses, which allows local users to gain privileges via a crafted FUTEX_REQUEUE command that facilitates unsafe waiter modification. Important CVE-2014-3153 SUSE bug 877775 SUSE bug 880892 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in the getword function in options.c in pppd in Paul's PPP Package (ppp) before 2.4.7 allows attackers to "access privileged options" via a long word in an options file, which triggers a heap-based buffer overflow that "[corrupts] security-relevant variables." Moderate CVE-2014-3158 SUSE bug 891489 SUSE bug 969773 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple stack-based buffer overflows in the magicmouse_raw_event function in drivers/hid/hid-magicmouse.c in the Magic Mouse HID driver in the Linux kernel through 3.16.3 allow physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a crafted device that provides a large amount of (1) EHCI or (2) XHCI data associated with an event. Moderate CVE-2014-3181 SUSE bug 896382 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The report_fixup functions in the HID subsystem in the Linux kernel before 3.16.2 might allow physically proximate attackers to cause a denial of service (out-of-bounds write) via a crafted device that provides a small report descriptor, related to (1) drivers/hid/hid-cherry.c, (2) drivers/hid/hid-kye.c, (3) drivers/hid/hid-lg.c, (4) drivers/hid/hid-monterey.c, (5) drivers/hid/hid-petalynx.c, and (6) drivers/hid/hid-sunplus.c. Moderate CVE-2014-3184 SUSE bug 896390 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple buffer overflows in the command_port_read_callback function in drivers/usb/serial/whiteheat.c in the Whiteheat USB Serial Driver in the Linux kernel before 3.16.2 allow physically proximate attackers to execute arbitrary code or cause a denial of service (memory corruption and system crash) via a crafted device that provides a large amount of (1) EHCI or (2) XHCI data associated with a bulk response. Moderate CVE-2014-3185 SUSE bug 896391 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in the picolcd_raw_event function in devices/hid/hid-picolcd_core.c in the PicoLCD HID device driver in the Linux kernel through 3.16.3, as used in Android on Nexus 7 devices, allows physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a crafted device that sends a large report. Moderate CVE-2014-3186 SUSE bug 896392 SUSE Linux Enterprise Server 11 SP3-TERADATA seunshare in policycoreutils 2.2.5 is owned by root with 4755 permissions, and executes programs in a way that changes the relationship between the setuid system call and the getresuid saved set-user-ID value, which makes it easier for local users to gain privileges by leveraging a program that mistakenly expected that it could permanently drop privileges. Moderate CVE-2014-3215 SUSE bug 876832 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Untrusted search path vulnerability in Puppet Enterprise 2.8 before 2.8.7, Puppet before 2.7.26 and 3.x before 3.6.2, Facter 1.6.x and 2.x before 2.0.2, Hiera before 1.3.4, and Mcollective before 2.5.2, when running with Ruby 1.9.1 or earlier, allows local users to gain privileges via a Trojan horse file in the current working directory, as demonstrated using (1) rubygems/defaults/operating_system.rb, (2) Win32API.rb, (3) Win32API.so, (4) safe_yaml.rb, (5) safe_yaml/deep.rb, or (6) safe_yaml/deep.so; or (7) operatingsystem.rb, (8) operatingsystem.so, (9) osfamily.rb, or (10) osfamily.so in puppet/confine. Moderate CVE-2014-3248 SUSE bug 879913 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The default vhost configuration file in Puppet before 3.6.2 does not include the SSLCARevocationCheck directive, which might allow remote attackers to obtain sensitive information via a revoked certificate when a Puppet master runs with Apache 2.4. Moderate CVE-2014-3250 SUSE bug 879913 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA lisp/gnus/gnus-fun.el in GNU Emacs 24.3 and earlier allows local users to overwrite arbitrary files via a symlink attack on the /tmp/gnus.face.ppm temporary file. Moderate CVE-2014-3421 SUSE bug 876847 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA lisp/emacs-lisp/find-gc.el in GNU Emacs 24.3 and earlier allows local users to overwrite arbitrary files via a symlink attack on a temporary file under /tmp/esrc/. Moderate CVE-2014-3422 SUSE bug 876847 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA lisp/net/browse-url.el in GNU Emacs 24.3 and earlier allows local users to overwrite arbitrary files via a symlink attack on a /tmp/Mosaic.##### temporary file. Moderate CVE-2014-3423 SUSE bug 876847 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA lisp/net/tramp-sh.el in GNU Emacs 24.3 and earlier allows local users to overwrite arbitrary files via a symlink attack on a /tmp/tramp.##### temporary file. Moderate CVE-2014-3424 SUSE bug 876847 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA hw/usb/bus.c in QEMU 1.6.2 allows remote attackers to execute arbitrary code via crafted savevm data, which triggers a heap-based buffer overflow, related to "USB post load checks." Moderate CVE-2014-3461 SUSE bug 878541 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in the read_server_hello function in lib/gnutls_handshake.c in GnuTLS before 3.1.25, 3.2.x before 3.2.15, and 3.3.x before 3.3.4 allows remote servers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a long session id in a ServerHello message. Moderate CVE-2014-3466 SUSE bug 880730 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple unspecified vulnerabilities in the DER decoder in GNU Libtasn1 before 3.6, as used in GnuTLS, allow remote attackers to cause a denial of service (out-of-bounds read) via crafted ASN.1 data. Moderate CVE-2014-3467 SUSE bug 880737 SUSE bug 880910 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The asn1_get_bit_der function in GNU Libtasn1 before 3.6 does not properly report an error when a negative bit length is identified, which allows context-dependent attackers to cause out-of-bounds access via crafted ASN.1 data. Moderate CVE-2014-3468 SUSE bug 880735 SUSE bug 880910 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The (1) asn1_read_value_type and (2) asn1_read_value functions in GNU Libtasn1 before 3.6 allows context-dependent attackers to cause a denial of service (NULL pointer dereference and crash) via a NULL value in an ivalue argument. Moderate CVE-2014-3469 SUSE bug 880738 SUSE bug 880910 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h, when an anonymous ECDH cipher suite is used, allows remote attackers to cause a denial of service (NULL pointer dereference and client crash) by triggering a NULL certificate value. Moderate CVE-2014-3470 SUSE bug 880891 SUSE bug 883126 SUSE bug 885777 SUSE bug 905106 SUSE bug 915913 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The dbus-daemon in D-Bus 1.2.x through 1.4.x, 1.6.x before 1.6.20, and 1.8.x before 1.8.4, sends an AccessDenied error to the service instead of a client when the client is prohibited from accessing the service, which allows local users to cause a denial of service (initialization failure and exit) or possibly conduct a side-channel attack via a D-Bus message to an inactive service. Moderate CVE-2014-3477 SUSE bug 1010769 SUSE bug 881137 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in the mconvert function in softmagic.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (application crash) via a crafted Pascal string in a FILE_PSTRING conversion. Moderate CVE-2014-3478 SUSE bug 884987 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The cdf_check_stream_offset function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, relies on incorrect sector-size data, which allows remote attackers to cause a denial of service (application crash) via a crafted stream offset in a CDF file. Moderate CVE-2014-3479 SUSE bug 884989 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The cdf_count_chain function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, does not properly validate sector-count data, which allows remote attackers to cause a denial of service (application crash) via a crafted CDF file. Moderate CVE-2014-3480 SUSE bug 884990 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The cdf_read_property_info function in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, does not properly validate a stream offset, which allows remote attackers to cause a denial of service (application crash) via a crafted CDF file. Moderate CVE-2014-3487 SUSE bug 884991 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The push_ascii function in smbd in Samba 3.6.x before 3.6.24, 4.0.x before 4.0.19, and 4.1.x before 4.1.9 allows remote authenticated users to cause a denial of service (memory corruption and daemon crash) via an attempt to read a Unicode pathname without specifying use of Unicode, leading to a character-set conversion failure that triggers an invalid pointer dereference. Moderate CVE-2014-3493 SUSE bug 878642 SUSE bug 880962 SUSE bug 883758 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Double free vulnerability in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (application crash) via crafted DTLS packets that trigger an error condition. Important CVE-2014-3505 SUSE bug 890759 SUSE bug 890764 SUSE bug 890767 SUSE bug 905106 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via crafted DTLS handshake messages that trigger memory allocations corresponding to large length values. Important CVE-2014-3506 SUSE bug 890759 SUSE bug 890764 SUSE bug 890768 SUSE bug 905106 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via zero-length DTLS fragments that trigger improper handling of the return value of a certain insert function. Important CVE-2014-3507 SUSE bug 890759 SUSE bug 890764 SUSE bug 890769 SUSE bug 905106 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The OBJ_obj2txt function in crypto/objects/obj_dat.c in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i, when pretty printing is used, does not ensure the presence of '\0' characters, which allows context-dependent attackers to obtain sensitive information from process stack memory by reading output from X509_name_oneline, X509_name_print_ex, and unspecified other functions. Important CVE-2014-3508 SUSE bug 890759 SUSE bug 890764 SUSE bug 905106 SUSE bug 950708 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote DTLS servers to cause a denial of service (NULL pointer dereference and client application crash) via a crafted handshake message in conjunction with a (1) anonymous DH or (2) anonymous ECDH ciphersuite. Important CVE-2014-3510 SUSE bug 890759 SUSE bug 890764 SUSE bug 890770 SUSE bug 905106 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The SPL component in PHP before 5.4.30 and 5.5.x before 5.5.14 incorrectly anticipates that certain data structures will have the array data type after unserialization, which allows remote attackers to execute arbitrary code via a crafted string that triggers use of a Hashtable destructor, related to "type confusion" issues in (1) ArrayObject and (2) SPLObjectStorage. Moderate CVE-2014-3515 SUSE bug 884992 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The web interface in CUPS before 1.7.4 allows local users in the lp group to read arbitrary files via a symlink attack on a file in /var/cache/cups/rss/. Moderate CVE-2014-3537 SUSE bug 887240 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple heap-based buffer overflows in the status_handler function in (1) engine-gpgsm.c and (2) engine-uiserver.c in GPGME before 1.5.1 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to "different line lengths in a specific order." Moderate CVE-2014-3564 SUSE bug 890123 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA snmplib/mib.c in net-snmp 5.7.0 and earlier, when the -OQ option is used, allows remote attackers to cause a denial of service (snmptrapd crash) via a crafted SNMP trap message, which triggers a conversion to the variable type designated in the MIB file, as demonstrated by a NULL type in an ifMtu trap message. Moderate CVE-2014-3565 SUSE bug 894361 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue. Moderate CVE-2014-3566 SUSE bug 1011293 SUSE bug 1031023 SUSE bug 901223 SUSE bug 901254 SUSE bug 901277 SUSE bug 901748 SUSE bug 901757 SUSE bug 901759 SUSE bug 901889 SUSE bug 901968 SUSE bug 902229 SUSE bug 902476 SUSE bug 902912 SUSE bug 903405 SUSE bug 903684 SUSE bug 903690 SUSE bug 903692 SUSE bug 904889 SUSE bug 905106 SUSE bug 914041 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Memory leak in the tls_decrypt_ticket function in t1_lib.c in OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j allows remote attackers to cause a denial of service (memory consumption) via a crafted session ticket that triggers an integrity-check failure. Important CVE-2014-3567 SUSE bug 877506 SUSE bug 901277 SUSE bug 902912 SUSE bug 903690 SUSE bug 903692 SUSE bug 905106 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j does not properly enforce the no-ssl3 build option, which allows remote attackers to bypass intended access restrictions via an SSL 3.0 handshake, related to s23_clnt.c and s23_srvr.c. Low CVE-2014-3568 SUSE bug 901277 SUSE bug 902912 SUSE bug 905106 SUSE bug 911399 SUSE bug 986238 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 0.9.8zc, 1.0.0o, and 1.0.1j does not properly handle attempts to use unsupported protocols, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unexpected handshake, as demonstrated by an SSLv3 handshake to a no-ssl3 application with certain error handling. NOTE: this issue became relevant after the CVE-2014-3568 fix. Moderate CVE-2014-3569 SUSE bug 911399 SUSE bug 920339 SUSE bug 927623 SUSE bug 986238 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The BN_sqr implementation in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not properly calculate the square of a BIGNUM value, which might make it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors, related to crypto/bn/asm/mips.pl, crypto/bn/asm/x86_64-gcc.c, and crypto/bn/bn_asm.c. Moderate CVE-2014-3570 SUSE bug 912296 SUSE bug 920339 SUSE bug 927623 SUSE bug 937891 SUSE bug 944456 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted DTLS message that is processed with a different read operation for the handshake header than for the handshake body, related to the dtls1_get_record function in d1_pkt.c and the ssl3_read_n function in s3_pkt.c. Moderate CVE-2014-3571 SUSE bug 912294 SUSE bug 920339 SUSE bug 927623 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct ECDHE-to-ECDH downgrade attacks and trigger a loss of forward secrecy by omitting the ServerKeyExchange message. Moderate CVE-2014-3572 SUSE bug 912015 SUSE bug 920339 SUSE bug 927623 SUSE bug 937891 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The cache_merge_headers_out function in modules/cache/cache_util.c in the mod_cache module in the Apache HTTP Server before 2.4.11 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty HTTP Content-Type header. Low CVE-2014-3581 SUSE bug 899836 SUSE bug 914956 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in the cdf_read_property_info function in cdf.c in file through 5.19, as used in the Fileinfo component in PHP before 5.4.32 and 5.5.x before 5.5.16, allows remote attackers to cause a denial of service (application crash) via a crafted CDF file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1571. Moderate CVE-2014-3587 SUSE bug 987530 SUSE bug 998845 SUSE OpenStack Cloud 5 PIL/IcnsImagePlugin.py in Python Imaging Library (PIL) and Pillow before 2.3.2 and 2.5.x before 2.5.2 allows remote attackers to cause a denial of service via a crafted block size. Moderate CVE-2014-3589 SUSE bug 921566 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Moderate CVE-2014-3591 SUSE bug 920057 SUSE bug 949135 SUSE Linux Enterprise Server 11 SP3-TERADATA The getCN function in Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5784. Moderate CVE-2014-3596 SUSE bug 1134598 SUSE OpenStack Cloud 5 The Jpeg2KImagePlugin plugin in Pillow before 2.5.3 allows remote attackers to cause a denial of service via a crafted image. Moderate CVE-2014-3598 SUSE bug 921566 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The kvm_iommu_map_pages function in virt/kvm/iommu.c in the Linux kernel through 3.16.1 miscalculates the number of pages during the handling of a mapping failure, which allows guest OS users to (1) cause a denial of service (host OS memory corruption) or possibly have unspecified other impact by triggering a large gfn value or (2) cause a denial of service (host OS memory consumption) by triggering a small gfn value that leads to permanently pinned pages. Moderate CVE-2014-3601 SUSE bug 892782 SUSE bug 902675 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA HttpHdrRange.cc in Squid 3.x before 3.3.12 and 3.4.x before 3.4.6 allows remote attackers to cause a denial of service (crash) via a request with crafted "Range headers with unidentifiable byte-range values." Moderate CVE-2014-3609 SUSE bug 893649 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The WRMSR processing functionality in the KVM subsystem in the Linux kernel through 3.17.2 does not properly handle the writing of a non-canonical address to a model-specific register, which allows guest OS users to cause a denial of service (host OS crash) by leveraging guest OS privileges, related to the wrmsr_interception function in arch/x86/kvm/svm.c and the handle_wrmsr function in arch/x86/kvm/vmx.c. Moderate CVE-2014-3610 SUSE bug 899192 SUSE Linux Enterprise Server 11 SP3-TERADATA Race condition in the __kvm_migrate_pit_timer function in arch/x86/kvm/i8254.c in the KVM subsystem in the Linux kernel through 3.17.2 allows guest OS users to cause a denial of service (host OS crash) by leveraging incorrect PIT emulation. Important CVE-2014-3611 SUSE bug 899192 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA cURL and libcurl before 7.38.0 does not properly handle IP addresses in cookie domain names, which allows remote attackers to set cookies for or send arbitrary cookies to certain sites, as demonstrated by a site at 192.168.0.1 setting cookies for a site at 127.168.0.1. Moderate CVE-2014-3613 SUSE bug 894575 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The VGA emulator in QEMU allows local guest users to read host memory by setting the display to a high resolution. Moderate CVE-2014-3615 SUSE bug 895528 SUSE bug 918998 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in formisc.c in formail in procmail 3.22 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted email header, related to "unbalanced quotes." Moderate CVE-2014-3618 SUSE bug 1068648 SUSE bug 894999 SUSE bug 898303 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The qemuDomainGetBlockIoTune function in qemu/qemu_driver.c in libvirt before 1.2.9, when a disk has been hot-plugged or removed from the live image, allows remote attackers to cause a denial of service (crash) or read sensitive heap information via a crafted blkiotune query, which triggers an out-of-bounds read. Low CVE-2014-3633 SUSE bug 897783 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA rsyslog before 7.6.6 and 8.x before 8.4.1 and sysklogd 1.5 and earlier allows remote attackers to cause a denial of service (crash), possibly execute arbitrary code, or have other unspecified impact via a crafted priority (PRI) value that triggers an out-of-bounds array access. Important CVE-2014-3634 SUSE bug 897262 SUSE bug 899756 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The bus_connections_check_reply function in config-parser.c in D-Bus before 1.6.24 and 1.8.x before 1.8.8 allows local users to cause a denial of service (CPU consumption) via a large number of method calls. Moderate CVE-2014-3638 SUSE bug 896453 SUSE bug 902912 SUSE bug 903055 SUSE bug 903057 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The sosendto function in slirp/udp.c in QEMU before 2.1.2 allows local users to cause a denial of service (NULL pointer dereference) by sending a udp packet with a value of 0 in the source port and address, which triggers access of an uninitialized socket. CVE-2014-3640 SUSE bug 897654 SUSE bug 965112 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel through 3.17.2 does not have an exit handler for the INVVPID instruction, which allows guest OS users to cause a denial of service (guest OS crash) via a crafted application. Moderate CVE-2014-3646 SUSE bug 899192 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA arch/x86/kvm/emulate.c in the KVM subsystem in the Linux kernel through 3.17.2 does not properly perform RIP changes, which allows guest OS users to cause a denial of service (guest OS crash) via a crafted application. Moderate CVE-2014-3647 SUSE bug 1013038 SUSE bug 1134834 SUSE bug 899192 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The virDomainListPopulate function in conf/domain_conf.c in libvirt before 1.2.9 does not clean up the lock on the list of domains, which allows remote attackers to cause a denial of service (deadlock) via a NULL value in the second parameter in the virConnectListAllDomains API command. Moderate CVE-2014-3657 SUSE bug 897783 SUSE bug 899484 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA parser.c in libxml2 before 2.9.2 does not properly prevent entity expansion even when entity substitution has been disabled, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted XML document containing a large number of nested entity references, a variant of the "billion laughs" attack. Moderate CVE-2014-3660 SUSE bug 1123919 SUSE bug 901546 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in the date_from_ISO8601 function in the mkgmtime implementation in libxmlrpc/xmlrpc.c in the XMLRPC extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) via (1) a crafted first argument to the xmlrpc_set_type function or (2) a crafted argument to the xmlrpc_decode function, related to an out-of-bounds read operation. Moderate CVE-2014-3668 SUSE bug 902368 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in the object_custom function in ext/standard/var_unserializer.c in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an argument to the unserialize function that triggers calculation of a large length value. Moderate CVE-2014-3669 SUSE bug 902360 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The exif_ifd_make_value function in exif.c in the EXIF extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 operates on floating-point arrays incorrectly, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via a crafted JPEG image with TIFF thumbnail data that is improperly handled by the exif_thumbnail function. Moderate CVE-2014-3670 SUSE bug 902357 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The qemu implementation in libvirt before 1.3.0 and Xen allows local guest OS users to cause a denial of service (host disk consumption) by writing to stdout or stderr. Moderate CVE-2014-3672 SUSE bug 981264 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The SCTP implementation in the Linux kernel through 3.17.2 allows remote attackers to cause a denial of service (system crash) via a malformed ASCONF chunk, related to net/sctp/sm_make_chunk.c and net/sctp/sm_statefuns.c. Important CVE-2014-3673 SUSE bug 902346 SUSE bug 902349 SUSE bug 904899 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Shim allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted DHCPv6 packet. Moderate CVE-2014-3675 SUSE bug 889332 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in Shim allows remote attackers to execute arbitrary code via a crafted IPv6 address, related to the "tftp:// DHCPv6 boot option." Moderate CVE-2014-3676 SUSE bug 889332 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Shim might allow attackers to execute arbitrary code via a crafted MOK list, which triggers memory corruption. Moderate CVE-2014-3677 SUSE bug 889332 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in rsyslog before 7.6.7 and 8.x before 8.4.2 and sysklogd 1.5 and earlier allows remote attackers to cause a denial of service (crash) via a large priority (PRI) value. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3634. Moderate CVE-2014-3683 SUSE bug 897262 SUSE bug 899756 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA wpa_supplicant and hostapd 0.7.2 through 2.2, when running with certain configurations and using wpa_cli or hostapd_cli with action scripts, allows remote attackers to execute arbitrary commands via a crafted frame. Moderate CVE-2014-3686 SUSE bug 1063667 SUSE bug 900611 SUSE bug 915323 SUSE Linux Enterprise Server 11 SP3 The sctp_assoc_lookup_asconf_ack function in net/sctp/associola.c in the SCTP implementation in the Linux kernel through 3.17.2 allows remote attackers to cause a denial of service (panic) via duplicate ASCONF chunks that trigger an incorrect uncork within the side-effect interpreter. Important CVE-2014-3687 SUSE bug 902349 SUSE bug 904899 SUSE bug 909208 SUSE Linux Enterprise Server 11 SP3 The SCTP implementation in the Linux kernel before 3.17.4 allows remote attackers to cause a denial of service (memory consumption) by triggering a large number of chunks in an association's output queue, as demonstrated by ASCONF probes, related to net/sctp/inqueue.c and net/sctp/sm_statefuns.c. Important CVE-2014-3688 SUSE bug 902351 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The vmware-vga driver (hw/display/vmware_vga.c) in QEMU allows local guest users to write to qemu memory locations and gain privileges via unspecified parameters related to rectangle handling. Moderate CVE-2014-3689 SUSE bug 901508 SUSE bug 962611 SUSE Linux Enterprise Server 11 SP3 arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel before 3.17.2 on Intel processors does not ensure that the value in the CR4 control register remains the same after a VM entry, which allows host OS users to kill arbitrary processes or cause a denial of service (system disruption) by leveraging /dev/kvm access, as demonstrated by PR_SET_TSC prctl calls within a modified copy of QEMU. Moderate CVE-2014-3690 SUSE bug 902232 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The curl_easy_duphandle function in libcurl 7.17.1 through 7.38.0, when running with the CURLOPT_COPYPOSTFIELDS option, does not properly copy HTTP POST data for an easy handle, which triggers an out-of-bounds read that allows remote web servers to read sensitive memory information. Moderate CVE-2014-3707 SUSE bug 901924 SUSE bug 951391 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The donote function in readelf.c in file through 5.20, as used in the Fileinfo component in PHP 5.4.34, does not ensure that sufficient note headers are present, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted ELF file. Moderate CVE-2014-3710 SUSE bug 902367 SUSE bug 910252 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA kernel/auditsc.c in the Linux kernel through 3.14.5, when CONFIG_AUDITSYSCALL is enabled with certain syscall rules, allows local users to obtain potentially sensitive single-bit values from kernel memory or cause a denial of service (OOPS) via a large value of a syscall number. Moderate CVE-2014-3917 SUSE bug 880484 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The sm_close_on_exec function in conf.c in sendmail before 8.14.9 has arguments in the wrong order, and consequently skips setting expected FD_CLOEXEC flags, which allows local users to access unintended high-numbered file descriptors via a custom mail-delivery program. Low CVE-2014-3956 SUSE bug 881284 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The HVMOP_inject_msi function in Xen 4.2.x, 4.3.x, and 4.4.x does not properly check the return value from the IRQ setup check, which allows local HVM guest administrators to cause a denial of service (NULL pointer dereference and crash) via unspecified vectors. Moderate CVE-2014-3967 SUSE bug 878841 SUSE bug 880751 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The HVMOP_inject_msi function in Xen 4.2.x, 4.3.x, and 4.4.x allows local guest HVM administrators to cause a denial of service (host crash) via a large number of crafted requests, which trigger an error messages to be logged. Moderate CVE-2014-3968 SUSE bug 878841 SUSE bug 880751 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The pa_rtp_recv function in modules/rtp/rtp.c in the module-rtp-recv module in PulseAudio 5.0 and earlier allows remote attackers to cause a denial of service (assertion failure and abort) via an empty UDP packet. CVE-2014-3970 SUSE bug 881524 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Xen 3.2.x through 4.4.x does not properly clean memory pages recovered from guests, which allows local guest OS users to obtain sensitive information via unspecified vectors. Moderate CVE-2014-4021 SUSE bug 880751 SUSE bug 903970 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The rd_build_device_space function in drivers/target/target_core_rd.c in the Linux kernel before 3.14 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from ramdisk_mcp memory by leveraging access to a SCSI initiator. Moderate CVE-2014-4027 SUSE bug 882639 SUSE Linux Enterprise Server 11 SP3 ppc64-diag 2.6.1 allows local users to overwrite arbitrary files via a symlink attack related to (1) rtas_errd/diag_support.c and /tmp/get_dt_files, (2) scripts/ppc64_diag_mkrsrc and /tmp/diagSEsnap/snapH.tar.gz, or (3) lpd/test/lpd_ela_test.sh and /var/tmp/ras. Moderate CVE-2014-4038 SUSE bug 882667 SUSE Linux Enterprise Server 11 SP3 ppc64-diag 2.6.1 uses 0775 permissions for /tmp/diagSEsnap and does not properly restrict permissions for /tmp/diagSEsnap/snapH.tar.gz, which allows local users to obtain sensitive information by reading files in this archive, as demonstrated by /var/log/messages and /etc/yaboot.conf. Moderate CVE-2014-4039 SUSE bug 882667 SUSE Linux Enterprise Server 11 SP3 snap in powerpc-utils 1.2.20 produces an archive with fstab and yaboot.conf files potentially containing cleartext passwords, and lacks a warning about reviewing this archive to detect included passwords, which might allow remote attackers to obtain sensitive information by leveraging access to a technical-support data stream. Moderate CVE-2014-4040 SUSE bug 883174 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The posix_spawn_file_actions_addopen function in glibc before 2.20 does not copy its path argument in accordance with the POSIX specification, which allows context-dependent attackers to trigger use-after-free vulnerabilities. Moderate CVE-2014-4043 SUSE bug 882600 SUSE bug 939797 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the php_parserr function in ext/standard/dns.c in PHP 5.6.0beta4 and earlier allows remote servers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted DNS TXT record, related to the dns_get_record function. Moderate CVE-2014-4049 SUSE bug 882992 SUSE bug 893853 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA mm/shmem.c in the Linux kernel through 3.15.1 does not properly implement the interaction between range notification and hole punching, which allows local users to cause a denial of service (i_mutex hold) by using the mmap system call to access a hole, as demonstrated by interfering with intended shmem activity by blocking completion of (1) an MADV_REMOVE madvise call or (2) an FALLOC_FL_PUNCH_HOLE fallocate call. Moderate CVE-2014-4171 SUSE bug 883518 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.37 and earlier allows remote authenticated users to affect availability via vectors related to SROPTZR. Moderate CVE-2014-4207 SUSE bug 887580 SUSE bug 915914 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java SE component in Oracle Java SE 7u60 and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2014-4220. Moderate CVE-2014-4208 SUSE bug 887530 SUSE bug 891701 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality and integrity via vectors related to JMX. Moderate CVE-2014-4209 SUSE bug 887530 SUSE bug 891699 SUSE bug 891700 SUSE bug 891701 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.17 and earlier allows remote authenticated users to affect availability via vectors related to SRSP. Moderate CVE-2014-4214 SUSE bug 887580 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Libraries. Moderate CVE-2014-4218 SUSE bug 887530 SUSE bug 891699 SUSE bug 891700 SUSE bug 891701 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot. Moderate CVE-2014-4219 SUSE bug 887530 SUSE bug 891699 SUSE bug 891700 SUSE bug 891701 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u60 and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2014-4208. Moderate CVE-2014-4220 SUSE bug 887530 SUSE bug 891701 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u60 and 8u5 allows remote attackers to affect confidentiality via unknown vectors related to Libraries. Moderate CVE-2014-4221 SUSE bug 887530 SUSE bug 891701 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. Moderate CVE-2014-4227 SUSE bug 887530 SUSE bug 891700 SUSE bug 891701 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.17 and earlier allows remote authenticated users to affect availability via vectors related to SRREP. Moderate CVE-2014-4233 SUSE bug 887580 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.17 and earlier allows remote authenticated users to affect availability via vectors related to SROPTZR. Moderate CVE-2014-4238 SUSE bug 887580 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.17 and earlier allows local users to affect confidentiality and integrity via vectors related to SRREP. Moderate CVE-2014-4240 SUSE bug 887580 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via vectors related to ENFED. Moderate CVE-2014-4243 SUSE bug 887580 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5, and JRockit R27.8.2 and JRockit R28.3.2, allows remote attackers to affect confidentiality and integrity via unknown vectors related to Security. Moderate CVE-2014-4244 SUSE bug 887530 SUSE bug 891699 SUSE bug 891700 SUSE bug 891701 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality via unknown vectors related to Security. Moderate CVE-2014-4252 SUSE bug 887530 SUSE bug 891699 SUSE bug 891700 SUSE bug 891701 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.37 and earlier and 5.6.17 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to SRINFOSC. Moderate CVE-2014-4258 SUSE bug 887580 SUSE bug 915914 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.37 and earlier, and 5.6.17 and earlier, allows remote authenticated users to affect integrity and availability via vectors related to SRCHAR. Moderate CVE-2014-4260 SUSE bug 887580 SUSE bug 915914 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. Moderate CVE-2014-4262 SUSE bug 887530 SUSE bug 891699 SUSE bug 891700 SUSE bug 891701 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5, and JRockit R27.8.2 and R28.3.2, allows remote attackers to affect confidentiality and integrity via unknown vectors related to "Diffie-Hellman key agreement." Moderate CVE-2014-4263 SUSE bug 887530 SUSE bug 891699 SUSE bug 891700 SUSE bug 891701 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment. Moderate CVE-2014-4265 SUSE bug 887530 SUSE bug 891700 SUSE bug 891701 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u60 and 8u5 allows remote attackers to affect integrity via unknown vectors related to Serviceability. Moderate CVE-2014-4266 SUSE bug 887530 SUSE bug 891701 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality via unknown vectors related to Swing. Moderate CVE-2014-4268 SUSE bug 887530 SUSE bug 891699 SUSE bug 891700 SUSE bug 891701 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier and 5.6.19 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to SERVER:MyISAM. Moderate CVE-2014-4274 SUSE bug 857678 SUSE bug 896400 SUSE bug 901237 SUSE bug 915913 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier and 5.6.19 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:CHARACTER SETS. Moderate CVE-2014-4287 SUSE bug 901237 SUSE bug 915913 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-6493, CVE-2014-6503, and CVE-2014-6532. Moderate CVE-2014-4288 SUSE bug 901239 SUSE bug 901242 SUSE bug 901246 SUSE bug 904889 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The Dumper method in Data::Dumper before 2.154, as used in Perl 5.20.1 and earlier, allows context-dependent attackers to cause a denial of service (stack consumption and crash) via an Array-Reference with many nested Array-References, which triggers a large number of recursive calls to the DD_dump function. Moderate CVE-2014-4330 SUSE bug 896715 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA MIT Kerberos 5 (aka krb5) before 1.12.2 allows remote attackers to cause a denial of service (buffer over-read and application crash) by injecting invalid tokens into a GSSAPI application session. Moderate CVE-2014-4341 SUSE bug 770172 SUSE bug 886016 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA MIT Kerberos 5 (aka krb5) 1.7.x through 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (buffer over-read or NULL pointer dereference, and application crash) by injecting invalid tokens into a GSSAPI application session. Moderate CVE-2014-4342 SUSE bug 770172 SUSE bug 886016 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Double free vulnerability in the init_ctx_reselect function in the SPNEGO initiator in lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.10.x through 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via network traffic that appears to come from an intended acceptor, but specifies a security mechanism different from the one proposed by the initiator. Moderate CVE-2014-4343 SUSE bug 770172 SUSE bug 888697 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The acc_ctx_cont function in the SPNEGO acceptor in lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.5.x through 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty continuation token at a certain point during a SPNEGO negotiation. Moderate CVE-2014-4344 SUSE bug 888697 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Off-by-one error in the krb5_encode_krbsecretkey function in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in the LDAP KDB module in kadmind in MIT Kerberos 5 (aka krb5) 1.6.x through 1.11.x before 1.11.6 and 1.12.x before 1.12.2 allows remote authenticated users to cause a denial of service (buffer overflow) or possibly execute arbitrary code via a series of "cpw -keepold" commands. Important CVE-2014-4345 SUSE bug 770172 SUSE bug 891082 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA arch/x86/kernel/entry_32.S in the Linux kernel through 3.15.1 on 32-bit x86 platforms, when syscall auditing is enabled and the sep CPU feature flag is set, allows local users to cause a denial of service (OOPS and system crash) via an invalid syscall number, as demonstrated by number 1000. Moderate CVE-2014-4508 SUSE bug 883724 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Moderate CVE-2014-4607 SUSE bug 883947 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA ** DISPUTED ** Multiple integer overflows in the lzo1x_decompress_safe function in lib/lzo/lzo1x_decompress_safe.c in the LZO decompressor in the Linux kernel before 3.15.2 allow context-dependent attackers to cause a denial of service (memory corruption) via a crafted Literal Run. NOTE: the author of the LZO algorithms says "the Linux kernel is *not* affected; media hype." Moderate CVE-2014-4608 SUSE bug 883948 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The do_uncompress function in g10/compress.c in GnuPG 1.x before 1.4.17 and 2.x before 2.0.24 allows context-dependent attackers to cause a denial of service (infinite loop) via malformed compressed packets, as demonstrated by an a3 01 5b ff byte sequence. Moderate CVE-2014-4617 SUSE bug 884130 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Moderate CVE-2014-4650 SUSE bug 885882 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Race condition in the tlv handler functionality in the snd_ctl_elem_user_tlv function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 allows local users to obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access. Low CVE-2014-4652 SUSE bug 883795 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not ensure possession of a read/write lock, which allows local users to cause a denial of service (use-after-free) and obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access. Moderate CVE-2014-4653 SUSE bug 883795 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The snd_ctl_elem_add function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not check authorization for SNDRV_CTL_IOCTL_ELEM_REPLACE commands, which allows local users to remove kernel controls and cause a denial of service (use-after-free and system crash) by leveraging /dev/snd/controlCX access for an ioctl call. Moderate CVE-2014-4654 SUSE bug 883795 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The snd_ctl_elem_add function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not properly maintain the user_ctl_count value, which allows local users to cause a denial of service (integer overflow and limit bypass) by leveraging /dev/snd/controlCX access for a large number of SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl calls. Moderate CVE-2014-4655 SUSE bug 883795 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple integer overflows in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 allow local users to cause a denial of service by leveraging /dev/snd/controlCX access, related to (1) index values in the snd_ctl_add function and (2) numid values in the snd_ctl_remove_numid_conflict function. Moderate CVE-2014-4656 SUSE bug 883795 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The sctp_association_free function in net/sctp/associola.c in the Linux kernel before 3.15.2 does not properly manage a certain backlog value, which allows remote attackers to cause a denial of service (socket outage) via a crafted SCTP packet. Moderate CVE-2014-4667 SUSE bug 885422 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in ext/spl/spl_dllist.c in the SPL component in PHP through 5.5.14 allows context-dependent attackers to cause a denial of service or possibly have unspecified other impact via crafted iterator usage within applications in certain web-hosting environments. Moderate CVE-2014-4670 SUSE bug 886059 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in ext/spl/spl_array.c in the SPL component in PHP through 5.5.14 allows context-dependent attackers to cause a denial of service or possibly have unspecified other impact via crafted ArrayIterator usage within applications in certain web-hosting environments. Moderate CVE-2014-4698 SUSE bug 886060 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved RIP address in the case of a system call that does not use IRET, which allows local users to leverage a race condition and gain privileges, or cause a denial of service (double fault), via a crafted application that makes ptrace and fork system calls. Moderate CVE-2014-4699 SUSE bug 885725 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The check_dhcp plugin in Nagios Plugins before 2.0.2 allows local users to obtain sensitive information from INI configuration files via the extra-opts flag, a different vulnerability than CVE-2014-4702. Low CVE-2014-4701 SUSE bug 885205 SUSE bug 885207 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The check_icmp plugin in Nagios Plugins before 2.0.2 allows local users to obtain sensitive information from INI configuration files via the extra-opts flag, a different vulnerability than CVE-2014-4701. Low CVE-2014-4702 SUSE bug 885207 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The phpinfo implementation in ext/standard/info.c in PHP before 5.4.30 and 5.5.x before 5.5.14 does not ensure use of the string data type for the PHP_AUTH_PW, PHP_AUTH_TYPE, PHP_AUTH_USER, and PHP_SELF variables, which might allow context-dependent attackers to obtain sensitive information from process memory by using the integer data type with crafted values, related to a "type confusion" vulnerability, as demonstrated by reading a private SSL key in an Apache HTTP Server web-hosting environment with mod_ssl and a PHP 5.3.x mod_php. Moderate CVE-2014-4721 SUSE bug 885961 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST response that references the same filename within two entries, one of which indicates that the filename is for a symlink. Important CVE-2014-4877 SUSE bug 902709 SUSE bug 910180 SUSE bug 911056 SUSE bug 915835 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The PPPoL2TP feature in net/l2tp/l2tp_ppp.c in the Linux kernel through 3.15.6 allows local users to gain privileges by leveraging data-structure differences between an l2tp socket and an inet socket. Important CVE-2014-4943 SUSE bug 887082 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The web interface in CUPS 1.7.4 allows local users in the lp group to read arbitrary files via a symlink attack on a file in /var/cache/cups/rss/ and language[0] set to null. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3537. CVE-2014-5029 SUSE bug 887240 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA CUPS before 2.0 allows local users to read arbitrary files via a symlink attack on (1) index.html, (2) index.class, (3) index.pl, (4) index.php, (5) index.pyc, or (6) index.py. CVE-2014-5030 SUSE bug 887240 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The web interface in CUPS before 2.0 does not check that files have world-readable permissions, which allows remote attackers to obtains sensitive information via unspecified vectors. CVE-2014-5031 SUSE bug 887240 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple integer overflows in libgfortran might allow remote attackers to execute arbitrary code or cause a denial of service (Fortran application crash) via vectors related to array allocation. Moderate CVE-2014-5044 SUSE bug 888791 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The sctp_assoc_update function in net/sctp/associola.c in the Linux kernel through 3.15.8, when SCTP authentication is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and OOPS) by starting to establish an association between two endpoints immediately after an exchange of INIT and INIT ACK chunks to establish an earlier association between these endpoints in the opposite direction. Important CVE-2014-5077 SUSE bug 889173 SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Low CVE-2014-5118 SUSE bug 1068390 SUSE bug 889339 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Off-by-one error in the __gconv_translit_find function in gconv_trans.c in GNU C Library (aka glibc) allows context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via vectors related to the CHARSET environment variable and gconv transliteration modules. Moderate CVE-2014-5119 SUSE bug 892073 SUSE bug 903057 SUSE bug 916222 SUSE bug 920055 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage data from exposed metal, a different vector than CVE-2013-4576. Moderate CVE-2014-5270 SUSE bug 892464 SUSE bug 920057 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13 sends old keys in a response to a -randkey -keepold request, which allows remote authenticated users to forge tickets by leveraging administrative access. Moderate CVE-2014-5351 SUSE bug 897874 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The krb5_gss_process_context_token function in lib/gssapi/krb5/process_context_token.c in the libgssapi_krb5 library in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 does not properly maintain security-context handles, which allows remote authenticated users to cause a denial of service (use-after-free and double free, and daemon crash) or possibly execute arbitrary code via crafted GSSAPI traffic, as demonstrated by traffic to kadmind. Moderate CVE-2014-5352 SUSE bug 1005509 SUSE bug 770172 SUSE bug 912002 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The krb5_ldap_get_password_policy_from_dn function in plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c in MIT Kerberos 5 (aka krb5) before 1.13.1, when the KDC uses LDAP, allows remote authenticated users to cause a denial of service (daemon crash) via a successful LDAP query with no results, as demonstrated by using an incorrect object type for a password policy. Low CVE-2014-5353 SUSE bug 910457 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x before 1.13.1, when the KDC uses LDAP, allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) by creating a database entry for a keyless principal, as demonstrated by a kadmin "add_principal -nokey" or "purgekeys -all" command. Low CVE-2014-5354 SUSE bug 910458 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA MIT Kerberos 5 (aka krb5) through 1.13.1 incorrectly expects that a krb5_read_message data field is represented as a string ending with a '\0' character, which allows remote attackers to (1) cause a denial of service (NULL pointer dereference) via a zero-byte version string or (2) cause a denial of service (out-of-bounds read) by omitting the '\0' character, related to appl/user_user/server.c and lib/krb5/krb/recvauth.c. Moderate CVE-2014-5355 SUSE bug 770172 SUSE bug 918595 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The PEAR_REST class in REST.php in PEAR in PHP through 5.6.0 allows local users to write to arbitrary files via a symlink attack on a (1) rest.cachefile or (2) rest.cacheid file in /tmp/pear/cache/, related to the retrieveCacheFirst and useLocalCache functions. Moderate CVE-2014-5459 SUSE bug 893849 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Stack consumption vulnerability in the parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel through 3.16.1 allows local users to cause a denial of service (uncontrolled recursion, and system crash or reboot) via a crafted iso9660 image with a CL entry referring to a directory entry that has a CL entry. Moderate CVE-2014-5471 SUSE bug 892490 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel through 3.16.1 allows local users to cause a denial of service (unkillable mount process) via a crafted iso9660 image with a self-referential CL entry. Moderate CVE-2014-5472 SUSE bug 892490 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA GNU C Library (aka glibc) before 2.20 allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via a multibyte character value of "0xffff" to the iconv function when converting (1) IBM933, (2) IBM935, (3) IBM937, (4) IBM939, or (5) IBM1364 encoded data to UTF-8. Moderate CVE-2014-6040 SUSE bug 894553 SUSE bug 903057 SUSE bug 916222 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in the MallocFrameBuffer function in vncviewer.c in LibVNCServer 0.9.9 and earlier allows remote VNC servers to cause a denial of service (crash) and possibly execute arbitrary code via an advertisement for a large screen size, which triggers a heap-based buffer overflow. Moderate CVE-2014-6051 SUSE bug 897031 SUSE bug 900896 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The HandleRFBServerMessage function in libvncclient/rfbproto.c in LibVNCServer 0.9.9 and earlier does not check certain malloc return values, which allows remote VNC servers to cause a denial of service (application crash) or possibly execute arbitrary code by specifying a large screen size in a (1) FramebufferUpdate, (2) ResizeFrameBuffer, or (3) PalmVNCReSizeFrameBuffer message. Moderate CVE-2014-6052 SUSE bug 897031 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The rfbProcessClientNormalMessage function in libvncserver/rfbserver.c in LibVNCServer 0.9.9 and earlier does not properly handle attempts to send a large amount of ClientCutText data, which allows remote attackers to cause a denial of service (memory consumption or daemon crash) via a crafted message that is processed by using a single unchecked malloc. Moderate CVE-2014-6053 SUSE bug 897031 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The rfbProcessClientNormalMessage function in libvncserver/rfbserver.c in LibVNCServer 0.9.9 and earlier allows remote attackers to cause a denial of service (divide-by-zero error and server crash) via a zero value in the scaling factor in a (1) PalmVNCSetScaleFactor or (2) SetScale message. Moderate CVE-2014-6054 SUSE bug 897031 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple stack-based buffer overflows in the File Transfer feature in rfbserver.c in LibVNCServer 0.9.9 and earlier allow remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via a (1) long file or (2) directory name or the (3) FileTime attribute in a rfbFileTransferOffer message. Moderate CVE-2014-6055 SUSE bug 897031 SUSE OpenStack Cloud 5 Multiple integer overflows in the http_request_forward_body function in proto_http.c in HAProxy 1.5-dev23 before 1.5.4 allow remote attackers to cause a denial of service (crash) via a large stream of data, which triggers a buffer overflow and an out-of-bounds read. Moderate CVE-2014-6269 SUSE bug 895849 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Off-by-one error in the snmpHandleUdp function in snmp_core.cc in Squid 2.x and 3.x, when an SNMP port is configured, allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted UDP SNMP request, which triggers a heap-based buffer overflow. Moderate CVE-2014-6270 SUSE bug 895773 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. Critical CVE-2014-6271 SUSE bug 1024628 SUSE bug 1130324 SUSE bug 870618 SUSE bug 896776 SUSE bug 898346 SUSE bug 898604 SUSE bug 898664 SUSE bug 898762 SUSE bug 898812 SUSE bug 898884 SUSE bug 900057 SUSE bug 900127 SUSE bug 900454 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple integer overflows in the evbuffer API in Libevent 1.4.x before 1.4.15, 2.0.x before 2.0.22, and 2.1.x before 2.1.5-beta allow context-dependent attackers to cause a denial of service or possibly have other unspecified impact via "insanely large inputs" to the (1) evbuffer_add, (2) evbuffer_expand, or (3) bufferevent_write function, which triggers a heap-based buffer overflow or an infinite loop. NOTE: this identifier has been SPLIT per ADT3 due to different affected versions. See CVE-2015-6525 for the functions that are only affected in 2.0 and later. Moderate CVE-2014-6272 SUSE bug 1041410 SUSE bug 897243 SUSE bug 943011 SUSE bug 947373 SUSE Linux Enterprise Server 11 SP3-TERADATA GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access, and untrusted-pointer read and write operations) via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271 and CVE-2014-7169. Important CVE-2014-6277 SUSE bug 898664 SUSE bug 898762 SUSE bug 898812 SUSE bug 898884 SUSE bug 900057 SUSE bug 900127 SUSE bug 900454 SUSE Linux Enterprise Server 11 SP3-TERADATA GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277. Important CVE-2014-6278 SUSE bug 898604 SUSE bug 898664 SUSE bug 898762 SUSE bug 898812 SUSE bug 898884 SUSE bug 900057 SUSE bug 900127 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The __udf_read_inode function in fs/udf/inode.c in the Linux kernel through 3.16.3 does not restrict the amount of ICB indirection, which allows physically proximate attackers to cause a denial of service (infinite loop or stack consumption) via a UDF filesystem with a crafted inode. Moderate CVE-2014-6410 SUSE bug 896689 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in the SDP dissector in Wireshark 1.10.x before 1.10.10 allows remote attackers to cause a denial of service (application crash) via a crafted packet that leverages split memory ownership between the SDP and RTP dissectors. Moderate CVE-2014-6421 SUSE bug 897055 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The SDP dissector in Wireshark 1.10.x before 1.10.10 creates duplicate hashtables for a media channel, which allows remote attackers to cause a denial of service (application crash) via a crafted packet to the RTP dissector. Moderate CVE-2014-6422 SUSE bug 897055 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The tvb_raw_text_add function in epan/dissectors/packet-megaco.c in the MEGACO dissector in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 allows remote attackers to cause a denial of service (infinite loop) via an empty line. Moderate CVE-2014-6423 SUSE bug 897055 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The dissect_v9_v10_pdu_data function in epan/dissectors/packet-netflow.c in the Netflow dissector in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 refers to incorrect offset and start variables, which allows remote attackers to cause a denial of service (uninitialized memory read and application crash) via a crafted packet. Moderate CVE-2014-6424 SUSE bug 897055 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Off-by-one error in the is_rtsp_request_or_reply function in epan/dissectors/packet-rtsp.c in the RTSP dissector in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 allows remote attackers to cause a denial of service (application crash) via a crafted packet that triggers parsing of a token located one position beyond the current position. Moderate CVE-2014-6427 SUSE bug 897055 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The dissect_spdu function in epan/dissectors/packet-ses.c in the SES dissector in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 does not initialize a certain ID value, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. Moderate CVE-2014-6428 SUSE bug 897055 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The SnifferDecompress function in wiretap/ngsniffer.c in the DOS Sniffer file parser in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 does not properly handle empty input data, which allows remote attackers to cause a denial of service (application crash) via a crafted file. Moderate CVE-2014-6429 SUSE bug 897055 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The SnifferDecompress function in wiretap/ngsniffer.c in the DOS Sniffer file parser in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 does not validate bitmask data, which allows remote attackers to cause a denial of service (application crash) via a crafted file. Moderate CVE-2014-6430 SUSE bug 897055 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in the SnifferDecompress function in wiretap/ngsniffer.c in the DOS Sniffer file parser in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 allows remote attackers to cause a denial of service (application crash) via a crafted file that triggers writes of uncompressed bytes beyond the end of the output buffer. Moderate CVE-2014-6431 SUSE bug 897055 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The SnifferDecompress function in wiretap/ngsniffer.c in the DOS Sniffer file parser in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 does not prevent data overwrites during copy operations, which allows remote attackers to cause a denial of service (application crash) via a crafted file. Moderate CVE-2014-6432 SUSE bug 897055 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u67 and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. Moderate CVE-2014-6456 SUSE bug 901239 SUSE bug 901242 SUSE bug 901246 SUSE bug 904889 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3, and R28.3.3 allows remote attackers to affect confidentiality and integrity via vectors related to JSSE. Moderate CVE-2014-6457 SUSE bug 901239 SUSE bug 901242 SUSE bug 901246 SUSE bug 904889 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. Moderate CVE-2014-6458 SUSE bug 901239 SUSE bug 901242 SUSE bug 901246 SUSE bug 904889 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier and 5.6.19 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:REPLICATION ROW FORMAT BINARY LOG DML. Moderate CVE-2014-6463 SUSE bug 901237 SUSE bug 915913 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:INNODB DML FOREIGN KEYS. Moderate CVE-2014-6464 SUSE bug 901237 SUSE bug 915912 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20, when running on Internet Explorer, allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. Moderate CVE-2014-6466 SUSE bug 901239 SUSE bug 901242 SUSE bug 901246 SUSE bug 904889 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:OPTIMIZER. Moderate CVE-2014-6469 SUSE bug 901237 SUSE bug 915912 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.6.19 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:MEMCACHED. Moderate CVE-2014-6474 SUSE bug 901237 SUSE bug 915913 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u67 and 8u20 allows remote attackers to affect integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2014-6527. Moderate CVE-2014-6476 SUSE bug 901239 SUSE bug 901242 SUSE bug 901246 SUSE bug 904889 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and 5.6.19 and earlier, allows remote attackers to affect integrity via vectors related to SERVER:SSL:yaSSL. Moderate CVE-2014-6478 SUSE bug 901237 SUSE bug 915913 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and 5.6.19 and earlier, allows remote authenticated users to affect availability via vectors related to SERVER:DML. Moderate CVE-2014-6484 SUSE bug 901237 SUSE bug 915913 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.6.19 and earlier allows remote authenticated users to affect integrity and availability via vectors related to SERVER:SP. Moderate CVE-2014-6489 SUSE bug 901237 SUSE bug 915913 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to SERVER:SSL:yaSSL, a different vulnerability than CVE-2014-6500. Moderate CVE-2014-6491 SUSE bug 901237 SUSE bug 915912 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20, when running on Firefox, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. Moderate CVE-2014-6492 SUSE bug 901239 SUSE bug 901242 SUSE bug 901246 SUSE bug 904889 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-4288, CVE-2014-6503, and CVE-2014-6532. Moderate CVE-2014-6493 SUSE bug 901239 SUSE bug 901242 SUSE bug 901246 SUSE bug 904889 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, and 5.6.20 and earlier, allows remote attackers to affect availability via vectors related to CLIENT:SSL:yaSSL, a different vulnerability than CVE-2014-6496. Moderate CVE-2014-6494 SUSE bug 901237 SUSE bug 915912 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and 5.6.19 and earlier, allows remote attackers to affect availability via vectors related to SERVER:SSL:yaSSL. Moderate CVE-2014-6495 SUSE bug 901237 SUSE bug 915913 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, and 5.6.20 and earlier, allows remote attackers to affect availability via vectors related to CLIENT:SSL:yaSSL, a different vulnerability than CVE-2014-6494. Moderate CVE-2014-6496 SUSE bug 901237 SUSE bug 915912 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, and 5.6.20 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to SERVER:SSL:yaSSL, a different vulnerability than CVE-2014-6491. Moderate CVE-2014-6500 SUSE bug 901237 SUSE bug 915912 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect integrity via unknown vectors related to Libraries. Moderate CVE-2014-6502 SUSE bug 901239 SUSE bug 901242 SUSE bug 901246 SUSE bug 904889 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-4288, CVE-2014-6493, and CVE-2014-6532. Moderate CVE-2014-6503 SUSE bug 901239 SUSE bug 901242 SUSE bug 901246 SUSE bug 904889 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and 5.6.19 and earlier, allows remote authenticated users to affect availability via vectors related to SERVER:MEMORY STORAGE ENGINE. Moderate CVE-2014-6505 SUSE bug 901237 SUSE bug 915913 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. Moderate CVE-2014-6506 SUSE bug 901239 SUSE bug 901242 SUSE bug 901246 SUSE bug 904889 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, and 5.6.20 and earlier, allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to SERVER:DML. Moderate CVE-2014-6507 SUSE bug 901237 SUSE bug 915912 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality via unknown vectors related to 2D. Moderate CVE-2014-6511 SUSE bug 901239 SUSE bug 901242 SUSE bug 901246 SUSE bug 904889 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3 and R28.3.3 allows remote attackers to affect integrity via unknown vectors related to Libraries. Moderate CVE-2014-6512 SUSE bug 901239 SUSE bug 901242 SUSE bug 901246 SUSE bug 904889 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT. Moderate CVE-2014-6513 SUSE bug 901239 SUSE bug 901242 SUSE bug 901246 SUSE bug 904889 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect integrity via unknown vectors related to Deployment. Moderate CVE-2014-6515 SUSE bug 901239 SUSE bug 901242 SUSE bug 901246 SUSE bug 904889 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:DDL. Moderate CVE-2014-6520 SUSE bug 901237 SUSE bug 915913 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u67 and 8u20 allows remote attackers to affect integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2014-6476. Moderate CVE-2014-6527 SUSE bug 901239 SUSE bug 901242 SUSE bug 901246 SUSE bug 904889 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and 5.6.19 and earlier, allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to CLIENT:MYSQLDUMP. Moderate CVE-2014-6530 SUSE bug 901237 SUSE bug 915913 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect confidentiality via unknown vectors related to Libraries. Moderate CVE-2014-6531 SUSE bug 901239 SUSE bug 901242 SUSE bug 901246 SUSE bug 904889 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-4288, CVE-2014-6493, and CVE-2014-6503. Moderate CVE-2014-6532 SUSE bug 901239 SUSE bug 901242 SUSE bug 901246 SUSE bug 904889 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier and 5.6.19 and earlier allows local users to affect confidentiality via vectors related to CLIENT:MYSQLADMIN. Moderate CVE-2014-6551 SUSE bug 901237 SUSE bug 915913 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to SERVER:DML. Moderate CVE-2014-6555 SUSE bug 901237 SUSE bug 915912 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3 and JRockit R28.3.3 allows remote attackers to affect integrity via unknown vectors related to Security. Moderate CVE-2014-6558 SUSE bug 901239 SUSE bug 901242 SUSE bug 901246 SUSE bug 904889 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, and 5.6.20 and earlier, allows remote attackers to affect confidentiality via vectors related to C API SSL CERTIFICATE HANDLING. Moderate CVE-2014-6559 SUSE bug 901237 SUSE bug 915912 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.6.19 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:INNODB FULLTEXT SEARCH DML. Moderate CVE-2014-6564 SUSE bug 901237 SUSE bug 915913 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier, and 5.6.21 and earlier, allows remote authenticated users to affect availability via vectors related to Server : InnoDB : DML. Moderate CVE-2014-6568 SUSE bug 914058 SUSE bug 915911 SUSE Linux Enterprise Server 11 SP3-TERADATA The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and crash) via a crafted type in an (1) ICMP or (2) ICMP6 packet. Low CVE-2014-7141 SUSE bug 1040640 SUSE bug 891268 SUSE bug 895773 SUSE Linux Enterprise Server 11 SP3-TERADATA The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (crash) via a crafted (1) ICMP or (2) ICMP6 packet size. Low CVE-2014-7142 SUSE bug 895773 SUSE bug 973782 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Race condition in HVMOP_track_dirty_vram in Xen 4.0.0 through 4.4.x does not ensure possession of the guarding lock for dirty video RAM tracking, which allows certain local guest domains to cause a denial of service via unspecified vectors. Moderate CVE-2014-7154 SUSE bug 880751 SUSE bug 895798 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The x86_emulate function in arch/x86/x86_emulate/x86_emulate.c in Xen 4.4.x and earlier does not properly check supervisor mode permissions, which allows local HVM users to cause a denial of service (guest crash) or gain guest kernel mode privileges via vectors involving an (1) HLT, (2) LGDT, (3) LIDT, or (4) LMSW instruction. Moderate CVE-2014-7155 SUSE bug 880751 SUSE bug 895799 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The x86_emulate function in arch/x86/x86_emulate/x86_emulate.c in Xen 3.3.x through 4.4.x does not check the supervisor mode permissions for instructions that generate software interrupts, which allows local HVM guest users to cause a denial of service (guest crash) via unspecified vectors. Moderate CVE-2014-7156 SUSE bug 880751 SUSE bug 895802 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271. Important CVE-2014-7169 SUSE bug 1024628 SUSE bug 1130324 SUSE bug 870618 SUSE bug 896776 SUSE bug 898346 SUSE bug 898664 SUSE bug 898762 SUSE bug 898812 SUSE bug 898884 SUSE bug 899266 SUSE bug 900057 SUSE bug 900127 SUSE bug 900454 SUSE bug 902237 SUSE bug 926146 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in bufferobject.c in Python before 2.7.8 allows context-dependent attackers to obtain sensitive information from process memory via a large size and offset in a "buffer" function. Moderate CVE-2014-7185 SUSE bug 898572 SUSE bug 913479 SUSE bug 955182 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The redirection implementation in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via crafted use of here documents, aka the "redir_stack" issue. Moderate CVE-2014-7186 SUSE bug 1024628 SUSE bug 898603 SUSE bug 898664 SUSE bug 898762 SUSE bug 898812 SUSE bug 898884 SUSE bug 900057 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Off-by-one error in the read_token_word function in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via deeply nested for loops, aka the "word_lineno" issue. Important CVE-2014-7187 SUSE bug 1024628 SUSE bug 898603 SUSE bug 898664 SUSE bug 898762 SUSE bug 898812 SUSE bug 898884 SUSE bug 900057 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The hvm_msr_read_intercept function in arch/x86/hvm/hvm.c in Xen 4.1 through 4.4.x uses an improper MSR range for x2APIC emulation, which allows local HVM guests to cause a denial of service (host crash) or read data from the hypervisor or other guests via unspecified vectors. Important CVE-2014-7188 SUSE bug 880751 SUSE bug 897657 SUSE bug 903970 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a SecurityManager protection mechanism via a web application that leverages use of incorrect privileges during EL evaluation. Moderate CVE-2014-7810 SUSE bug 931442 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The set_pixel_format function in ui/vnc.c in QEMU allows remote attackers to cause a denial of service (crash) via a small bytes_per_pixel value. Moderate CVE-2014-7815 SUSE bug 902737 SUSE bug 962627 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The wordexp function in GNU C Library (aka glibc) 2.21 does not enforce the WRDE_NOCMD flag, which allows context-dependent attackers to execute arbitrary commands, as demonstrated by input containing "$((`...`))". Moderate CVE-2014-7817 SUSE bug 906371 SUSE OpenStack Cloud 5 Multiple directory traversal vulnerabilities in server.rb in Sprockets before 2.0.5, 2.1.x before 2.1.4, 2.2.x before 2.2.3, 2.3.x before 2.3.3, 2.4.x before 2.4.6, 2.5.x before 2.5.1, 2.6.x and 2.7.x before 2.7.1, 2.8.x before 2.8.3, 2.9.x before 2.9.4, 2.10.x before 2.10.2, 2.11.x before 2.11.3, 2.12.x before 2.12.3, and 3.x before 3.0.0.beta.3, as distributed with Ruby on Rails 3.x and 4.x, allow remote attackers to determine the existence of files outside the application root via a ../ (dot dot slash) sequence with (1) double slashes or (2) URL encoding. Low CVE-2014-7819 SUSE bug 903658 SUSE Linux Enterprise Server 11 SP3 The implementation of certain splice_write file operations in the Linux kernel before 3.16 does not enforce a restriction on the maximum size of a single file, which allows local users to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted splice system call, as demonstrated by use of a file descriptor associated with an ext4 filesystem. Moderate CVE-2014-7822 SUSE bug 915322 SUSE bug 915517 SUSE bug 939240 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The virDomainGetXMLDesc API in Libvirt before 1.2.11 allows remote read-only users to obtain the VNC password by using the VIR_DOMAIN_XML_MIGRATABLE flag, which triggers the use of the VIR_DOMAIN_XML_SECURE flag. Low CVE-2014-7823 SUSE bug 904176 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA kernel/trace/trace_syscalls.c in the Linux kernel through 3.17.2 does not properly handle private syscall numbers during use of the ftrace subsystem, which allows local users to gain privileges or cause a denial of service (invalid pointer dereference) via a crafted application. Low CVE-2014-7826 SUSE bug 904012 SUSE bug 904013 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The host_from_stream_offset function in arch_init.c in QEMU, when loading RAM during migration, allows remote attackers to execute arbitrary code via a crafted (1) offset or (2) length value in savevm data. Moderate CVE-2014-7840 SUSE bug 905097 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The sctp_process_param function in net/sctp/sm_make_chunk.c in the SCTP implementation in the Linux kernel before 3.17.4, when ASCONF is used, allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via a malformed INIT chunk. Important CVE-2014-7841 SUSE bug 904899 SUSE bug 905100 SUSE Linux Enterprise Server 11 SP3 Race condition in arch/x86/kvm/x86.c in the Linux kernel before 3.17.4 allows guest OS users to cause a denial of service (guest OS crash) via a crafted application that performs an MMIO transaction or a PIO transaction to trigger a guest userspace emulation error report, a similar issue to CVE-2010-5313. Moderate CVE-2014-7842 SUSE bug 905312 SUSE bug 907822 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Moderate CVE-2014-7844 SUSE bug 909208 SUSE OpenStack Cloud 5 OpenStack Object Storage (Swift) before 2.2.0 allows remote authenticated users to bypass the max_meta_count and other metadata constraints via multiple crafted requests which exceed the limit when combined. Moderate CVE-2014-7960 SUSE bug 900253 SUSE bug 927793 SUSE Linux Enterprise Server 11 SP3 The pivot_root implementation in fs/namespace.c in the Linux kernel through 3.17 does not properly interact with certain locations of a chroot directory, which allows local users to cause a denial of service (mount-tree loop) via . (dot) values in both arguments to the pivot_root system call. Moderate CVE-2014-7970 SUSE bug 900644 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The REXML parser in Ruby 1.9.x before 1.9.3-p550, 2.0.x before 2.0.0-p594, and 2.1.x before 2.1.4 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document, aka an XML Entity Expansion (XEE) attack. Moderate CVE-2014-8080 SUSE bug 902851 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Race condition in the ext4_file_write_iter function in fs/ext4/file.c in the Linux kernel through 3.17 allows local users to cause a denial of service (file unavailability) via a combination of a write action and an F_SETFL fcntl operation for the O_DIRECT flag. Moderate CVE-2014-8086 SUSE bug 900881 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) a crafted XML document containing an empty string in an entity that is used in a large number of nested entity references, aka an XML Entity Expansion (XEE) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-1821 and CVE-2014-8080. Moderate CVE-2014-8090 SUSE bug 905326 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA X.Org X Window System (aka X11 and X) X11R5 and X.Org Server (aka xserver and xorg-server) before 1.16.3, when using SUN-DES-1 (Secure RPC) authentication credentials, does not check the return value of a malloc call, which allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a crafted connection request. Moderate CVE-2014-8091 SUSE bug 882226 SUSE bug 907268 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple integer overflows in X.Org X Window System (aka X11 or X) X11R1 and X.Org Server (aka xserver and xorg-server) before 1.16.3 allow remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a crafted request to the (1) ProcPutImage, (2) GetHosts, (3) RegionSizeof, or (4) REQUEST_FIXED_SIZE function, which triggers an out-of-bounds read or write. Moderate CVE-2014-8092 SUSE bug 1146596 SUSE bug 907268 SUSE bug 928520 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple integer overflows in the GLX extension in XFree86 4.0, X.Org X Window System (aka X11 or X) X11R6.7, and X.Org Server (aka xserver and xorg-server) before 1.16.3 allow remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a crafted request to the (1) __glXDisp_ReadPixels, (2) __glXDispSwap_ReadPixels, (3) __glXDisp_GetTexImage, (4) __glXDispSwap_GetTexImage, (5) GetSeparableFilter, (6) GetConvolutionFilter, (7) GetHistogram, (8) GetMinmax, (9) GetColorTable, (10) __glXGetAnswerBuffer, (11) __GLX_GET_ANSWER_BUFFER, (12) __glXMap1dReqSize, (13) __glXMap1fReqSize, (14) Map2Size, (15) __glXMap2dReqSize, (16) __glXMap2fReqSize, (17) __glXImageSize, or (18) __glXSeparableFilter2DReqSize function, which triggers an out-of-bounds read or write. Important CVE-2014-8093 SUSE bug 907268 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in the ProcDRI2GetBuffers function in the DRI2 extension in X.Org Server (aka xserver and xorg-server) 1.7.0 through 1.16.x before 1.16.3 allows remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a crafted request, which triggers an out-of-bounds read or write. Moderate CVE-2014-8094 SUSE bug 907268 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The XInput extension in X.Org X Window System (aka X11 or X) X11R4 and X.Org Server (aka xserver and xorg-server) before 1.16.3 allows remote authenticated users to cause a denial of service (out-of-bounds read or write) or possibly execute arbitrary code via a crafted length or index value to the (1) SProcXChangeDeviceControl, (2) ProcXChangeDeviceControl, (3) ProcXChangeFeedbackControl, (4) ProcXSendExtensionEvent, (5) SProcXIAllowEvents, (6) SProcXIChangeCursor, (7) ProcXIChangeHierarchy, (8) SProcXIGetClientPointer, (9) SProcXIGrabDevice, (10) SProcXIUngrabDevice, (11) ProcXIUngrabDevice, (12) SProcXIPassiveGrabDevice, (13) ProcXIPassiveGrabDevice, (14) SProcXIPassiveUngrabDevice, (15) ProcXIPassiveUngrabDevice, (16) SProcXListDeviceProperties, (17) SProcXDeleteDeviceProperty, (18) SProcXIListProperties, (19) SProcXIDeleteProperty, (20) SProcXIGetProperty, (21) SProcXIQueryDevice, (22) SProcXIQueryPointer, (23) SProcXISelectEvents, (24) SProcXISetClientPointer, (25) SProcXISetFocus, (26) SProcXIGetFocus, or (27) SProcXIWarpPointer function. Moderate CVE-2014-8095 SUSE bug 907268 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The SProcXCMiscGetXIDList function in the XC-MISC extension in X.Org X Window System (aka X11 or X) X11R6.0 and X.Org Server (aka xserver and xorg-server) before 1.16.3 allows remote authenticated users to cause a denial of service (out-of-bounds read or write) or possibly execute arbitrary code via a crafted length or index value. Moderate CVE-2014-8096 SUSE bug 907268 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The DBE extension in X.Org X Window System (aka X11 or X) X11R6.1 and X.Org Server (aka xserver and xorg-server) before 1.16.3 allows remote authenticated users to cause a denial of service (out-of-bounds read or write) or possibly execute arbitrary code via a crafted length or index value to the (1) ProcDbeSwapBuffers or (2) SProcDbeSwapBuffers function. Moderate CVE-2014-8097 SUSE bug 907268 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The GLX extension in XFree86 4.0, X.Org X Window System (aka X11 or X) X11R6.7, and X.Org Server (aka xserver and xorg-server) before 1.16.3 allows remote authenticated users to cause a denial of service (out-of-bounds read or write) or possibly execute arbitrary code via a crafted length or index value to the (1) __glXDisp_Render, (2) __glXDisp_RenderLarge, (3) __glXDispSwap_VendorPrivate, (4) __glXDispSwap_VendorPrivateWithReply, (5) set_client_info, (6) __glXDispSwap_SetClientInfoARB, (7) DoSwapInterval, (8) DoGetProgramString, (9) DoGetString, (10) __glXDispSwap_RenderMode, (11) __glXDisp_GetCompressedTexImage, (12) __glXDispSwap_GetCompressedTexImage, (13) __glXDisp_FeedbackBuffer, (14) __glXDispSwap_FeedbackBuffer, (15) __glXDisp_SelectBuffer, (16) __glXDispSwap_SelectBuffer, (17) __glXDisp_Flush, (18) __glXDispSwap_Flush, (19) __glXDisp_Finish, (20) __glXDispSwap_Finish, (21) __glXDisp_ReadPixels, (22) __glXDispSwap_ReadPixels, (23) __glXDisp_GetTexImage, (24) __glXDispSwap_GetTexImage, (25) __glXDisp_GetPolygonStipple, (26) __glXDispSwap_GetPolygonStipple, (27) __glXDisp_GetSeparableFilter, (28) __glXDisp_GetSeparableFilterEXT, (29) __glXDisp_GetConvolutionFilter, (30) __glXDisp_GetConvolutionFilterEXT, (31) __glXDisp_GetHistogram, (32) __glXDisp_GetHistogramEXT, (33) __glXDisp_GetMinmax, (34) __glXDisp_GetMinmaxEXT, (35) __glXDisp_GetColorTable, (36) __glXDisp_GetColorTableSGI, (37) GetSeparableFilter, (38) GetConvolutionFilter, (39) GetHistogram, (40) GetMinmax, or (41) GetColorTable function. Important CVE-2014-8098 SUSE bug 907268 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The XVideo extension in XFree86 4.0.0, X.Org X Window System (aka X11 or X) X11R6.7, and X.Org Server (aka xserver and xorg-server) before 1.16.3 allows remote authenticated users to cause a denial of service (out-of-bounds read or write) or possibly execute arbitrary code via a crafted length or index value to the (1) SProcXvQueryExtension, (2) SProcXvQueryAdaptors, (3) SProcXvQueryEncodings, (4) SProcXvGrabPort, (5) SProcXvUngrabPort, (6) SProcXvPutVideo, (7) SProcXvPutStill, (8) SProcXvGetVideo, (9) SProcXvGetStill, (10) SProcXvPutImage, (11) SProcXvShmPutImage, (12) SProcXvSelectVideoNotify, (13) SProcXvSelectPortNotify, (14) SProcXvStopVideo, (15) SProcXvSetPortAttribute, (16) SProcXvGetPortAttribute, (17) SProcXvQueryBestSize, (18) SProcXvQueryPortAttributes, (19) SProcXvQueryImageAttributes, or (20) SProcXvListImageFormats function. Moderate CVE-2014-8099 SUSE bug 907268 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The Render extension in XFree86 4.0.1, X.Org X Window System (aka X11 or X) X11R6.7, and X.Org Server (aka xserver and xorg-server) before 1.16.3 allows remote authenticated users to cause a denial of service (out-of-bounds read or write) or possibly execute arbitrary code via a crafted length or index value to the (1) ProcRenderQueryVersion, (2) SProcRenderQueryVersion, (3) SProcRenderQueryPictFormats, (4) SProcRenderQueryPictIndexValues, (5) SProcRenderCreatePicture, (6) SProcRenderChangePicture, (7) SProcRenderSetPictureClipRectangles, (8) SProcRenderFreePicture, (9) SProcRenderComposite, (10) SProcRenderScale, (11) SProcRenderCreateGlyphSet, (12) SProcRenderReferenceGlyphSet, (13) SProcRenderFreeGlyphSet, (14) SProcRenderFreeGlyphs, or (15) SProcRenderCompositeGlyphs function. Moderate CVE-2014-8100 SUSE bug 907268 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The RandR extension in XFree86 4.2.0, X.Org X Window System (aka X11 or X) X11R6.7, and X.Org Server (aka xserver and xorg-server) before 1.16.3 allows remote authenticated users to cause a denial of service (out-of-bounds read or write) or possibly execute arbitrary code via a crafted length or index value to the (1) SProcRRQueryVersion, (2) SProcRRGetScreenInfo, (3) SProcRRSelectInput, or (4) SProcRRConfigureOutputProperty function. Moderate CVE-2014-8101 SUSE bug 907268 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The SProcXFixesSelectSelectionInput function in the XFixes extension in X.Org X Window System (aka X11 or X) X11R6.8.0 and X.Org Server (aka xserver and xorg-server) before 1.16.3 allows remote authenticated users to cause a denial of service (out-of-bounds read or write) or possibly execute arbitrary code via a crafted length value. Moderate CVE-2014-8102 SUSE bug 907268 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA OpenVPN 2.x before 2.0.11, 2.1.x, 2.2.x before 2.2.3, and 2.3.x before 2.3.6 allows remote authenticated users to cause a denial of service (server crash) via a small control channel packet. Moderate CVE-2014-8104 SUSE bug 907764 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Heap-based buffer overflow in the Cirrus VGA emulator (hw/display/cirrus_vga.c) in QEMU before 2.2.0 allows local guest users to execute arbitrary code via vectors related to blit regions. NOTE: this vulnerability exists because an incomplete fix for CVE-2007-1320. Moderate CVE-2014-8106 SUSE bug 1023004 SUSE bug 907805 SUSE Linux Enterprise Server 11 SP3-TERADATA Apache Tomcat Connectors (mod_jk) before 1.2.41 ignores JkUnmount rules for subtrees of previous JkMount rules, which allows remote attackers to access otherwise restricted artifacts via unspecified vectors. Moderate CVE-2014-8111 SUSE bug 927845 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in RPM 4.12 and earlier allows remote attackers to execute arbitrary code via a crafted CPIO header in the payload section of an RPM file, which triggers a stack-based buffer overflow. Important CVE-2014-8118 SUSE bug 1101137 SUSE bug 906803 SUSE bug 908128 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The find_ifcfg_path function in netcf before 0.2.7 might allow attackers to cause a denial of service (application crash) via vectors involving augeas path expressions. Important CVE-2014-8119 SUSE bug 925225 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA DB_LOOKUP in nss_files/files-XXX.c in the Name Service Switch (NSS) in GNU C Library (aka glibc or libc6) 2.21 and earlier does not properly check if a file is open, which allows remote attackers to cause a denial of service (infinite loop) by performing a look-up on a database while iterating over it, which triggers the file pointer to be reset. Moderate CVE-2014-8121 SUSE bug 918187 SUSE bug 939211 SUSE bug 945779 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA LibTIFF 4.0.3 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted TIFF image to the (1) checkInkNamesString function in tif_dir.c in the thumbnail tool, (2) compresscontig function in tiff2bw.c in the tiff2bw tool, (3) putcontig8bitCIELab function in tif_getimage.c in the tiff2rgba tool, LZWPreDecode function in tif_lzw.c in the (4) tiff2ps or (5) tiffdither tool, (6) NeXTDecode function in tif_next.c in the tiffmedian tool, or (7) TIFFWriteDirectoryTagLongLong8Array function in tif_dirwrite.c in the tiffset tool. Low CVE-2014-8127 SUSE bug 914890 SUSE bug 916925 SUSE bug 942690 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Moderate CVE-2014-8128 SUSE bug 1007276 SUSE bug 1017690 SUSE bug 1040322 SUSE bug 914890 SUSE bug 916925 SUSE bug 942690 SUSE bug 960341 SUSE bug 974621 SUSE bug 983436 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA LibTIFF 4.0.3 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact via a crafted TIFF image, as demonstrated by failure of tif_next.c to verify that the BitsPerSample value is 2, and the t2p_sample_lab_signed_to_unsigned function in tiff2pdf.c. Moderate CVE-2014-8129 SUSE bug 914890 SUSE bug 916925 SUSE bug 942690 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The _TIFFmalloc function in tif_unix.c in LibTIFF 4.0.3 does not reject a zero size, which allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted TIFF image that is mishandled by the TIFFWriteScanline function in tif_write.c, as demonstrated by tiffdither. Low CVE-2014-8130 SUSE bug 914890 SUSE bug 916925 SUSE bug 942690 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA arch/x86/kernel/tls.c in the Thread Local Storage (TLS) implementation in the Linux kernel through 3.18.1 allows local users to bypass the espfix protection mechanism, and consequently makes it easier for local users to bypass the ASLR protection mechanism, via a crafted application that makes a set_thread_area system call and later reads a 16-bit value. Moderate CVE-2014-8133 SUSE bug 817142 SUSE bug 906545 SUSE bug 907818 SUSE bug 909077 SUSE bug 923485 SUSE Linux Enterprise Server 11 SP3 The paravirt_ops_setup function in arch/x86/kernel/kvm.c in the Linux kernel through 3.18 uses an improper paravirt_enabled setting for KVM guest kernels, which makes it easier for guest OS users to bypass the ASLR protection mechanism via a crafted application that reads a 16-bit value. Moderate CVE-2014-8134 SUSE bug 907818 SUSE bug 909077 SUSE bug 909078 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Double free vulnerability in the jas_iccattrval_destroy function in JasPer 1.900.1 and earlier allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted ICC color profile in a JPEG 2000 image file. Moderate CVE-2014-8137 SUSE bug 909474 SUSE bug 909475 SUSE bug 911837 SUSE bug 968373 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the jp2_decode function in JasPer 1.900.1 and earlier allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted JPEG 2000 file. Moderate CVE-2014-8138 SUSE bug 909474 SUSE bug 909475 SUSE bug 911837 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Moderate CVE-2014-8139 SUSE bug 909214 SUSE bug 915880 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Moderate CVE-2014-8140 SUSE bug 909214 SUSE bug 914442 SUSE bug 915880 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Moderate CVE-2014-8141 SUSE bug 909214 SUSE bug 915880 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys within the serialized properties of an object, a different vulnerability than CVE-2004-1019. Low CVE-2014-8142 SUSE bug 910659 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA CRLF injection vulnerability in libcurl 6.0 through 7.x before 7.40.0, when using an HTTP proxy, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in a URL. Moderate CVE-2014-8150 SUSE bug 911363 SUSE bug 951391 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA GnuTLS before 2.9.10 does not verify the activation and expiration dates of CA certificates, which allows man-in-the-middle attackers to spoof servers via a certificate issued by a CA certificate that is (1) not yet valid or (2) no longer valid. Moderate CVE-2014-8155 SUSE bug 920366 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The InfiniBand (IB) implementation in the Linux kernel package before 2.6.32-504.12.2 on Red Hat Enterprise Linux (RHEL) 6 does not properly restrict use of User Verbs for registration of memory regions, which allows local users to access arbitrary physical memory locations, and consequently cause a denial of service (system crash) or gain privileges, by leveraging permissions on a uverbs device under /dev/infiniband/. Moderate CVE-2014-8159 SUSE bug 903967 SUSE bug 914742 SUSE bug 939241 SUSE Linux Enterprise Server 11 SP3 net/netfilter/nf_conntrack_proto_generic.c in the Linux kernel before 3.18 generates incorrect conntrack entries during handling of certain iptables rule sets for the SCTP, DCCP, GRE, and UDP-Lite protocols, which allows remote attackers to bypass intended access restrictions via packets with disallowed port numbers. Moderate CVE-2014-8160 SUSE bug 857643 SUSE bug 913059 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Moderate CVE-2014-8161 SUSE bug 916953 SUSE Linux Enterprise Server 11 SP3-TERADATA A vulnerability was found in liblouis, versions 2.5.x before 2.5.4. A stack-based buffer overflow was found in findTable() in liblouis. An attacker could create a malicious file that would cause applications that use liblouis (such as Orca) to crash, or potentially execute arbitrary code when opened. Moderate CVE-2014-8184 SUSE bug 1056088 SUSE bug 1056090 SUSE bug 1056093 SUSE bug 1056095 SUSE bug 1056105 SUSE bug 1062458 SUSE bug 1067336 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA librsync before 1.0.0 uses a truncated MD4 checksum to match blocks, which makes it easier for remote attackers to modify transmitted data via a birthday attack. Low CVE-2014-8242 SUSE bug 900914 SUSE bug 922710 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not enforce certain constraints on certificate data, which allows remote attackers to defeat a fingerprint-based certificate-blacklist protection mechanism by including crafted data within a certificate's unsigned portion, related to crypto/asn1/a_verify.c, crypto/dsa/dsa_asn1.c, crypto/ecdsa/ecs_vrf.c, and crypto/x509/x_all.c. Moderate CVE-2014-8275 SUSE bug 911906 SUSE bug 912018 SUSE bug 920339 SUSE bug 927623 SUSE bug 937891 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The HorizontalFilter function in resize.c in ImageMagick before 6.8.9-9 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted image file. Low CVE-2014-8354 SUSE bug 903204 SUSE bug 903638 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA PCX parser code in ImageMagick before 6.8.9-9 allows remote attackers to cause a denial of service (out-of-bounds read). Low CVE-2014-8355 SUSE bug 903216 SUSE bug 903638 SUSE Linux Enterprise Server 11 SP3 The kvm_iommu_map_pages function in virt/kvm/iommu.c in the Linux kernel through 3.17.2 miscalculates the number of pages during the handling of a mapping failure, which allows guest OS users to cause a denial of service (host OS page unpinning) or possibly have unspecified other impact by leveraging guest OS privileges. NOTE: this vulnerability exists because of an incorrect fix for CVE-2014-3601. Moderate CVE-2014-8369 SUSE bug 892782 SUSE bug 902675 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The srec_scan function in bfd/srec.c in libdbfd in GNU binutils before 2.25 allows remote attackers to cause a denial of service (out-of-bounds read) via a small S-record. Moderate CVE-2014-8484 SUSE bug 902676 SUSE bug 902677 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The setup_group function in bfd/elf.c in libbfd in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted section group headers in an ELF file. Moderate CVE-2014-8485 SUSE bug 902676 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA ISC BIND 9.0.x through 9.8.x, 9.9.0 through 9.9.6, and 9.10.0 through 9.10.1 does not limit delegation chaining, which allows remote attackers to cause a denial of service (memory consumption and named crash) via a large or infinite number of referrals. Moderate CVE-2014-8500 SUSE bug 908994 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The _bfd_XXi_swap_aouthdr_in function in bfd/peXXigen.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) and possibly have other unspecified impact via a crafted NumberOfRvaAndSizes field in the AOUT header in a PE executable. Moderate CVE-2014-8501 SUSE bug 903655 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the pe_print_edata function in bfd/peXXigen.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly have other unspecified impact via a truncated export table in a PE file. Moderate CVE-2014-8502 SUSE bug 903655 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Stack-based buffer overflow in the ihex_scan function in bfd/ihex.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly have other unspecified impact via a crafted ihex file. Moderate CVE-2014-8503 SUSE bug 903655 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Stack-based buffer overflow in the srec_scan function in bfd/srec.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly have other unspecified impact via a crafted file. Moderate CVE-2014-8504 SUSE bug 903655 SUSE Linux Enterprise Server 11 SP3 The d_walk function in fs/dcache.c in the Linux kernel through 3.17.2 does not properly maintain the semantics of rename_lock, which allows local users to cause a denial of service (deadlock and system hang) via a crafted application. Moderate CVE-2014-8559 SUSE bug 903640 SUSE bug 915517 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA DCM decode in ImageMagick before 6.8.9-9 allows remote attackers to cause a denial of service (out-of-bounds read). Moderate CVE-2014-8562 SUSE bug 903638 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The do_mmu_update function in arch/x86/mm.c in Xen 4.x through 4.4.x does not properly restrict updates to only PV page tables, which allows remote PV guests to cause a denial of service (NULL pointer dereference) by leveraging hardware emulation services for HVM guests using Hardware Assisted Paging (HAP). Moderate CVE-2014-8594 SUSE bug 903967 SUSE bug 903970 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA arch/x86/x86_emulate/x86_emulate.c in Xen 3.2.1 through 4.4.x does not properly check privileges, which allows local HVM guest users to gain privileges or cause a denial of service (crash) via a crafted (1) CALL, (2) JMP, (3) RETF, (4) LCALL, (5) LJMP, or (6) LRET far branch instruction. Moderate CVE-2014-8595 SUSE bug 903970 SUSE bug 907649 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, Thunderbird before 31.4, and SeaMonkey before 2.32 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Moderate CVE-2014-8634 SUSE bug 913064 SUSE bug 913096 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with a DOM object that has a named getter, which might allow remote attackers to execute arbitrary JavaScript code with chrome privileges via unspecified vectors. Moderate CVE-2014-8636 SUSE bug 913096 SUSE bug 913102 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Mozilla Firefox before 35.0 and SeaMonkey before 2.32 do not properly initialize memory for BMP images, which allows remote attackers to obtain sensitive information from process memory via a crafted web page that triggers the rendering of malformed BMP data within a CANVAS element. Moderate CVE-2014-8637 SUSE bug 913096 SUSE bug 913103 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The navigator.sendBeacon implementation in Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, Thunderbird before 31.4, and SeaMonkey before 2.32 omits the CORS Origin header, which allows remote attackers to bypass intended CORS access-control checks and conduct cross-site request forgery (CSRF) attacks via a crafted web site. Moderate CVE-2014-8638 SUSE bug 913068 SUSE bug 913096 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, Thunderbird before 31.4, and SeaMonkey before 2.32 do not properly interpret Set-Cookie headers within responses that have a 407 (aka Proxy Authentication Required) status code, which allows remote HTTP proxy servers to conduct session fixation attacks by providing a cookie name that corresponds to the session cookie of the origin server. Moderate CVE-2014-8639 SUSE bug 913066 SUSE bug 913096 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The mozilla::dom::AudioParamTimeline::AudioNodeInputValue function in the Web Audio API implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly restrict timeline operations, which allows remote attackers to cause a denial of service (uninitialized-memory read and application crash) via crafted API calls. Moderate CVE-2014-8640 SUSE bug 913096 SUSE bug 913104 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in the WebRTC implementation in Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, and SeaMonkey before 2.32 allows remote attackers to execute arbitrary code via crafted track data. Moderate CVE-2014-8641 SUSE bug 913067 SUSE bug 913096 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The KDE Clock KCM policykit helper in kde-workspace before 4.11.14 and plasma-desktop before 5.1.1 allows local users to gain privileges via a crafted ntpUtility (ntp utility name) argument. Low CVE-2014-8651 SUSE bug 904625 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The ieee80211_fragment function in net/mac80211/tx.c in the Linux kernel before 3.13.5 does not properly maintain a certain tail pointer, which allows remote attackers to obtain sensitive cleartext information by reading packets. Important CVE-2014-8709 SUSE bug 904700 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The decompress_sigcomp_message function in epan/sigcomp-udvm.c in the SigComp UDVM dissector in Wireshark 1.10.x before 1.10.11 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted packet. Moderate CVE-2014-8710 SUSE bug 905246 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple integer overflows in epan/dissectors/packet-amqp.c in the AMQP dissector in Wireshark 1.10.x before 1.10.11 and 1.12.x before 1.12.2 allow remote attackers to cause a denial of service (application crash) via a crafted amqp_0_10 PDU in a packet. Moderate CVE-2014-8711 SUSE bug 905245 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The build_expert_data function in epan/dissectors/packet-ncp2222.inc in the NCP dissector in Wireshark 1.10.x before 1.10.11 and 1.12.x before 1.12.2 does not properly initialize a data structure, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. Moderate CVE-2014-8712 SUSE bug 905248 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Stack-based buffer overflow in the build_expert_data function in epan/dissectors/packet-ncp2222.inc in the NCP dissector in Wireshark 1.10.x before 1.10.11 and 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (application crash) via a crafted packet. Moderate CVE-2014-8713 SUSE bug 905248 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The dissect_write_structured_field function in epan/dissectors/packet-tn5250.c in the TN5250 dissector in Wireshark 1.10.x before 1.10.11 and 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (infinite loop) via a crafted packet. Moderate CVE-2014-8714 SUSE bug 905247 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The JPEG decoder in ImageMagick before 6.8.9-9 allows local users to cause a denial of service (out-of-bounds memory access and crash). Moderate CVE-2014-8716 SUSE bug 905260 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple directory traversal vulnerabilities in GNU binutils 2.24 and earlier allow local users to delete arbitrary files via a .. (dot dot) or full path name in an archive to (1) strip or (2) objcopy or create arbitrary files via (3) a .. (dot dot) or full path name in an archive to ar. Moderate CVE-2014-8737 SUSE bug 905736 SUSE bug 912408 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The _bfd_slurp_extended_name_table function in bfd/archive.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (invalid write, segmentation fault, and crash) via a crafted extended name table in an archive. Moderate CVE-2014-8738 SUSE bug 905735 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer underflow in the olsr_print function in tcpdump 3.9.6 through 4.6.2, when in verbose mode, allows remote attackers to cause a denial of service (crash) via a crafted length value in an OLSR frame. Low CVE-2014-8767 SUSE bug 905870 SUSE bug 905871 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA tcpdump 3.8 through 4.6.2 might allow remote attackers to obtain sensitive information from memory or cause a denial of service (packet loss or segmentation fault) via a crafted Ad hoc On-Demand Distance Vector (AODV) packet, which triggers an out-of-bounds memory access. Low CVE-2014-8769 SUSE bug 905871 SUSE bug 905872 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The compatibility mode hypercall argument translation in Xen 3.3.x through 4.4.x, when running on a 64-bit hypervisor, allows local 32-bit HVM guests to cause a denial of service (host crash) via vectors involving altering the high halves of registers while in 64-bit mode. Moderate CVE-2014-8866 SUSE bug 903970 SUSE bug 905465 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The acceleration support for the "REP MOVS" instruction in Xen 4.4.x, 3.2.x, and earlier lacks properly bounds checking for memory mapped I/O (MMIO) emulated in the hypervisor, which allows local HVM guests to cause a denial of service (host crash) via unspecified vectors. Moderate CVE-2014-8867 SUSE bug 903970 SUSE bug 905467 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Stack-based buffer overflow in the ttusbdecfe_dvbs_diseqc_send_master_cmd function in drivers/media/usb/ttusb-dec/ttusbdecfe.c in the Linux kernel before 3.17.4 allows local users to cause a denial of service (system crash) or possibly gain privileges via a large message length in an ioctl call. Moderate CVE-2014-8884 SUSE bug 904876 SUSE bug 905522 SUSE bug 905739 SUSE bug 905744 SUSE bug 905748 SUSE bug 905764 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Virtual Machine (JVM) in IBM SDK, Java Technology Edition 5.0 before SR16-FP9, 6 before SR16-FP3, 6R1 before SR8-FP3, 7 before SR8-FP10, and 7R1 before SR2-FP10 allows remote attackers to escape the Java sandbox and execute arbitrary code via unspecified vectors related to the security manager. Moderate CVE-2014-8891 SUSE bug 916266 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java Virtual Machine (JVM) in IBM SDK, Java Technology Edition 5.0 before SR16-FP9, 6 before SR16-FP3, 6R1 before SR8-FP3, 7 before SR8-FP10, and 7R1 before SR2-FP10 allows remote attackers to bypass intended access permissions and obtain sensitive information via unspecified vectors related to the security manager. Moderate CVE-2014-8892 SUSE bug 916265 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Stack-based buffer overflow in stream_decoder.c in libFLAC before 1.3.1 allows remote attackers to execute arbitrary code via a crafted .flac file. Moderate CVE-2014-8962 SUSE bug 906831 SUSE bug 907764 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in stream_decoder.c in libFLAC before 1.3.1 allows remote attackers to execute arbitrary code via a crafted .flac file. Moderate CVE-2014-9028 SUSE bug 907016 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple off-by-one errors in the (1) jpc_dec_cp_setfromcox and (2) jpc_dec_cp_setfromrgn functions in jpc/jpc_dec.c in JasPer 1.900.1 and earlier allow remote attackers to execute arbitrary code via a crafted jp2 file, which triggers a heap-based buffer overflow. Moderate CVE-2014-9029 SUSE bug 906364 SUSE bug 909474 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The do_mmu_update function in arch/x86/mm.c in Xen 3.2.x through 4.4.x does not properly manage page references, which allows remote domains to cause a denial of service by leveraging control over an HVM guest and a crafted MMU_MACHPHYS_UPDATE. Moderate CVE-2014-9030 SUSE bug 903970 SUSE bug 906439 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the cli_scanpe function in libclamav/pe.c in ClamAV before 0.98.5 allows remote attackers to cause a denial of service (crash) via a crafted y0da Crypter PE file. Moderate CVE-2014-9050 SUSE bug 1040662 SUSE bug 906770 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer underflow in the ksba_oid_to_str function in Libksba before 1.3.2, as used in GnuPG, allows remote attackers to cause a denial of service (crash) via a crafted OID in a (1) S/MIME message or (2) ECC based OpenPGP data, which triggers a buffer overflow. Moderate CVE-2014-9087 SUSE bug 907074 SUSE bug 926826 SUSE bug 996084 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The do_double_fault function in arch/x86/kernel/traps.c in the Linux kernel through 3.17.4 does not properly handle faults associated with the Stack Segment (SS) segment register, which allows local users to cause a denial of service (panic) via a modify_ldt system call, as demonstrated by sigreturn_32 in the linux-clock-tests test suite. Moderate CVE-2014-9090 SUSE bug 817142 SUSE bug 907818 SUSE bug 909077 SUSE bug 910251 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the process_copy_in function in GNU Cpio 2.11 allows remote attackers to cause a denial of service via a large block value in a cpio archive. Moderate CVE-2014-9112 SUSE bug 907456 SUSE bug 913479 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Blkid in util-linux before 2.26rc-1 allows local users to execute arbitrary code. Moderate CVE-2014-9114 SUSE bug 888678 SUSE bug 906725 SUSE bug 907434 SUSE bug 908742 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The write_one_header function in mutt 1.5.23 does not properly handle newline characters at the beginning of a header, which allows remote attackers to cause a denial of service (crash) via a header with an empty body, which triggers a heap-based buffer overflow in the mutt_substrdup function. Moderate CVE-2014-9116 SUSE bug 907453 SUSE OpenStack Cloud 5 scanner.c in LibYAML 0.1.5 and 0.1.6, as used in the YAML-LibYAML (aka YAML-XS) module for Perl, allows context-dependent attackers to cause a denial of service (assertion failure and crash) via vectors involving line-wrapping. Moderate CVE-2014-9130 SUSE bug 907809 SUSE bug 911782 SUSE bug 921588 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in the ppp_hdlc function in print-ppp.c in tcpdump 4.6.2 and earlier allows remote attackers to cause a denial of service (crash) cia a crafted PPP packet. Moderate CVE-2014-9140 SUSE bug 923142 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The config_auth function in ntpd in NTP before 4.2.7p11, when an auth key is not configured, improperly generates a key, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack. Important CVE-2014-9293 SUSE bug 910764 SUSE bug 911792 SUSE bug 959243 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA util/ntp-keygen.c in ntp-keygen in NTP before 4.2.7p230 uses a weak RNG seed, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack. Important CVE-2014-9294 SUSE bug 910764 SUSE bug 911792 SUSE bug 959243 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple stack-based buffer overflows in ntpd in NTP before 4.2.8 allow remote attackers to execute arbitrary code via a crafted packet, related to (1) the crypto_recv function when the Autokey Authentication feature is used, (2) the ctl_putdata function, and (3) the configure function. Important CVE-2014-9295 SUSE bug 883859 SUSE bug 910764 SUSE bug 911792 SUSE bug 912826 SUSE bug 916239 SUSE bug 959243 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-9750, CVE-2014-9751. Reason: this ID was intended for one issue, but was associated with two issues. Notes: All CVE users should consult CVE-2014-9750 and CVE-2014-9751 to identify the ID or IDs of interest. All references and descriptions in this candidate have been removed to prevent accidental usage. Moderate CVE-2014-9297 SUSE bug 911792 SUSE bug 948963 SUSE bug 959243 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-9750, CVE-2014-9751. Reason: this ID was intended for one issue, but was associated with two issues. Notes: All CVE users should consult CVE-2014-9750 and CVE-2014-9751 to identify the ID or IDs of interest. All references and descriptions in this candidate have been removed to prevent accidental usage. Moderate CVE-2014-9298 SUSE bug 911792 SUSE bug 948963 SUSE bug 959243 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA arch/x86/kernel/entry_64.S in the Linux kernel before 3.17.5 does not properly handle faults associated with the Stack Segment (SS) segment register, which allows local users to gain privileges by triggering an IRET instruction that leads to access to a GS Base address from the wrong space. Important CVE-2014-9322 SUSE bug 817142 SUSE bug 910251 SUSE bug 923485 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA ClamAV before 0.98.6 allows remote attackers to have unspecified impact via a crafted upack packer file, related to a "heap out of bounds condition." Moderate CVE-2014-9328 SUSE bug 1040662 SUSE bug 915512 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The nss_dns implementation of getnetbyname in GNU C Library (aka glibc) before 2.21, when the DNS backend in the Name Service Switch configuration is enabled, allows remote attackers to cause a denial of service (infinite loop) by sending a positive answer while a network name is being process. Low CVE-2014-9402 SUSE bug 910599 SUSE Linux Enterprise Server 11 SP3 The __switch_to function in arch/x86/kernel/process_64.c in the Linux kernel through 3.18.1 does not ensure that Thread Local Storage (TLS) descriptors are loaded before proceeding with other steps, which makes it easier for local users to bypass the ASLR protection mechanism via a crafted application that reads a TLS base address. Low CVE-2014-9419 SUSE bug 911326 SUSE Linux Enterprise Server 11 SP3 The rock_continue function in fs/isofs/rock.c in the Linux kernel through 3.18.1 does not restrict the number of Rock Ridge continuation entries, which allows local users to cause a denial of service (infinite loop, and system crash or hang) via a crafted iso9660 image. Moderate CVE-2014-9420 SUSE bug 906545 SUSE bug 911325 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The auth_gssapi_unwrap_data function in lib/rpc/auth_gssapi_misc.c in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 does not properly handle partial XDR deserialization, which allows remote authenticated users to cause a denial of service (use-after-free and double free, and daemon crash) or possibly execute arbitrary code via malformed XDR data, as demonstrated by data sent to kadmind. Moderate CVE-2014-9421 SUSE bug 1005509 SUSE bug 770172 SUSE bug 912002 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The check_rpcsec_auth function in kadmin/server/kadm_rpc_svc.c in kadmind in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 allows remote authenticated users to bypass a kadmin/* authorization check and obtain administrative access by leveraging access to a two-component principal with an initial "kadmind" substring, as demonstrated by a "ka/x" principal. Moderate CVE-2014-9422 SUSE bug 1005509 SUSE bug 770172 SUSE bug 912002 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The svcauth_gss_accept_sec_context function in lib/rpc/svc_auth_gss.c in MIT Kerberos 5 (aka krb5) 1.11.x through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 transmits uninitialized interposer data to clients, which allows remote attackers to obtain sensitive information from process heap memory by sniffing the network for data in a handle field. Moderate CVE-2014-9423 SUSE bug 1005509 SUSE bug 912002 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Directory traversal vulnerability in the read_long_names function in libelf/elf_begin.c in elfutils 0.152 and 0.161 allows remote attackers to write to arbitrary files to the root directory via a / (slash) in a crafted archive, as demonstrated using the ar program. Moderate CVE-2014-9447 SUSE bug 911662 SUSE bug 912408 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted date string, as demonstrated by the "--date=TZ="123"345" @1" string to the touch or date command. Moderate CVE-2014-9471 SUSE bug 911832 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in the mpfr_strtofr function in GNU MPFR before 3.1.2-p11 allows context-dependent attackers to have unspecified impact via vectors related to incorrect documentation for mpn_set_str. Low CVE-2014-9474 SUSE bug 911812 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The sd2_parse_rsrc_fork function in sd2.c in libsndfile allows attackers to have unspecified impact via vectors related to a (1) map offset or (2) rsrc marker, which triggers an out-of-bounds read. Moderate CVE-2014-9496 SUSE bug 911796 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA rsync 3.1.1 allows remote attackers to write to arbitrary files via a symlink attack on a file in the synchronization path. Moderate CVE-2014-9512 SUSE bug 915410 SUSE bug 960191 SUSE Linux Enterprise Server 11 SP3 Race condition in the key_gc_unused_keys function in security/keys/gc.c in the Linux kernel through 3.18.2 allows local users to cause a denial of service (memory corruption or panic) or possibly have unspecified other impact via keyctl commands that trigger access to a key structure member during garbage collection of a key. Moderate CVE-2014-9529 SUSE bug 912202 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in the qtmd_decompress function in libmspack 0.4 allows remote attackers to cause a denial of service (hang) via a crafted CAB file, which triggers an infinite loop. Moderate CVE-2014-9556 SUSE bug 912214 SUSE bug 919283 SUSE bug 934533 SUSE Linux Enterprise Server 11 SP3 The parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel before 3.18.2 does not validate a length value in the Extensions Reference (ER) System Use Field, which allows local users to obtain sensitive information from kernel memory via a crafted iso9660 image. Moderate CVE-2014-9584 SUSE bug 912654 SUSE Linux Enterprise Server 11 SP3 The vdso_addr function in arch/x86/vdso/vma.c in the Linux kernel through 3.18.2 does not properly choose memory locations for the vDSO area, which makes it easier for local users to bypass the ASLR protection mechanism by guessing a location at the end of a PMD. Important CVE-2014-9585 SUSE bug 912705 SUSE OpenStack Cloud 5 Pillow before 2.7.0 allows remote attackers to cause a denial of service via a compressed text chunk in a PNG image that has a large size when it is decompressed. Low CVE-2014-9601 SUSE bug 921566 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA unzip 6.0 allows remote attackers to cause a denial of service (out-of-bounds read or write and crash) via an extra field with an uncompressed size smaller than the compressed field size in a zip archive that advertises STORED method compression. Moderate CVE-2014-9636 SUSE bug 914442 SUSE bug 915880 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA GNU patch 2.7.2 and earlier allows remote attackers to cause a denial of service (memory consumption and segmentation fault) via a crafted diff file. Low CVE-2014-9637 SUSE bug 1059698 SUSE bug 1101128 SUSE bug 914891 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The mconvert function in softmagic.c in file before 5.21, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not properly handle a certain string-length field during a copy of a truncated version of a Pascal string, which might allow remote attackers to cause a denial of service (out-of-bounds memory access and application crash) via a crafted file. Moderate CVE-2014-9652 SUSE bug 917150 SUSE bug 917302 SUSE bug 918768 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The Regular Expressions package in International Components for Unicode (ICU) for C/C++ before 2014-12-03, as used in Google Chrome before 40.0.2214.91, calculates certain values without ensuring that they can be represented in a 24-bit field, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted string, a related issue to CVE-2014-7923. Critical CVE-2014-9654 SUSE bug 917129 SUSE bug 929629 SUSE bug 952260 SUSE bug 969781 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The (1) putcontig8bitYCbCr21tile function in tif_getimage.c or (2) NeXTDecode function in tif_next.c in LibTIFF allows remote attackers to cause a denial of service (uninitialized memory access) via a crafted TIFF image, as demonstrated by libtiff-cvs-1.tif and libtiff-cvs-2.tif. Moderate CVE-2014-9655 SUSE bug 914890 SUSE bug 916925 SUSE bug 916927 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The tt_sbit_decoder_load_image function in sfnt/ttsbit.c in FreeType before 2.5.4 does not properly check for an integer overflow, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted OpenType font. Moderate CVE-2014-9656 SUSE bug 916847 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The tt_face_load_hdmx function in truetype/ttpload.c in FreeType before 2.5.4 does not establish a minimum record size, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted TrueType font. Moderate CVE-2014-9657 SUSE bug 916856 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The tt_face_load_kern function in sfnt/ttkern.c in FreeType before 2.5.4 enforces an incorrect minimum table length, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted TrueType font. Moderate CVE-2014-9658 SUSE bug 916857 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA cff/cf2intrp.c in the CFF CharString interpreter in FreeType before 2.5.4 proceeds with additional hints after the hint mask has been computed, which allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted OpenType font. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2240. Moderate CVE-2014-9659 SUSE bug 916867 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The _bdf_parse_glyphs function in bdf/bdflib.c in FreeType before 2.5.4 does not properly handle a missing ENDCHAR record, which allows remote attackers to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via a crafted BDF font. Moderate CVE-2014-9660 SUSE bug 916858 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA type42/t42parse.c in FreeType before 2.5.4 does not consider that scanning can be incomplete without triggering an error, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted Type42 font. Moderate CVE-2014-9661 SUSE bug 916859 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA cff/cf2ft.c in FreeType before 2.5.4 does not validate the return values of point-allocation functions, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted OTF font. Moderate CVE-2014-9662 SUSE bug 916860 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The tt_cmap4_validate function in sfnt/ttcmap.c in FreeType before 2.5.4 validates a certain length field before that field's value is completely calculated, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted cmap SFNT table. Moderate CVE-2014-9663 SUSE bug 916865 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA FreeType before 2.5.4 does not check for the end of the data during certain parsing actions, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted Type42 font, related to type42/t42parse.c and type1/t1load.c. Moderate CVE-2014-9664 SUSE bug 916864 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The Load_SBit_Png function in sfnt/pngshim.c in FreeType before 2.5.4 does not restrict the rows and pitch values of PNG data, which allows remote attackers to cause a denial of service (integer overflow and heap-based buffer overflow) or possibly have unspecified other impact by embedding a PNG file in a .ttf font file. Moderate CVE-2014-9665 SUSE bug 916863 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The tt_sbit_decoder_init function in sfnt/ttsbit.c in FreeType before 2.5.4 proceeds with a count-to-size association without restricting the count value, which allows remote attackers to cause a denial of service (integer overflow and out-of-bounds read) or possibly have unspecified other impact via a crafted embedded bitmap. Moderate CVE-2014-9666 SUSE bug 916862 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA sfnt/ttload.c in FreeType before 2.5.4 proceeds with offset+length calculations without restricting the values, which allows remote attackers to cause a denial of service (integer overflow and out-of-bounds read) or possibly have unspecified other impact via a crafted SFNT table. Moderate CVE-2014-9667 SUSE bug 916861 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The woff_open_font function in sfnt/sfobjs.c in FreeType before 2.5.4 proceeds with offset+length calculations without restricting length values, which allows remote attackers to cause a denial of service (integer overflow and heap-based buffer overflow) or possibly have unspecified other impact via a crafted Web Open Font Format (WOFF) file. Moderate CVE-2014-9668 SUSE bug 916868 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple integer overflows in sfnt/ttcmap.c in FreeType before 2.5.4 allow remote attackers to cause a denial of service (out-of-bounds read or memory corruption) or possibly have unspecified other impact via a crafted cmap SFNT table. Moderate CVE-2014-9669 SUSE bug 916870 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple integer signedness errors in the pcf_get_encodings function in pcf/pcfread.c in FreeType before 2.5.4 allow remote attackers to cause a denial of service (integer overflow, NULL pointer dereference, and application crash) via a crafted PCF file that specifies negative values for the first column and first row. Moderate CVE-2014-9670 SUSE bug 916871 SUSE bug 933247 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Off-by-one error in the pcf_get_properties function in pcf/pcfread.c in FreeType before 2.5.4 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted PCF file with a 0xffffffff size value that is improperly incremented. Moderate CVE-2014-9671 SUSE bug 916872 SUSE bug 933247 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Array index error in the parse_fond function in base/ftmac.c in FreeType before 2.5.4 allows remote attackers to cause a denial of service (out-of-bounds read) or obtain sensitive information from process memory via a crafted FOND resource in a Mac font file. Moderate CVE-2014-9672 SUSE bug 916873 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer signedness error in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.5.4 allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted Mac font. Moderate CVE-2014-9673 SUSE bug 916874 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.5.4 proceeds with adding to length values without validating the original values, which allows remote attackers to cause a denial of service (integer overflow and heap-based buffer overflow) or possibly have unspecified other impact via a crafted Mac font. Moderate CVE-2014-9674 SUSE bug 916879 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA bdf/bdflib.c in FreeType before 2.5.4 identifies property names by only verifying that an initial substring is present, which allows remote attackers to discover heap pointer values and bypass the ASLR protection mechanism via a crafted BDF font. Moderate CVE-2014-9675 SUSE bug 916881 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer underflow in the cupsRasterReadPixels function in filter/raster.c in CUPS before 2.0.2 allows remote attackers to have unspecified impact via a malformed compressed raster file, which triggers a buffer overflow. Moderate CVE-2014-9679 SUSE bug 917799 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA sudo before 1.8.12 does not ensure that the TZ environment variable is associated with a zoneinfo file, which allows local users to open arbitrary files for read access (but not view file contents) by running a program within an sudo session, as demonstrated by interfering with terminal output, discarding kernel-log messages, or repositioning tape drives. Low CVE-2014-9680 SUSE bug 917806 SUSE bug 919737 SUSE bug 921999 SUSE bug 953359 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Off-by-one error in the ecryptfs_decode_from_filename function in fs/ecryptfs/crypto.c in the eCryptfs subsystem in the Linux kernel before 3.18.2 allows local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted filename. Moderate CVE-2014-9683 SUSE bug 918333 SUSE OpenStack Cloud 5 OpenStack Image Registry and Delivery Service (Glance) 2014.2 through 2014.2.2 does not properly remove images, which allows remote authenticated users to cause a denial of service (disk consumption) by creating a large number of images using the task v2 API and then deleting them before the uploads finish, a different vulnerability than CVE-2015-1881. Moderate CVE-2014-9684 SUSE bug 918784 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA eCryptfs 104 and earlier uses a default salt to encrypt the mount passphrase, which makes it easier for attackers to obtain user passwords via a brute force attack. Moderate CVE-2014-9687 SUSE bug 920160 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the enchant_broker_request_dict function in ext/enchant/enchant.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 allows remote attackers to execute arbitrary code via vectors that trigger creation of multiple dictionaries. Moderate CVE-2014-9705 SUSE bug 922451 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The GetCode_ function in gd_gif_in.c in GD 2.1.1 and earlier, as used in PHP before 5.5.21 and 5.6.x before 5.6.5, allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted GIF image that is improperly handled by the gdImageCreateFromGif function. Moderate CVE-2014-9709 SUSE bug 923945 SUSE bug 923946 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3-TERADATA The Btrfs implementation in the Linux kernel before 3.19 does not ensure that the visible xattr state is consistent with a requested replacement, which allows local users to bypass intended ACL settings and gain privileges via standard filesystem operations (1) during an xattr-replacement time window, related to a race condition, or (2) after an xattr-replacement attempt that fails because the data does not fit. Moderate CVE-2014-9710 SUSE bug 923908 SUSE bug 939260 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The (1) BMDMA and (2) AHCI HBA interfaces in the IDE functionality in QEMU 1.0 through 2.1.3 have multiple interpretations of a function's return value, which allows guest OS users to cause a host OS denial of service (memory consumption or infinite loop, and system crash) via a PRDT with zero complete sectors, related to the bmdma_prepare_buf and ahci_dma_prepare_buf functions. Moderate CVE-2014-9718 SUSE bug 928393 SUSE bug 964431 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The UDF filesystem implementation in the Linux kernel before 3.18.2 does not validate certain lengths, which allows local users to cause a denial of service (buffer over-read and system crash) via a crafted filesystem image, related to fs/udf/inode.c and fs/udf/symlink.c. Moderate CVE-2014-9728 SUSE bug 911325 SUSE bug 933904 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The udf_read_inode function in fs/udf/inode.c in the Linux kernel before 3.18.2 does not ensure a certain data-structure size consistency, which allows local users to cause a denial of service (system crash) via a crafted UDF filesystem image. Moderate CVE-2014-9729 SUSE bug 911325 SUSE bug 933904 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The udf_pc_to_char function in fs/udf/symlink.c in the Linux kernel before 3.18.2 relies on component lengths that are unused, which allows local users to cause a denial of service (system crash) via a crafted UDF filesystem image. Moderate CVE-2014-9730 SUSE bug 911325 SUSE bug 933904 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The UDF filesystem implementation in the Linux kernel before 3.18.2 does not ensure that space is available for storing a symlink target's name along with a trailing \0 character, which allows local users to obtain sensitive information via a crafted filesystem image, related to fs/udf/symlink.c and fs/udf/unicode.c. Moderate CVE-2014-9731 SUSE bug 911325 SUSE bug 933896 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The cabd_extract function in cabd.c in libmspack before 0.5 does not properly maintain decompression callbacks in certain cases where an invalid file follows a valid file, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted CAB archive. Moderate CVE-2014-9732 SUSE bug 934524 SUSE bug 934533 SUSE Linux Enterprise Server 11 SP3-TERADATA The parse_encoding function in type1/t1load.c in FreeType before 2.5.3 allows remote attackers to cause a denial of service (infinite loop) via a "broken number-with-base" in a Postscript stream, as demonstrated by 8#garbage. Low CVE-2014-9745 SUSE bug 945849 SUSE bug 947966 SUSE Linux Enterprise Server 11 SP3-TERADATA The t42_parse_encoding function in type42/t42parse.c in FreeType before 2.5.4 does not properly update the current position for immediates-only mode, which allows remote attackers to cause a denial of service (infinite loop) via a Type42 font. Low CVE-2014-9747 SUSE bug 947966 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Squid 3.4.4 through 3.4.11 and 3.5.0.1 through 3.5.1, when Digest authentication is used, allow remote authenticated users to retain access by leveraging a stale nonce, aka "Nonce replay vulnerability." Moderate CVE-2014-9749 SUSE bug 949942 SUSE bug 993299 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The psf_fwrite function in file_io.c in libsndfile allows attackers to cause a denial of service (divide-by-zero error and application crash) via unspecified vectors related to the headindex variable. Moderate CVE-2014-9756 SUSE bug 953516 SUSE bug 953519 SUSE bug 953521 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple stack-based buffer overflows in the GNU C Library (aka glibc or libc6) before 2.23 allow context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long argument to the (1) nan, (2) nanf, or (3) nanl function. Critical CVE-2014-9761 SUSE bug 962738 SUSE bug 986086 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Directory traversal vulnerability in the ZipArchive::extractTo function in ext/zip/php_zip.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 and ext/zip/ext_zip.cpp in HHVM before 3.12.1 allows remote attackers to create arbitrary empty directories via a crafted ZIP archive. Moderate CVE-2014-9767 SUSE bug 971612 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick allows remote attackers to cause a denial of service (segmentation fault and application crash) via a crafted pnm file. Moderate CVE-2014-9805 SUSE bug 982969 SUSE bug 983752 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick allows remote attackers to cause a denial of service (file descriptor consumption) via a crafted file. Moderate CVE-2014-9806 SUSE bug 982969 SUSE bug 983774 SUSE Linux Enterprise Server 11 SP3-TERADATA The pdb coder in ImageMagick allows remote attackers to cause a denial of service (double free) via unspecified vectors. Moderate CVE-2014-9807 SUSE bug 982969 SUSE bug 983794 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick allows remote attackers to cause a denial of service (segmentation fault and application crash) via a crafted dpc image. Moderate CVE-2014-9808 SUSE bug 982969 SUSE bug 983796 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick allows remote attackers to cause a denial of service (segmentation fault and application crash) via a crafted xwd image. Moderate CVE-2014-9809 SUSE bug 982969 SUSE bug 983799 SUSE Linux Enterprise Server 11 SP3-TERADATA The dpx file handler in ImageMagick allows remote attackers to cause a denial of service (segmentation fault and application crash) via a malformed dpx file. Moderate CVE-2014-9810 SUSE bug 982969 SUSE bug 983803 SUSE Linux Enterprise Server 11 SP3-TERADATA The xwd file handler in ImageMagick allows remote attackers to cause a denial of service (segmentation fault and application crash) via a malformed xwd file. Moderate CVE-2014-9811 SUSE bug 982969 SUSE bug 984032 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted ps file. Moderate CVE-2014-9812 SUSE bug 982969 SUSE bug 984137 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick allows remote attackers to cause a denial of service (application crash) via a crafted viff file. Moderate CVE-2014-9813 SUSE bug 982969 SUSE bug 984035 SUSE bug 984398 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted wpg file. Moderate CVE-2014-9814 SUSE bug 982969 SUSE bug 984193 SUSE bug 984372 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick allows remote attackers to cause a denial of service (application crash) via a crafted wpg file. Moderate CVE-2014-9815 SUSE bug 982969 SUSE bug 984372 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick allows remote attackers to cause a denial of service (out-of-bounds access) via a crafted viff file. Moderate CVE-2014-9816 SUSE bug 982969 SUSE bug 984035 SUSE bug 984398 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in ImageMagick allows remote attackers to have unspecified impact via a crafted pdb file. Moderate CVE-2014-9817 SUSE bug 982969 SUSE bug 984400 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick allows remote attackers to cause a denial of service (out-of-bounds access) via a malformed sun file. Moderate CVE-2014-9818 SUSE bug 1000690 SUSE bug 982969 SUSE bug 984181 SUSE bug 984186 SUSE bug 984409 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in ImageMagick allows remote attackers to have unspecified impact via a crafted palm file, a different vulnerability than CVE-2014-9823. Moderate CVE-2014-9819 SUSE bug 982969 SUSE bug 984142 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in ImageMagick allows remote attackers to have unspecified impact via a crafted pnm file. Moderate CVE-2014-9820 SUSE bug 982969 SUSE bug 984150 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in ImageMagick allows remote attackers to have unspecified impact via a crafted quantum file. Moderate CVE-2014-9822 SUSE bug 982969 SUSE bug 984187 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in ImageMagick allows remote attackers to have unspecified impact via a crafted palm file, a different vulnerability than CVE-2014-9819. Moderate CVE-2014-9823 SUSE bug 982969 SUSE bug 984401 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in ImageMagick allows remote attackers to have unspecified impact via a crafted psd file, a different vulnerability than CVE-2014-9825. Moderate CVE-2014-9824 SUSE bug 982969 SUSE bug 984185 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick allows remote attackers to have unspecified impact via vectors related to error handling in sun files. Moderate CVE-2014-9826 SUSE bug 982969 SUSE bug 984186 SUSE Linux Enterprise Server 11 SP3-TERADATA coders/psd.c in ImageMagick allows remote attackers to have unspecified impact via a crafted psd file. Moderate CVE-2014-9828 SUSE bug 982969 SUSE bug 984028 SUSE Linux Enterprise Server 11 SP3-TERADATA coders/sun.c in ImageMagick allows remote attackers to cause a denial of service (out-of-bounds access) via a crafted sun file. Moderate CVE-2014-9829 SUSE bug 982969 SUSE bug 984409 SUSE Linux Enterprise Server 11 SP3-TERADATA coders/sun.c in ImageMagick allows remote attackers to have unspecified impact via a corrupted sun file. Moderate CVE-2014-9830 SUSE bug 1000690 SUSE bug 982969 SUSE bug 984135 SUSE Linux Enterprise Server 11 SP3-TERADATA coders/wpg.c in ImageMagick allows remote attackers to have unspecified impact via a corrupted wpg file. Moderate CVE-2014-9831 SUSE bug 982969 SUSE bug 984375 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap overflow in ImageMagick 6.8.9-9 via a crafted pict file. Moderate CVE-2014-9834 SUSE bug 982969 SUSE bug 984436 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap overflow in ImageMagick 6.8.9-9 via a crafted wpf file. Moderate CVE-2014-9835 SUSE bug 982969 SUSE bug 984145 SUSE bug 984375 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick 6.8.9-9 allows remote attackers to cause a denial of service via a crafted xpm file. Moderate CVE-2014-9836 SUSE bug 982969 SUSE bug 984023 SUSE Linux Enterprise Server 11 SP3-TERADATA coders/pnm.c in ImageMagick 6.9.0-1 Beta and earlier allows remote attackers to cause a denial of service (crash) via a crafted png file. Moderate CVE-2014-9837 SUSE bug 982969 SUSE bug 984166 SUSE Linux Enterprise Server 11 SP3-TERADATA magick/cache.c in ImageMagick 6.8.9-9 allows remote attackers to cause a denial of service (crash). Moderate CVE-2014-9838 SUSE bug 982969 SUSE bug 984370 SUSE Linux Enterprise Server 11 SP3-TERADATA magick/colormap-private.h in ImageMagick 6.8.9-9 allows remote attackers to cause a denial of service (out-of-bounds access). Moderate CVE-2014-9839 SUSE bug 982969 SUSE bug 984379 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick 6.8.9-9 allows remote attackers to cause a denial of service (out-of-bounds access) via a crafted palm file. Moderate CVE-2014-9840 SUSE bug 982969 SUSE bug 984433 SUSE Linux Enterprise Server 11 SP3-TERADATA Memory leak in the ReadPSDLayers function in coders/psd.c in ImageMagick 6.8.9.9 allows remote attackers to cause a denial of service (memory consumption) via unspecified vectors. Moderate CVE-2014-9842 SUSE bug 982969 SUSE bug 984172 SUSE bug 984374 SUSE Linux Enterprise Server 11 SP3-TERADATA The ReadRLEImage function in coders/rle.c in ImageMagick 6.8.9.9 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted image file. Moderate CVE-2014-9844 SUSE bug 982969 SUSE bug 984373 SUSE bug 984408 SUSE Linux Enterprise Server 11 SP3-TERADATA The ReadDIBImage function in coders/dib.c in ImageMagick allows remote attackers to cause a denial of service (crash) via a corrupted dib file. Moderate CVE-2014-9845 SUSE bug 982969 SUSE bug 984394 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in the ReadRLEImage function in coders/rle.c in ImageMagick 6.8.9.9 allows remote attackers to have unspecified impact. Moderate CVE-2014-9846 SUSE bug 982969 SUSE bug 983521 SUSE bug 984408 SUSE Linux Enterprise Server 11 SP3-TERADATA The jng decoder in ImageMagick 6.8.9.9 allows remote attackers to have an unspecified impact. Moderate CVE-2014-9847 SUSE bug 1040304 SUSE bug 982969 SUSE bug 984144 SUSE Linux Enterprise Server 11 SP3-TERADATA The png coder in ImageMagick allows remote attackers to cause a denial of service (crash). Moderate CVE-2014-9849 SUSE bug 982969 SUSE bug 984018 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick 6.8.9.9 allows remote attackers to cause a denial of service (application crash). Moderate CVE-2014-9851 SUSE bug 1106989 SUSE bug 1106996 SUSE bug 982969 SUSE bug 984160 SUSE Linux Enterprise Server 11 SP3-TERADATA Memory leak in coders/rle.c in ImageMagick allows remote attackers to cause a denial of service (memory consumption) via a crafted rle file. Moderate CVE-2014-9853 SUSE bug 982969 SUSE bug 984408 SUSE Linux Enterprise Server 11 SP3-TERADATA coders/tiff.c in ImageMagick allows remote attackers to cause a denial of service (application crash) via vectors related to the "identification of image." Moderate CVE-2014-9854 SUSE bug 982969 SUSE bug 984184 SUSE Linux Enterprise Server 11 SP3-TERADATA coders/dds.c in ImageMagick allows remote attackers to cause a denial of service via a crafted DDS file. Moderate CVE-2014-9907 SUSE bug 1000714 SUSE bug 1074610 SUSE Linux Enterprise Server 11 SP3-TERADATA Stack-based buffer overflow in the ures_getByKeyWithFallback function in common/uresbund.cpp in International Components for Unicode (ICU) before 54.1 for C/C++ allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted uloc_getDisplayName call. Important CVE-2014-9911 SUSE bug 1012224 SUSE bug 1012232 SUSE Linux Enterprise Server 11 SP3-TERADATA The get_icu_disp_value_src_php function in ext/intl/locale/locale_methods.c in PHP before 5.3.29, 5.4.x before 5.4.30, and 5.5.x before 5.5.14 does not properly restrict calls to the ICU uresbund.cpp component, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a locale_get_display_name call with a long first argument. Moderate CVE-2014-9912 SUSE bug 1012224 SUSE bug 1012232 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in the list_files function in list.c in Info-Zip UnZip 6.0 allows remote attackers to cause a denial of service (crash) via vectors related to the compression method. Moderate CVE-2014-9913 SUSE bug 1013993 SUSE Linux Enterprise Server 11 SP3-TERADATA The eCryptfs subsystem in the Linux kernel before 3.18 allows local users to gain privileges via a large filesystem stack that includes an overlayfs layer, related to fs/ecryptfs/main.c and fs/overlayfs/super.c. Important CVE-2014-9922 SUSE bug 1032340 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA GSKit in IBM Tivoli Directory Server (ITDS) 6.0 before 6.0.0.73-ISS-ITDS-IF0073, 6.1 before 6.1.0.66-ISS-ITDS-IF0066, 6.2 before 6.2.0.42-ISS-ITDS-IF0042, and 6.3 before 6.3.0.35-ISS-ITDS-IF0035 and IBM Security Directory Server (ISDS) 6.3.1 before 6.3.1.9-ISS-ISDS-IF0009 does not properly restrict TLS state transitions, which makes it easier for remote attackers to conduct cipher-downgrade attacks to EXPORT_RSA ciphers via crafted TLS traffic, related to the "FREAK" issue, a different vulnerability than CVE-2015-0204. Moderate CVE-2015-0138 SUSE bug 952088 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in IBM Java 8 before SR1, 7 R1 before SR2 FP11, 7 before SR9, 6 R1 before SR8 FP4, 6 before SR16 FP4, and 5.0 before SR16 FP10 allows remote attackers to gain privileges via unknown vectors related to the Java Virtual Machine. Moderate CVE-2015-0192 SUSE bug 952088 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role, related to the "FREAK" issue. NOTE: the scope of this CVE is only client code based on OpenSSL, not EXPORT_RSA issues associated with servers or other TLS implementations. Moderate CVE-2015-0204 SUSE bug 912014 SUSE bug 920339 SUSE bug 920482 SUSE bug 920484 SUSE bug 927591 SUSE bug 927623 SUSE bug 936787 SUSE bug 952088 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The ssl3_get_cert_verify function in s3_srvr.c in OpenSSL 1.0.0 before 1.0.0p and 1.0.1 before 1.0.1k accepts client authentication with a Diffie-Hellman (DH) certificate without requiring a CertificateVerify message, which allows remote attackers to obtain access without knowledge of a private key via crafted TLS Handshake Protocol traffic to a server that recognizes a Certification Authority with DH support. Moderate CVE-2015-0205 SUSE bug 912293 SUSE bug 920339 SUSE bug 927623 SUSE bug 937891 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Memory leak in the dtls1_buffer_record function in d1_pkt.c in OpenSSL 1.0.0 before 1.0.0p and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service (memory consumption) by sending many duplicate records for the next epoch, leading to failure of replay detection. Moderate CVE-2015-0206 SUSE bug 912292 SUSE bug 920339 SUSE bug 927623 SUSE bug 937891 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in the d2i_ECPrivateKey function in crypto/ec/ec_asn1.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a malformed Elliptic Curve (EC) private-key file that is improperly handled during import. Moderate CVE-2015-0209 SUSE bug 919648 SUSE bug 936586 SUSE bug 937891 SUSE Linux Enterprise Server 11 SP3-TERADATA wpa_supplicant 2.0-16 does not properly check certificate subject name, which allows remote attackers to cause a man-in-the-middle attack. Moderate CVE-2015-0210 SUSE bug 915323 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate numerical keys within the serialized properties of an object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8142. Low CVE-2015-0231 SUSE bug 910659 SUSE bug 924972 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The exif_process_unicode function in ext/exif/exif.c in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized pointer free and application crash) via crafted EXIF data in a JPEG image. Moderate CVE-2015-0232 SUSE bug 914690 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka "GHOST." Critical CVE-2015-0235 SUSE bug 844309 SUSE bug 913646 SUSE bug 915263 SUSE bug 917876 SUSE bug 920055 SUSE bug 949238 SUSE bug 954983 SUSE Linux Enterprise Server 11 SP3-TERADATA The em_sysenter function in arch/x86/kvm/emulate.c in the Linux kernel before 3.18.5, when the guest OS lacks SYSENTER MSR initialization, allows guest OS users to gain guest OS privileges or cause a denial of service (guest OS crash) by triggering use of a 16-bit code segment for emulation of a SYSENTER instruction. Moderate CVE-2015-0239 SUSE bug 994618 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The Netlogon server implementation in smbd in Samba 3.5.x and 3.6.x before 3.6.25, 4.0.x before 4.0.25, 4.1.x before 4.1.17, and 4.2.x before 4.2.0rc5 performs a free operation on an uninitialized stack pointer, which allows remote attackers to execute arbitrary code via crafted Netlogon packets that use the ServerPasswordSet RPC API, as demonstrated by packets reaching the _netr_ServerPasswordSet function in rpc_server/netlogon/srv_netlog_nt.c. Important CVE-2015-0240 SUSE bug 917376 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Moderate CVE-2015-0241 SUSE bug 916953 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Moderate CVE-2015-0243 SUSE bug 916953 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Moderate CVE-2015-0244 SUSE bug 916953 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in openfs.c in the libext2fs library in e2fsprogs before 1.42.12 allows local users to execute arbitrary code via crafted block group descriptor data in a filesystem image. Moderate CVE-2015-0247 SUSE bug 1123790 SUSE bug 915402 SUSE bug 918346 SUSE Linux Enterprise Server 11 SP3-TERADATA Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a (1) <x:parse> or (2) <x:transform> JSTL XML tag. Important CVE-2015-0254 SUSE bug 920813 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA X.Org Server (aka xserver and xorg-server) before 1.16.3 and 1.17.x before 1.17.1 allows remote attackers to obtain sensitive information from process memory or cause a denial of service (crash) via a crafted string length value in a XkbSetGeometry request. Moderate CVE-2015-0255 SUSE bug 915810 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer signedness error in the mobility_opt_print function in the IPv6 mobility printer in tcpdump before 4.7.2 allows remote attackers to cause a denial of service (out-of-bounds read and crash) or possibly execute arbitrary code via a negative length value. Moderate CVE-2015-0261 SUSE bug 922220 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA GNOME NetworkManager allows remote attackers to cause a denial of service (IPv6 traffic disruption) via a crafted MTU value in an IPv6 Router Advertisement (RA) message, a different vulnerability than CVE-2015-8215. Moderate CVE-2015-0272 SUSE bug 944296 SUSE bug 951638 SUSE bug 955354 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA GnuTLS before 3.1.0 does not verify that the RSA PKCS #1 signature algorithm matches the signature algorithm in the certificate, which allows remote attackers to conduct downgrade attacks via unspecified vectors. Moderate CVE-2015-0282 SUSE bug 919938 SUSE bug 921684 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The ASN1_TYPE_cmp function in crypto/asn1/a_type.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not properly perform boolean-type comparisons, which allows remote attackers to cause a denial of service (invalid read operation and application crash) via a crafted X.509 certificate to an endpoint that uses the certificate-verification feature. Moderate CVE-2015-0286 SUSE bug 919648 SUSE bug 922496 SUSE bug 936586 SUSE bug 937891 SUSE bug 951391 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The ASN1_item_ex_d2i function in crypto/asn1/tasn_dec.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not reinitialize CHOICE and ADB data structures, which might allow attackers to cause a denial of service (invalid write operation and memory corruption) by leveraging an application that relies on ASN.1 structure reuse. Moderate CVE-2015-0287 SUSE bug 919648 SUSE bug 922499 SUSE bug 936586 SUSE bug 937492 SUSE bug 937891 SUSE bug 940369 SUSE bug 968888 SUSE bug 991722 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The X509_to_X509_REQ function in crypto/x509/x509_req.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might allow attackers to cause a denial of service (NULL pointer dereference and application crash) via an invalid certificate key. Moderate CVE-2015-0288 SUSE bug 919648 SUSE bug 920236 SUSE bug 936586 SUSE bug 937891 SUSE bug 951391 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The PKCS#7 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not properly handle a lack of outer ContentInfo, which allows attackers to cause a denial of service (NULL pointer dereference and application crash) by leveraging an application that processes arbitrary PKCS#7 data and providing malformed data with ASN.1 encoding, related to crypto/pkcs7/pk7_doit.c and crypto/pkcs7/pk7_lib.c. Moderate CVE-2015-0289 SUSE bug 919648 SUSE bug 922500 SUSE bug 936586 SUSE bug 937891 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer underflow in the EVP_DecodeUpdate function in crypto/evp/encode.c in the base64-decoding implementation in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted base64 data that triggers a buffer overflow. Moderate CVE-2015-0292 SUSE bug 919648 SUSE bug 922501 SUSE bug 936586 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a allows remote attackers to cause a denial of service (s2_lib.c assertion failure and daemon exit) via a crafted CLIENT-MASTER-KEY message. Moderate CVE-2015-0293 SUSE bug 919648 SUSE bug 922488 SUSE bug 936586 SUSE bug 968044 SUSE bug 968051 SUSE bug 968053 SUSE bug 986238 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Moderate CVE-2015-0294 SUSE bug 919938 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file. Low CVE-2015-0295 SUSE bug 921999 SUSE bug 927806 SUSE bug 927807 SUSE bug 927808 SUSE bug 936523 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier and 5.6.21 and earlier allows remote authenticated users to affect confidentiality via unknown vectors related to Server : Security : Privileges : Foreign Key. Moderate CVE-2015-0374 SUSE bug 914058 SUSE bug 915911 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier and 5.6.21 and earlier allows remote attackers to affect availability via unknown vectors related to Server : Replication, a different vulnerability than CVE-2015-0382. Moderate CVE-2015-0381 SUSE bug 914058 SUSE bug 915911 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier and 5.6.21 and earlier allows remote attackers to affect availability via unknown vectors related to Server : Replication, a different vulnerability than CVE-2015-0381. Moderate CVE-2015-0382 SUSE bug 914058 SUSE bug 915911 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.6.21 and earlier allows remote authenticated users to affect availability via unknown vectors related to Pluggable Auth. Moderate CVE-2015-0385 SUSE bug 914058 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and 5.6.19 and earlier, allows remote authenticated users to affect availability via vectors related to DDL. Moderate CVE-2015-0391 SUSE bug 914058 SUSE bug 915913 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.6.22 and earlier allows remote authenticated users to affect availability via unknown vectors related to XA. Important CVE-2015-0405 SUSE bug 927623 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.6.21 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer. Moderate CVE-2015-0409 SUSE bug 914058 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier, and 5.6.21 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Server : Security : Encryption. Moderate CVE-2015-0411 SUSE bug 914058 SUSE bug 915911 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.6.22 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer. Important CVE-2015-0423 SUSE bug 927623 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier allows remote authenticated users to affect availability via vectors related to Server : InnoDB : DDL : Foreign Key. Moderate CVE-2015-0432 SUSE bug 914058 SUSE bug 915911 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.41 and earlier, and 5.6.22 and earlier, allows remote authenticated users to affect availability via vectors related to InnoDB : DML. Moderate CVE-2015-0433 SUSE bug 927623 SUSE bug 936409 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.6.22 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Partition. Important CVE-2015-0438 SUSE bug 927623 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.6.22 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : InnoDB, a different vulnerability than CVE-2015-4756. Important CVE-2015-0439 SUSE bug 927623 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.41 and earlier, and 5.6.22 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server : Security : Encryption. Moderate CVE-2015-0441 SUSE bug 927623 SUSE bug 936409 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in in Oracle Java SE 6u91, 7u76, and 8u40 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. Moderate CVE-2015-0458 SUSE bug 927591 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40, and JavaFX 2.2.76, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D, a different vulnerability than CVE-2015-0491. Important CVE-2015-0459 SUSE bug 927591 SUSE bug 932310 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. Important CVE-2015-0469 SUSE bug 927591 SUSE bug 932310 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity via unknown vectors related to Beans. Moderate CVE-2015-0477 SUSE bug 927591 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40, and JRockit R28.3.5, allows remote attackers to affect confidentiality via vectors related to JCE. Low CVE-2015-0478 SUSE bug 927591 SUSE bug 944456 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools. Moderate CVE-2015-0480 SUSE bug 927591 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40, and JRockit R28.3.5, allows remote attackers to affect availability via vectors related to JSSE. Moderate CVE-2015-0488 SUSE bug 927591 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40, and Java FX 2.2.76, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D, a different vulnerability than CVE-2015-0459. Important CVE-2015-0491 SUSE bug 927591 SUSE bug 932310 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier allows remote authenticated users to affect availability via unknown vectors related to Replication. Important CVE-2015-0498 SUSE bug 927623 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.42 and earlier, and 5.6.23 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server : Federated. Moderate CVE-2015-0499 SUSE bug 927623 SUSE bug 936408 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier allows remote authenticated users to affect availability via unknown vectors. Important CVE-2015-0500 SUSE bug 927623 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.42 and earlier, and 5.6.23 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server : Compiling. Moderate CVE-2015-0501 SUSE bug 927623 SUSE bug 936408 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Partition. Important CVE-2015-0503 SUSE bug 927623 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.42 and earlier, and 5.6.23 and earlier, allows remote authenticated users to affect availability via vectors related to DDL. Moderate CVE-2015-0505 SUSE bug 927623 SUSE bug 936408 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB, a different vulnerability than CVE-2015-0508. Important CVE-2015-0506 SUSE bug 927623 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Memcached. Important CVE-2015-0507 SUSE bug 927623 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : InnoDB, a different vulnerability than CVE-2015-0506. Important CVE-2015-0508 SUSE bug 927623 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : SP. Important CVE-2015-0511 SUSE bug 927623 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple use-after-free vulnerabilities in epan/dissectors/packet-wccp.c in the WCCP dissector in Wireshark 1.10.x before 1.10.12 and 1.12.x before 1.12.3 allow remote attackers to cause a denial of service (application crash) via a crafted packet, related to the use of packet-scope memory instead of pinfo-scope memory. Moderate CVE-2015-0559 SUSE bug 912365 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The dissect_wccp2r1_address_table_info function in epan/dissectors/packet-wccp.c in the WCCP dissector in Wireshark 1.10.x before 1.10.12 and 1.12.x before 1.12.3 does not initialize certain data structures, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. Moderate CVE-2015-0560 SUSE bug 912365 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA asn1/lpp/lpp.cnf in the LPP dissector in Wireshark 1.10.x before 1.10.12 and 1.12.x before 1.12.3 does not validate a certain index value, which allows remote attackers to cause a denial of service (out-of-bounds memory access and application crash) via a crafted packet. Moderate CVE-2015-0561 SUSE bug 912368 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple use-after-free vulnerabilities in epan/dissectors/packet-dec-dnart.c in the DEC DNA Routing Protocol dissector in Wireshark 1.10.x before 1.10.12 and 1.12.x before 1.12.3 allow remote attackers to cause a denial of service (application crash) via a crafted packet, related to the use of packet-scope memory instead of pinfo-scope memory. Moderate CVE-2015-0562 SUSE bug 912369 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA epan/dissectors/packet-smtp.c in the SMTP dissector in Wireshark 1.10.x before 1.10.12 and 1.12.x before 1.12.3 uses an incorrect length value for certain string-append operations, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. Moderate CVE-2015-0563 SUSE bug 912370 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer underflow in the ssl_decrypt_record function in epan/dissectors/packet-ssl-utils.c in Wireshark 1.10.x before 1.10.12 and 1.12.x before 1.12.3 allows remote attackers to cause a denial of service (application crash) via a crafted packet that is improperly handled during decryption of an SSL session. Moderate CVE-2015-0564 SUSE bug 912372 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA drivers/xen/usbback/usbback.c in linux-2.6.18-xen-3.4.0 (aka the Xen 3.4.x support patches for the Linux kernel 2.6.18), as used in the Linux kernel 2.6.x and 3.x in SUSE Linux distributions, allows guest OS users to obtain sensitive information from uninitialized locations in host OS kernel memory via unspecified vectors. Low CVE-2015-0777 SUSE bug 917830 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA GStreamer before 1.4.5, as used in Mozilla Firefox before 38.0, Firefox ESR 31.x before 31.7, and Thunderbird before 31.7 on Linux, allows remote attackers to cause a denial of service (buffer over-read and application crash) or possibly execute arbitrary code via crafted H.264 video data in an m4v file. Important CVE-2015-0797 SUSE bug 927559 SUSE bug 930622 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 allow remote attackers to bypass the Same Origin Policy and execute arbitrary JavaScript code with chrome privileges via vectors involving anchor navigation, a similar issue to CVE-2015-0818. Moderate CVE-2015-0801 SUSE bug 925368 SUSE bug 925401 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The navigator.sendBeacon implementation in Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 processes HTTP 30x status codes for redirects after a preflight request has occurred, which allows remote attackers to bypass intended CORS access-control checks and conduct cross-site request forgery (CSRF) attacks via a crafted web site, a similar issue to CVE-2014-8638. Moderate CVE-2015-0807 SUSE bug 913068 SUSE bug 925368 SUSE bug 925398 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in the AppendElements function in Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 on Linux, when the Fluendo MP3 plugin for GStreamer is used, allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a crafted MP3 file. Moderate CVE-2015-0813 SUSE bug 925368 SUSE bug 925393 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 37.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Moderate CVE-2015-0814 SUSE bug 925368 SUSE bug 925392 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 do not properly restrict resource: URLs, which makes it easier for remote attackers to execute arbitrary JavaScript code with chrome privileges by leveraging the ability to bypass the Same Origin Policy, as demonstrated by the resource: URL associated with PDF.js. Moderate CVE-2015-0816 SUSE bug 925368 SUSE bug 925395 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The asm.js implementation in Mozilla Firefox before 36.0.3, Firefox ESR 31.x before 31.5.2, and SeaMonkey before 2.33.1 does not properly determine the cases in which bounds checking may be safely skipped during JIT compilation and heap access, which allows remote attackers to read or write to unintended memory locations, and consequently execute arbitrary code, via crafted JavaScript. Moderate CVE-2015-0817 SUSE bug 923495 SUSE bug 923534 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Mozilla Firefox before 36.0.4, Firefox ESR 31.x before 31.5.3, and SeaMonkey before 2.33.1 allow remote attackers to bypass the Same Origin Policy and execute arbitrary JavaScript code with chrome privileges via vectors involving SVG hash navigation. Moderate CVE-2015-0818 SUSE bug 923495 SUSE bug 923534 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The Form Autocompletion feature in Mozilla Firefox before 36.0, Firefox ESR 31.x before 31.5, and Thunderbird before 31.5 allows remote attackers to read arbitrary files via crafted JavaScript code. Moderate CVE-2015-0822 SUSE bug 910669 SUSE bug 917597 SUSE bug 923534 SUSE bug 924515 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the mozilla::gfx::CopyRect function in Mozilla Firefox before 36.0, Firefox ESR 31.x before 31.5, and Thunderbird before 31.5 allows remote attackers to obtain sensitive information from uninitialized process memory via a malformed SVG graphic. Moderate CVE-2015-0827 SUSE bug 910669 SUSE bug 917597 SUSE bug 923534 SUSE bug 924515 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in the mozilla::dom::IndexedDB::IDBObjectStore::CreateIndex function in Mozilla Firefox before 36.0, Firefox ESR 31.x before 31.5, and Thunderbird before 31.5 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via crafted content that is improperly handled during IndexedDB index creation. Important CVE-2015-0831 SUSE bug 910669 SUSE bug 917597 SUSE bug 923534 SUSE bug 924515 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 36.0, Firefox ESR 31.x before 31.5, and Thunderbird before 31.5 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Important CVE-2015-0836 SUSE bug 910669 SUSE bug 917597 SUSE bug 923534 SUSE bug 924515 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Moderate CVE-2015-0837 SUSE bug 920057 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple integer overflows in the XML_GetBuffer function in Expat through 2.1.0, as used in Google Chrome before 44.0.2403.89 and other products, allow remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted XML data, a related issue to CVE-2015-2716. Moderate CVE-2015-1283 SUSE bug 1034050 SUSE bug 939077 SUSE bug 979441 SUSE bug 980391 SUSE bug 983985 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA lxc-start in lxc before 1.0.8 and 1.1.x before 1.1.4 allows local container administrators to escape AppArmor confinement via a symlink attack on a (1) mount target or (2) bind mount source. Moderate CVE-2015-1335 SUSE bug 946744 SUSE Linux Enterprise Server 11 SP3-TERADATA kernel_crashdump in Apport before 2.19 allows local users to cause a denial of service (disk consumption) or possibly gain privileges via a (1) symlink or (2) hard link attack on /var/crash/vmcore.log. Important CVE-2015-1338 SUSE bug 1049352 SUSE bug 947731 SUSE bug 952246 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA named in ISC BIND 9.7.0 through 9.9.6 before 9.9.6-P2 and 9.10.x before 9.10.1-P2, when DNSSEC validation and the managed-keys feature are enabled, allows remote attackers to cause a denial of service (assertion failure and daemon exit, or daemon crash) by triggering an incorrect trust-anchor management scenario in which no key is ready for use. Low CVE-2015-1349 SUSE bug 918330 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The VFS subsystem in the Linux kernel 3.x provides an incomplete set of requirements for setattr operations that underspecifies removing extended privilege attributes, which allows local users to cause a denial of service (capability stripping) via a failed invocation of a system call, as demonstrated by using chown to remove a capability from the ping or Wireshark dumpcap program. Low CVE-2015-1350 SUSE bug 1025354 SUSE bug 1052256 SUSE bug 914939 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in vsftpd 3.0.2 and earlier allows remote attackers to bypass access restrictions via unknown vectors, related to deny_file parsing. Moderate CVE-2015-1419 SUSE bug 900326 SUSE bug 915522 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Race condition in the handle_to_path function in fs/fhandle.c in the Linux kernel through 3.19.1 allows local users to bypass intended size restrictions and trigger read operations on additional memory locations by changing the handle_bytes value of a file handle during the execution of this function. Moderate CVE-2015-1420 SUSE bug 915517 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in the sctp_assoc_update function in net/sctp/associola.c in the Linux kernel before 3.18.8 allows remote attackers to cause a denial of service (slab corruption and panic) or possibly have unspecified other impact by triggering an INIT collision that leads to improper handling of shared-key data. Moderate CVE-2015-1421 SUSE bug 915577 SUSE bug 922004 SUSE bug 939261 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA ClamAV before 0.98.6 allows remote attackers to have unspecified impact via a crafted (1) Yoda's crypter or (2) mew packer file, related to a "heap out of bounds condition." Important CVE-2015-1461 SUSE bug 1040662 SUSE bug 916217 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA ClamAV before 0.98.6 allows remote attackers to have unspecified impact via a crafted upx packer file, related to a "heap out of bounds condition." Important CVE-2015-1462 SUSE bug 1040662 SUSE bug 916214 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA ClamAV before 0.98.6 allows remote attackers to cause a denial of service (crash) via a crafted petite packer file, related to an "incorrect compiler optimization." Moderate CVE-2015-1463 SUSE bug 1040662 SUSE bug 916215 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The ADDW macro in stdio-common/vfscanf.c in the GNU C Library (aka glibc or libc6) before 2.21 does not properly consider data-type size during memory allocation, which allows context-dependent attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a long line containing wide characters that are improperly handled in a wscanf call. Moderate CVE-2015-1472 SUSE bug 916222 SUSE bug 920341 SUSE bug 922243 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The deref_parseCtrl function in servers/slapd/overlays/deref.c in OpenLDAP 2.4.13 through 2.4.40 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via an empty attribute list in a deref control in a search request. Moderate CVE-2015-1545 SUSE bug 846389 SUSE bug 905959 SUSE bug 916897 SUSE bug 916914 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Double free vulnerability in the get_vrFilter function in servers/slapd/filter.c in OpenLDAP 2.4.40 allows remote attackers to cause a denial of service (crash) via a crafted search query with a matched values control. Moderate CVE-2015-1546 SUSE bug 916914 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in closefs.c in the libext2fs library in e2fsprogs before 1.42.12 allows local users to execute arbitrary code by causing a crafted block group descriptor to be marked as dirty. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-0247. Low CVE-2015-1572 SUSE bug 1123790 SUSE bug 915402 SUSE bug 918346 SUSE Linux Enterprise Server 11 SP3 The stack randomization feature in the Linux kernel before 3.19.1 on 64-bit platforms uses incorrect data types for the results of bitwise left-shift operations, which makes it easier for attackers to bypass the ASLR protection mechanism by predicting the address of the top of the stack, related to the randomize_stack_top function in fs/binfmt_elf.c and the stack_maxrandom_size function in arch/x86/mm/mmap.c. Moderate CVE-2015-1593 SUSE bug 1044934 SUSE bug 917839 SUSE bug 942663 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Low CVE-2015-1606 SUSE bug 918089 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Low CVE-2015-1607 SUSE bug 918090 SUSE OpenStack Cloud 5 MongoDB before 2.4.13 and 2.6.x before 2.6.8 allows remote attackers to cause a denial of service via a crafted UTF-8 string in a BSON request. Moderate CVE-2015-1609 SUSE bug 921759 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The VNC websocket frame decoder in QEMU allows remote attackers to cause a denial of service (memory and CPU consumption) via a large (1) websocket payload or (2) HTTP headers section. Moderate CVE-2015-1779 SUSE bug 924018 SUSE bug 962632 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in the gethostbyname_r and other unspecified NSS functions in the GNU C Library (aka glibc or libc6) before 2.22 allows context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via a crafted DNS response, which triggers a call with a misaligned buffer. Moderate CVE-2015-1781 SUSE bug 927080 SUSE bug 939211 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The kex_agree_methods function in libssh2 before 1.5.0 allows remote servers to cause a denial of service (crash) or have other unspecified impact via crafted length values in an SSH_MSG_KEXINIT packet. Important CVE-2015-1782 SUSE bug 921070 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The BN_GF2m_mod_inv function in crypto/bn/bn_gf2m.c in OpenSSL before 0.9.8s, 1.0.0 before 1.0.0e, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b does not properly handle ECParameters structures in which the curve is over a malformed binary polynomial field, which allows remote attackers to cause a denial of service (infinite loop) via a session that uses an Elliptic Curve algorithm, as demonstrated by an attack against a server that supports client authentication. Moderate CVE-2015-1788 SUSE bug 934487 SUSE bug 936586 SUSE bug 937891 SUSE bug 938432 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The X509_cmp_time function in crypto/x509/x509_vfy.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted length field in ASN1_TIME data, as demonstrated by an attack against a server that supports client authentication with a custom verification callback. Important CVE-2015-1789 SUSE bug 934489 SUSE bug 936586 SUSE bug 937891 SUSE bug 938432 SUSE bug 951391 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The PKCS7_dataDecodefunction in crypto/pkcs7/pk7_doit.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a PKCS#7 blob that uses ASN.1 encoding and lacks inner EncryptedContent data. Moderate CVE-2015-1790 SUSE bug 934491 SUSE bug 936586 SUSE bug 938432 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Race condition in the ssl3_get_new_session_ticket function in ssl/s3_clnt.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b, when used for a multi-threaded client, allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact by providing a NewSessionTicket during an attempt to reuse a ticket that had been obtained earlier. Moderate CVE-2015-1791 SUSE bug 933911 SUSE bug 986238 SUSE bug 989464 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The do_free_upto function in crypto/cms/cms_smime.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (infinite loop) via vectors that trigger a NULL value of a BIO data structure, as demonstrated by an unrecognized X.660 OID for a hash function. Moderate CVE-2015-1792 SUSE bug 934493 SUSE bug 937891 SUSE bug 986238 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly process X.509 Basic Constraints cA values during identification of alternative certificate chains, which allows remote attackers to spoof a Certification Authority role and trigger unintended certificate verifications via a valid leaf certificate. Moderate CVE-2015-1793 SUSE bug 936746 SUSE bug 937637 SUSE bug 951391 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP 3.x and 4.x before 4.2.8p2 performs state-variable updates upon receiving certain invalid packets, which makes it easier for man-in-the-middle attackers to cause a denial of service (synchronization loss) by spoofing the source IP address of a peer. Important CVE-2015-1799 SUSE bug 924202 SUSE bug 927497 SUSE bug 928321 SUSE bug 943565 SUSE bug 957163 SUSE bug 959243 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The bdfReadProperties function in bitmap/bdfread.c in X.Org libXfont before 1.4.9 and 1.5.x before 1.5.1 allows remote authenticated users to cause a denial of service (out-of-bounds write and crash) or possibly execute arbitrary code via a (1) negative or (2) large property count in a BDF font file. Moderate CVE-2015-1802 SUSE bug 921978 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The bdfReadCharacters function in bitmap/bdfread.c in X.Org libXfont before 1.4.9 and 1.5.x before 1.5.1 does not properly handle character bitmaps it cannot read, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) and possibly execute arbitrary code via a crafted BDF font file. Moderate CVE-2015-1803 SUSE bug 921978 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The bdfReadCharacters function in bitmap/bdfread.c in X.Org libXfont before 1.4.9 and 1.5.x before 1.5.1 does not properly perform type conversion for metrics values, which allows remote authenticated users to cause a denial of service (out-of-bounds memory access) and possibly execute arbitrary code via a crafted BDF font file. Moderate CVE-2015-1804 SUSE bug 921978 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The (1) pipe_read and (2) pipe_write implementations in fs/pipe.c in the Linux kernel before 3.16 do not properly consider the side effects of failed __copy_to_user_inatomic and __copy_from_user_inatomic calls, which allows local users to cause a denial of service (system crash) or possibly gain privileges via a crafted application, aka an "I/O vector array overrun." Moderate CVE-2015-1805 SUSE bug 917839 SUSE bug 933429 SUSE bug 939270 SUSE bug 964730 SUSE bug 964732 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The xmlreader in libxml allows remote attackers to cause a denial of service (memory consumption) via crafted XML data, related to an XML Entity Expansion (XEE) attack. Moderate CVE-2015-1819 SUSE bug 1123919 SUSE bug 928193 SUSE OpenStack Cloud 5 The s3_token middleware in OpenStack keystonemiddleware before 1.6.0 and python-keystoneclient before 1.4.0 disables certification verification when the "insecure" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate, a different vulnerability than CVE-2014-7144. Moderate CVE-2015-1852 SUSE bug 928205 SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Moderate CVE-2015-1855 SUSE bug 926974 SUSE OpenStack Cloud 5 OpenStack Object Storage (Swift) before 2.3.0, when allow_version is configured, allows remote authenticated users to delete the latest version of an object by leveraging listing access to the x-versions-location container. Moderate CVE-2015-1856 SUSE bug 927793 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image. Moderate CVE-2015-1858 SUSE bug 921999 SUSE bug 927806 SUSE bug 927807 SUSE bug 927808 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image. Moderate CVE-2015-1859 SUSE bug 921999 SUSE bug 927806 SUSE bug 927807 SUSE bug 927808 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image. Moderate CVE-2015-1860 SUSE bug 921999 SUSE bug 927806 SUSE bug 927807 SUSE bug 927808 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA IBM Java 7 R1 before SR3, 7 before SR9, 6 R1 before SR8 FP4, 6 before SR16 FP4, and 5.0 before SR16 FP10 allows remote attackers to bypass "permission checks" and obtain sensitive information via vectors related to the Java Virtual Machine. Moderate CVE-2015-1914 SUSE bug 952088 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Moderate CVE-2015-1931 SUSE bug 937828 SUSE bug 938248 SUSE bug 938895 SUSE bug 939382 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA net/llc/sysctl_net_llc.c in the Linux kernel before 3.19 uses an incorrect data type in a sysctl table, which allows local users to obtain potentially sensitive information from kernel memory or possibly have unspecified other impact by accessing a sysctl entry. Moderate CVE-2015-2041 SUSE bug 903967 SUSE bug 919007 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA net/rds/sysctl.c in the Linux kernel before 3.19 uses an incorrect data type in a sysctl table, which allows local users to obtain potentially sensitive information from kernel memory or possibly have unspecified other impact by accessing a sysctl entry. Moderate CVE-2015-2042 SUSE bug 903967 SUSE bug 919018 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The emulation routines for unspecified X86 devices in Xen 3.2.x through 4.5.x does not properly initialize data, which allow local HVM guest users to obtain sensitive information via vectors involving an unsupported access size. Low CVE-2015-2044 SUSE bug 918995 SUSE bug 918998 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The HYPERVISOR_xen_version hypercall in Xen 3.2.x through 4.5.x does not properly initialize data structures, which allows local guest users to obtain sensitive information via unspecified vectors. Low CVE-2015-2045 SUSE bug 918998 SUSE Linux Enterprise Server 11 SP3-TERADATA The stringprep_utf8_to_ucs4 function in libin before 1.31, as used in jabberd2, allows context-dependent attackers to read system memory and possibly have other unspecified impact via invalid UTF-8 characters in a string, which triggers an out-of-bounds read. Low CVE-2015-2059 SUSE bug 919214 SUSE bug 923241 SUSE bug 937096 SUSE bug 937097 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Xen 3.3.x through 4.5.x and the Linux kernel through 3.19.1 do not properly restrict access to PCI command registers, which might allow local guest OS users to cause a denial of service (non-maskable interrupt and host crash) by disabling the (1) memory or (2) I/O decoding for a PCI Express device and then accessing the device, which triggers an Unsupported Request (UR) response. Moderate CVE-2015-2150 SUSE bug 800280 SUSE bug 903967 SUSE bug 919463 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The x86 emulator in Xen 3.2.x through 4.5.x does not properly ignore segment overrides for instructions with register operands, which allows local guest users to obtain sensitive information, cause a denial of service (memory corruption), or possibly execute arbitrary code via unspecified vectors. Moderate CVE-2015-2151 SUSE bug 918998 SUSE bug 919464 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The osi_print_cksum function in print-isoclns.c in the ethernet printer in tcpdump before 4.7.2 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted (1) length, (2) offset, or (3) base pointer checksum value. Moderate CVE-2015-2154 SUSE bug 922222 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The upx decoder in ClamAV before 0.98.7 allows remote attackers to cause a denial of service (crash) via a crafted file. Moderate CVE-2015-2170 SUSE bug 1040662 SUSE bug 921950 SUSE bug 922560 SUSE bug 929192 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA epan/dissectors/packet-wcp.c in the WCP dissector in Wireshark 1.10.x before 1.10.13 and 1.12.x before 1.12.4 does not properly initialize a data structure, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted packet that is improperly handled during decompression. Moderate CVE-2015-2188 SUSE bug 920696 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Off-by-one error in the pcapng_read function in wiretap/pcapng.c in the pcapng file parser in Wireshark 1.10.x before 1.10.13 and 1.12.x before 1.12.4 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via an invalid Interface Statistics Block (ISB) interface ID in a crafted packet. Moderate CVE-2015-2189 SUSE bug 920697 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in the dissect_tnef function in epan/dissectors/packet-tnef.c in the TNEF dissector in Wireshark 1.10.x before 1.10.13 and 1.12.x before 1.12.4 allows remote attackers to cause a denial of service (infinite loop) via a crafted length field in a packet. Moderate CVE-2015-2191 SUSE bug 920699 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA ClamAV before 0.98.7 allows remote attackers to cause a denial of service (infinite loop) via a crafted y0da cryptor file. Moderate CVE-2015-2221 SUSE bug 1040662 SUSE bug 921950 SUSE bug 922560 SUSE bug 929192 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA ClamAV before 0.98.7 allows remote attackers to cause a denial of service (crash) via a crafted petite packed file. Moderate CVE-2015-2222 SUSE bug 1040662 SUSE bug 921950 SUSE bug 922560 SUSE bug 929192 SUSE OpenStack Cloud 5 The resolve_redirects function in sessions.py in requests 2.1.0 through 2.5.3 allows remote attackers to conduct session fixation attacks via a cookie without a host value in a redirect. Moderate CVE-2015-2296 SUSE bug 922448 SUSE bug 926396 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in the phar_rename_archive function in phar_object.c in PHP before 5.5.22 and 5.6.x before 5.6.6 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger an attempted renaming of a Phar archive to the name of an existing file. Moderate CVE-2015-2301 SUSE bug 922452 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Absolute path traversal vulnerability in bsdcpio in libarchive 3.1.2 and earlier allows remote attackers to write to arbitrary files via a full pathname in an archive. Moderate CVE-2015-2304 SUSE bug 920870 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in the regcomp implementation in the Henry Spencer BSD regex library (aka rxspencer) alpha3.8.g5 on 32-bit platforms, as used in NetBSD through 6.1.5 and other products, might allow context-dependent attackers to execute arbitrary code via a large regular expression that leads to a heap-based buffer overflow. Moderate CVE-2015-2305 SUSE bug 1040662 SUSE bug 921950 SUSE bug 922022 SUSE bug 922028 SUSE bug 922030 SUSE bug 922043 SUSE bug 922560 SUSE bug 922567 SUSE bug 929192 SUSE bug 980366 SUSE OpenStack Cloud 5 The utils.html.strip_tags function in Django 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1, when using certain versions of Python, allows remote attackers to cause a denial of service (infinite loop) by increasing the length of the input string. Moderate CVE-2015-2316 SUSE bug 923172 SUSE OpenStack Cloud 5 The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a control character in a URL, as demonstrated by a \x08javascript: URL. Low CVE-2015-2317 SUSE bug 923176 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The TLS stack in Mono before 3.12.1 allows man-in-the-middle attackers to conduct message skipping attacks and consequently impersonate clients by leveraging missing handshake state validation, aka a "SMACK SKIP-TLS" issue. Moderate CVE-2015-2318 SUSE bug 921312 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The TLS stack in Mono before 3.12.1 makes it easier for remote attackers to conduct cipher-downgrade attacks to EXPORT_RSA ciphers via crafted TLS traffic, related to the "FREAK" issue, a different vulnerability than CVE-2015-0204. Moderate CVE-2015-2319 SUSE bug 921312 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The TLS stack in Mono before 3.12.1 allows remote attackers to have unspecified impact via vectors related to client-side SSLv2 fallback. Moderate CVE-2015-2320 SUSE bug 921312 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.6.22 and earlier allows remote authenticated users to affect availability via vectors related to DML. Important CVE-2015-2566 SUSE bug 927623 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Security : Privileges. Important CVE-2015-2567 SUSE bug 927623 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.41 and earlier, and 5.6.22 and earlier, allows remote attackers to affect availability via unknown vectors related to Server : Security : Privileges. Moderate CVE-2015-2568 SUSE bug 927623 SUSE bug 936409 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.42 and earlier, and 5.6.23 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server : Optimizer. Moderate CVE-2015-2571 SUSE bug 927623 SUSE bug 936408 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.41 and earlier, and 5.6.22 and earlier, allows remote authenticated users to affect availability via vectors related to DDL. Moderate CVE-2015-2573 SUSE bug 927623 SUSE bug 936409 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the MySQL Utilities component in Oracle MySQL 1.5.1 and earlier, when running on Windows, allows local users to affect integrity via unknown vectors related to Installation. Important CVE-2015-2576 SUSE bug 927623 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.43 and earlier and 5.6.24 and earlier allows remote authenticated users to affect availability via vectors related to GIS. Moderate CVE-2015-2582 SUSE bug 938412 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2015-4732. Important CVE-2015-2590 SUSE bug 937828 SUSE bug 938248 SUSE bug 938895 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, JRockit R28.3.6, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality via vectors related to JCE. Important CVE-2015-2601 SUSE bug 937828 SUSE bug 938248 SUSE bug 938895 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.6.24 and earlier allows remote authenticated users to affect availability via vectors related to DML. Moderate CVE-2015-2611 SUSE bug 938412 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u80 and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality via vectors related to JCE. Important CVE-2015-2613 SUSE bug 937828 SUSE bug 938248 SUSE bug 938895 SUSE bug 951727 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.6.24 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to Partition. Moderate CVE-2015-2617 SUSE bug 938412 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u80 and 8u45, JavaFX 2.2.80, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality via unknown vectors related to 2D. Important CVE-2015-2619 SUSE bug 937828 SUSE bug 938248 SUSE bug 938895 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.43 and earlier and 5.6.23 and earlier allows remote authenticated users to affect confidentiality via unknown vectors related to Server : Security : Privileges. Low CVE-2015-2620 SUSE bug 938412 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33, allows remote attackers to affect confidentiality via vectors related to JMX. Important CVE-2015-2621 SUSE bug 937828 SUSE bug 938248 SUSE bug 938895 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45; JRockit R28.3.6; and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality via vectors related to JSSE. Important CVE-2015-2625 SUSE bug 937828 SUSE bug 938248 SUSE bug 938895 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45 allows remote attackers to affect confidentiality via unknown vectors related to 2D. Important CVE-2015-2632 SUSE bug 937828 SUSE bug 938248 SUSE bug 938895 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45; JavaFX 2.2.80; and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality via unknown vectors related to 2D. Important CVE-2015-2637 SUSE bug 937828 SUSE bug 938248 SUSE bug 938895 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45; JavaFX 2.2.80; and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. Important CVE-2015-2638 SUSE bug 937828 SUSE bug 938248 SUSE bug 938895 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.6.24 and earlier allows remote authenticated users to affect integrity via unknown vectors related to Server : Security : Firewall. Moderate CVE-2015-2639 SUSE bug 938412 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.6.24 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Security : Privileges. Moderate CVE-2015-2641 SUSE bug 938412 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.43 and earlier and 5.6.24 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Optimizer. Moderate CVE-2015-2643 SUSE bug 938412 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.43 and earlier and 5.6.24 and earlier allows remote authenticated users to affect availability via vectors related to DML. Moderate CVE-2015-2648 SUSE bug 938412 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.6.24 and earlier allows local users to affect availability via unknown vectors related to Client. Moderate CVE-2015-2661 SUSE bug 938412 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. Important CVE-2015-2664 SUSE bug 937828 SUSE bug 938248 SUSE bug 938895 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA ClamAV before 0.98.7 allows remote attackers to cause a denial of service (infinite loop) via a crafted xz archive file. Moderate CVE-2015-2668 SUSE bug 1040662 SUSE bug 921950 SUSE bug 922560 SUSE bug 929192 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) before 1.14 relies on an inappropriate context handle, which allows remote attackers to cause a denial of service (incorrect pointer read and process crash) via a crafted SPNEGO packet that is mishandled during a gss_inquire_context call. Important CVE-2015-2695 SUSE bug 770172 SUSE bug 952188 SUSE bug 969771 SUSE Linux Enterprise Server 11 SP3-TERADATA The build_principal_va function in lib/krb5/krb/bld_princ.c in MIT Kerberos 5 (aka krb5) before 1.14 allows remote authenticated users to cause a denial of service (out-of-bounds read and KDC crash) via an initial '\0' character in a long realm field within a TGS request. Moderate CVE-2015-2697 SUSE bug 770172 SUSE bug 952190 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 38.0, Firefox ESR 31.x before 31.7, and Thunderbird before 31.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Important CVE-2015-2708 SUSE bug 930622 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 38.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Important CVE-2015-2709 SUSE bug 930622 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the SVGTextFrame class in Mozilla Firefox before 38.0, Firefox ESR 31.x before 31.7, and Thunderbird before 31.7 allows remote attackers to execute arbitrary code via crafted SVG graphics data in conjunction with a crafted Cascading Style Sheets (CSS) token sequence. Important CVE-2015-2710 SUSE bug 930622 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in the SetBreaks function in Mozilla Firefox before 38.0, Firefox ESR 31.x before 31.7, and Thunderbird before 31.7 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a document containing crafted text in conjunction with a Cascading Style Sheets (CSS) token sequence containing properties related to vertical text. Important CVE-2015-2713 SUSE bug 930622 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in the XML parser in Mozilla Firefox before 38.0, Firefox ESR 31.x before 31.7, and Thunderbird before 31.7 allows remote attackers to execute arbitrary code by providing a large amount of compressed XML data, a related issue to CVE-2015-1283. Moderate CVE-2015-2716 SUSE bug 930622 SUSE bug 939077 SUSE bug 980391 SUSE bug 983985 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Mozilla Network Security Services (NSS) before 3.19, as used in Mozilla Firefox before 39.0, Firefox ESR 31.x before 31.8 and 38.x before 38.1, Thunderbird before 38.1, and other products, does not properly determine state transitions for the TLS state machine, which allows man-in-the-middle attackers to defeat cryptographic protection mechanisms by blocking messages, as demonstrated by removing a forward-secrecy property by blocking a ServerKeyExchange message, aka a "SMACK SKIP-TLS" issue. Important CVE-2015-2721 SUSE bug 935979 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in the CanonicalizeXPCOMParticipant function in Mozilla Firefox before 39.0 and Firefox ESR 31.x before 31.8 and 38.x before 38.1 allows remote attackers to execute arbitrary code via vectors involving attachment of an XMLHttpRequest object to a shared worker. Important CVE-2015-2722 SUSE bug 935979 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 39.0, Firefox ESR 31.x before 31.8 and 38.x before 38.1, and Thunderbird before 38.1 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Important CVE-2015-2724 SUSE bug 935979 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 39.0, Firefox ESR 38.x before 38.1, and Thunderbird before 38.1 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Important CVE-2015-2725 SUSE bug 935979 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 39.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Important CVE-2015-2726 SUSE bug 935979 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The IndexedDatabaseManager class in the IndexedDB implementation in Mozilla Firefox before 39.0 and Firefox ESR 31.x before 31.8 and 38.x before 38.1 misinterprets an unspecified IDBDatabase field as a pointer, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unspecified vectors, related to a "type confusion" issue. Important CVE-2015-2728 SUSE bug 935979 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Mozilla Network Security Services (NSS) before 3.19.1, as used in Mozilla Firefox before 39.0, Firefox ESR 31.x before 31.8 and 38.x before 38.1, and other products, does not properly perform Elliptical Curve Cryptography (ECC) multiplications, which makes it easier for remote attackers to spoof ECDSA signatures via unspecified vectors. Important CVE-2015-2730 SUSE bug 935979 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in the CanonicalizeXPCOMParticipant function in Mozilla Firefox before 39.0 and Firefox ESR 31.x before 31.8 and 38.x before 38.1 allows remote attackers to execute arbitrary code via vectors involving attachment of an XMLHttpRequest object to a dedicated worker. Important CVE-2015-2733 SUSE bug 935979 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The CairoTextureClientD3D9::BorrowDrawTarget function in the Direct3D 9 implementation in Mozilla Firefox before 39.0, Firefox ESR 31.x before 31.8 and 38.x before 38.1, and Thunderbird before 38.1 reads data from uninitialized memory locations, which has unspecified impact and attack vectors. Important CVE-2015-2734 SUSE bug 935979 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA nsZipArchive.cpp in Mozilla Firefox before 39.0, Firefox ESR 31.x before 31.8 and 38.x before 38.1, and Thunderbird before 38.1 accesses unintended memory locations, which allows remote attackers to have an unspecified impact via a crafted ZIP archive. Important CVE-2015-2735 SUSE bug 935979 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The nsZipArchive::BuildFileList function in Mozilla Firefox before 39.0, Firefox ESR 31.x before 31.8 and 38.x before 38.1, and Thunderbird before 38.1 accesses unintended memory locations, which allows remote attackers to have an unspecified impact via a crafted ZIP archive. Important CVE-2015-2736 SUSE bug 935979 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The rx::d3d11::SetBufferData function in the Direct3D 11 implementation in Mozilla Firefox before 39.0, Firefox ESR 31.x before 31.8 and 38.x before 38.1, and Thunderbird before 38.1 reads data from uninitialized memory locations, which has unspecified impact and attack vectors. Important CVE-2015-2737 SUSE bug 935979 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The YCbCrImageDataDeserializer::ToDataSourceSurface function in the YCbCr implementation in Mozilla Firefox before 39.0, Firefox ESR 31.x before 31.8 and 38.x before 38.1, and Thunderbird before 38.1 reads data from uninitialized memory locations, which has unspecified impact and attack vectors. Important CVE-2015-2738 SUSE bug 935979 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The ArrayBufferBuilder::append function in Mozilla Firefox before 39.0, Firefox ESR 31.x before 31.8 and 38.x before 38.1, and Thunderbird before 38.1 accesses unintended memory locations, which has unspecified impact and attack vectors. Important CVE-2015-2739 SUSE bug 935979 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in the nsXMLHttpRequest::AppendToResponseText function in Mozilla Firefox before 39.0, Firefox ESR 31.x before 31.8 and 38.x before 38.1, and Thunderbird before 38.1 might allow remote attackers to cause a denial of service or have unspecified other impact via unknown vectors. Important CVE-2015-2740 SUSE bug 935979 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA PDF.js in Mozilla Firefox before 39.0 and Firefox ESR 31.x before 31.8 and 38.x before 38.1 enables excessive privileges for internal Workers, which might allow remote attackers to execute arbitrary code by leveraging a Same Origin Policy bypass. Important CVE-2015-2743 SUSE bug 935979 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Xen 4.3.x, 4.4.x, and 4.5.x, when using toolstack disaggregation, allows remote domains with partial management control to cause a denial of service (host lock) via unspecified domctl operations. Low CVE-2015-2751 SUSE bug 922709 SUSE bug 950367 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA QEMU, as used in Xen 3.3.x through 4.5.x, does not properly restrict access to PCI command registers, which might allow local HVM guest users to cause a denial of service (non-maskable interrupt and host crash) by disabling the (1) memory or (2) I/O decoding for a PCI Express device and then accessing the device, which triggers an Unsupported Request (UR) response. CVE-2015-2756 SUSE bug 922706 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Directory traversal vulnerability in GNU Mailman before 2.1.20, when not using a static alias, allows remote attackers to execute arbitrary files via a .. (dot dot) in a list name. Moderate CVE-2015-2775 SUSE bug 925502 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA ext/phar/phar.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allows remote attackers to obtain sensitive information from process memory or cause a denial of service (buffer over-read and application crash) via a crafted length value in conjunction with crafted serialized data in a phar archive, related to the phar_parse_metadata and phar_parse_pharfile functions. Moderate CVE-2015-2783 SUSE bug 928408 SUSE bug 928506 SUSE bug 928511 SUSE bug 931418 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages use of the unset function within an __wakeup function, a related issue to CVE-2015-0231. Important CVE-2015-2787 SUSE bug 924972 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Stack-based buffer overflow in asn1_der_decoding in libtasn1 before 4.4 allows remote attackers to have unspecified impact via unknown vectors. Moderate CVE-2015-2806 SUSE bug 924828 SUSE bug 929414 SUSE bug 961491 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the "Bar Mitzvah" issue. Important CVE-2015-2808 SUSE bug 925378 SUSE bug 938248 SUSE bug 938895 SUSE bug 952088 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA arch/x86/kernel/entry_64.S in the Linux kernel before 3.19.2 does not prevent the TS_COMPAT flag from reaching a user-mode task, which might allow local users to bypass the seccomp or audit protection mechanism via a crafted application that uses the (1) fork or (2) close system call, as demonstrated by an attack against seccomp before 3.16. Moderate CVE-2015-2830 SUSE bug 903967 SUSE bug 926240 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The ndisc_router_discovery function in net/ipv6/ndisc.c in the Neighbor Discovery (ND) protocol implementation in the IPv6 stack in the Linux kernel before 3.19.6 allows remote attackers to reconfigure a hop-limit setting via a small hop_limit value in a Router Advertisement (RA) message. Moderate CVE-2015-2922 SUSE bug 903967 SUSE bug 922583 SUSE bug 926223 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA cURL and libcurl 7.10.6 through 7.41.0 does not properly re-use NTLM connections, which allows remote attackers to connect as other users via an unauthenticated request, a similar issue to CVE-2014-0015. Moderate CVE-2015-3143 SUSE bug 927556 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA cURL and libcurl 7.10.6 through 7.41.0 do not properly re-use authenticated Negotiate connections, which allows remote attackers to connect as other users via a request. Moderate CVE-2015-3148 SUSE bug 1092962 SUSE bug 927746 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Oracle MySQL before 5.7.3, Oracle MySQL Connector/C (aka libmysqlclient) before 6.1.3, and MariaDB before 5.5.44 use the --ssl option to mean that SSL is optional, which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, aka a "BACKRONYM" attack. Moderate CVE-2015-3152 SUSE bug 1037590 SUSE bug 1047059 SUSE bug 1088681 SUSE bug 924663 SUSE bug 928962 SUSE bug 936407 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The default configuration for cURL and libcurl before 7.42.1 sends custom HTTP headers to both the proxy and destination server, which might allow remote proxy servers to obtain sensitive information by reading the header contents. Moderate CVE-2015-3153 SUSE bug 928533 SUSE bug 951391 SUSE OpenStack Cloud 5 The _write_config function in trove/guestagent/datastore/experimental/mongodb/service.py, reset_configuration function in trove/guestagent/datastore/experimental/postgresql/service/config.py, write_config function in trove/guestagent/datastore/experimental/redis/service.py, _write_mycnf function in trove/guestagent/datastore/mysql/service.py, InnoBackupEx::_run_prepare function in trove/guestagent/strategies/restore/mysql_impl.py, InnoBackupEx::cmd function in trove/guestagent/strategies/backup/mysql_impl.py, MySQLDump::cmd in trove/guestagent/strategies/backup/mysql_impl.py, InnoBackupExIncremental::cmd function in trove/guestagent/strategies/backup/mysql_impl.py, _get_actual_db_status function in trove/guestagent/datastore/experimental/cassandra/system.py and trove/guestagent/datastore/experimental/cassandra/service.py, and multiple class CbBackup methods in trove/guestagent/strategies/backup/experimental/couchbase_impl.py in Openstack DBaaS (aka Trove) as packaged in Openstack before 2015.1.0 (aka Kilo) allows local users to write to configuration files via a symlink attack on a temporary file. Low CVE-2015-3156 SUSE bug 929535 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Double free vulnerability in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 allows remote attackers to cause a denial of service (crash) by closing an SSL session at a time when the authentication timeout will expire during the session shutdown sequence. Moderate CVE-2015-3165 SUSE bug 931972 SUSE bug 931973 SUSE bug 931974 SUSE bug 932040 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Moderate CVE-2015-3166 SUSE bug 931972 SUSE bug 931973 SUSE bug 931974 SUSE bug 932040 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Moderate CVE-2015-3167 SUSE bug 931972 SUSE bug 931973 SUSE bug 931974 SUSE bug 932040 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The chunked transfer coding implementation in the Apache HTTP Server before 2.4.14 does not properly parse chunk headers, which allows remote attackers to conduct HTTP request smuggling attacks via a crafted request, related to mishandling of large chunk-size values and invalid chunk-extension characters in modules/http/http_filters.c. Moderate CVE-2015-3183 SUSE bug 938728 SUSE bug 948325 SUSE bug 949218 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The ASN1_TFLG_COMBINE implementation in crypto/asn1/tasn_dec.c in OpenSSL before 0.9.8zh, 1.0.0 before 1.0.0t, 1.0.1 before 1.0.1q, and 1.0.2 before 1.0.2e mishandles errors caused by malformed X509_ATTRIBUTE data, which allows remote attackers to obtain sensitive information from process memory by triggering a decoding failure in a PKCS#7 or CMS application. Moderate CVE-2015-3195 SUSE bug 923755 SUSE bug 957812 SUSE bug 957815 SUSE bug 958768 SUSE bug 963977 SUSE bug 986238 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 ssl/s2_srvr.c in OpenSSL 1.0.1 before 1.0.1r and 1.0.2 before 1.0.2f does not prevent use of disabled ciphers, which makes it easier for man-in-the-middle attackers to defeat cryptographic protection mechanisms by performing computations on SSLv2 traffic, related to the get_client_master_key and get_client_hello functions. Low CVE-2015-3197 SUSE bug 963410 SUSE bug 963415 SUSE bug 968044 SUSE bug 968046 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA fusermount in FUSE before 2.9.3-15 does not properly clear the environment before invoking (1) mount or (2) umount as root, which allows local users to write to arbitrary files via a crafted LIBMOUNT_MTAB environment variable that is used by mount's debugging feature. Moderate CVE-2015-3202 SUSE bug 931452 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the PCNET controller in QEMU allows remote attackers to execute arbitrary code by sending a packet with TXSTATUS_STARTPACKET set and then a crafted packet with TXSTATUS_DEVICEOWNS set. Important CVE-2015-3209 SUSE bug 932267 SUSE bug 932770 SUSE bug 932823 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The pit_ioport_read in i8254.c in the Linux kernel before 2.6.33 and QEMU before 2.3.1 does not distinguish between read lengths and write lengths, which might allow guest OS users to execute arbitrary code on the host OS by triggering use of an invalid index. Moderate CVE-2015-3214 SUSE bug 934069 SUSE bug 936025 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Race condition in a certain Red Hat patch to the PRNG lock implementation in the ssleay_rand_bytes function in OpenSSL, as distributed in openssl-1.0.1e-25.el7 in Red Hat Enterprise Linux (RHEL) 7 and other products, allows remote attackers to cause a denial of service (application crash) by establishing many TLS sessions to a multithreaded server, leading to use of a negative value for a certain length field. Moderate CVE-2015-3216 SUSE bug 933898 SUSE OpenStack Cloud 5 Cross-site scripting (XSS) vulnerability in the Orchestration/Stack section in OpenStack Dashboard (Horizon) 2014.2 before 2014.2.4 and 2015.1.x before 2015.1.1 allows remote attackers to inject arbitrary web script or HTML via the description parameter in a heat template, which is not properly handled in the help_text attribute in the Field class. Moderate CVE-2015-3219 SUSE bug 933722 SUSE OpenStack Cloud 5 OpenStack Neutron before 2014.2.4 (juno) and 2015.1.x before 2015.1.1 (kilo), when using the IPTables firewall driver, allows remote authenticated users to cause a denial of service (L2 agent crash) by adding an address pair that is rejected by the ipset tool. Moderate CVE-2015-3221 SUSE bug 935263 SUSE OpenStack Cloud 5 lib/rack/utils.rb in Rack before 1.5.4 and 1.6.x before 1.6.2, as used with Ruby on Rails 3.x and 4.x and other products, allows remote attackers to cause a denial of service (SystemStackError) via a request with a large parameter depth. Moderate CVE-2015-3225 SUSE bug 934797 SUSE OpenStack Cloud 5 Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active Support in Ruby on Rails 3.x and 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding. Moderate CVE-2015-3226 SUSE bug 934799 SUSE OpenStack Cloud 5 The (1) jdom.rb and (2) rexml.rb components in Active Support in Ruby on Rails before 4.1.11 and 4.2.x before 4.2.2, when JDOM or REXML is enabled, allow remote attackers to cause a denial of service (SystemStackError) via a large XML document depth. Moderate CVE-2015-3227 SUSE bug 934800 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Integer overflow in the gs_heap_alloc_bytes function in base/gsmalloc.c in Ghostscript 9.15 and earlier allows remote attackers to cause a denial of service (crash) via a crafted Postscript (ps) file, as demonstrated by using the ps2pdf command, which triggers an out-of-bounds read or write. Moderate CVE-2015-3228 SUSE bug 939342 SUSE Linux Enterprise Server 11 SP3-TERADATA The _unix_run_helper_binary function in the pam_unix module in Linux-PAM (aka pam) before 1.2.1, when unable to directly access passwords, allows local users to enumerate usernames or cause a denial of service (hang) via a large password. Moderate CVE-2015-3238 SUSE bug 1123794 SUSE bug 934920 SUSE OpenStack Cloud 5 OpenStack Compute (nova) 2015.1 through 2015.1.1, 2014.2.3, and earlier does not stop the migration process when the instance is deleted, which allows remote authenticated users to cause a denial of service (disk, network, and other resource consumption) by resizing and then deleting an instance. Moderate CVE-2015-3241 SUSE bug 935017 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Stack-based buffer overflow in the xl command line utility in Xen 4.1.x through 4.5.x allows local guest administrators to gain privileges via a long configuration argument. Moderate CVE-2015-3259 SUSE bug 935634 SUSE bug 936281 SUSE bug 937018 SUSE bug 950367 SUSE OpenStack Cloud 5 OpenStack Compute (nova) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) does not properly delete instances from compute nodes, which allows remote authenticated users to cause a denial of service (disk consumption) by deleting instances while in the resize state. Moderate CVE-2015-3280 SUSE bug 1000443 SUSE bug 944178 SUSE OpenStack Cloud 5 The buffer_slow_realign function in HAProxy 1.5.x before 1.5.14 and 1.6-dev does not properly realign a buffer that is used for pending outgoing data, which allows remote attackers to obtain sensitive information (uninitialized memory contents of previous requests) via a crafted request. Moderate CVE-2015-3281 SUSE bug 937042 SUSE bug 937202 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA mm/memory.c in the Linux kernel before 4.1.4 mishandles anonymous pages, which allows local users to gain privileges or cause a denial of service (page tainting) via a crafted application that triggers writing to page zero. Moderate CVE-2015-3288 SUSE bug 979021 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The tcp_request function in Dnsmasq before 2.73rc4 does not properly handle the return value of the setup_reply function, which allows remote attackers to read process memory and cause a denial of service (out-of-bounds read and crash) via a malformed DNS request. Moderate CVE-2015-3294 SUSE bug 923144 SUSE bug 928867 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in the rc_mksid function in plugins/radius/util.c in Paul's PPP Package (ppp) 2.4.6 and earlier, when the PID for pppd is greater than 65535, allows remote attackers to cause a denial of service (crash) via a start accounting message to the RADIUS server. Moderate CVE-2015-3310 SUSE bug 1149972 SUSE bug 927841 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple stack-based buffer overflows in the phar_set_inode function in phar_internal.h in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allow remote attackers to execute arbitrary code via a crafted length value in a (1) tar, (2) phar, or (3) ZIP archive. Moderate CVE-2015-3329 SUSE bug 928408 SUSE bug 928506 SUSE bug 928511 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The __driver_rfc4106_decrypt function in arch/x86/crypto/aesni-intel_glue.c in the Linux kernel before 3.19.3 does not properly determine the memory locations used for encrypted data, which allows context-dependent attackers to cause a denial of service (buffer overflow and system crash) or possibly execute arbitrary code by triggering a crypto API call, as demonstrated by use of a libkcapi test program with an AF_ALG(aead) socket. CVE-2015-3331 SUSE bug 927257 SUSE bug 931231 SUSE bug 939262 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Race condition in the prepare_binprm function in fs/exec.c in the Linux kernel before 3.19.6 allows local users to gain privileges by executing a setuid program at a time instant when a chown to root is in progress, and the ownership is changed but the setuid bit is not yet stripped. Moderate CVE-2015-3339 SUSE bug 903967 SUSE bug 928130 SUSE bug 939263 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA ntp-keygen in ntp 4.2.8px before 4.2.8p2-RC2 and 4.3.x before 4.3.12 does not generate MD5 keys with sufficient entropy on big endian machines when the lowest order byte of the temp variable is between 0x20 and 0x7f and not #, which might allow remote attackers to obtain the value of generated MD5 keys via a brute force attack with the 93 possible keys. Moderate CVE-2015-3405 SUSE bug 924202 SUSE bug 928321 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to read or write to arbitrary files via crafted input to an application that calls (1) a DOMDocument load method, (2) the xmlwriter_open_uri function, (3) the finfo_file function, or (4) the hash_hmac_file function, as demonstrated by a filename\0.xml attack that bypasses an intended configuration in which client users may read only .xml files. Moderate CVE-2015-3411 SUSE bug 935074 SUSE bug 935227 SUSE bug 935229 SUSE bug 935232 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to read arbitrary files via crafted input to an application that calls the stream_resolve_include_path function in ext/standard/streamsfuncs.c, as demonstrated by a filename\0.extension attack that bypasses an intended configuration in which client users may read files with only one specific extension. Moderate CVE-2015-3412 SUSE bug 935227 SUSE bug 935229 SUSE bug 935232 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The ProcPutImage function in dix/dispatch.c in X.Org Server (aka xserver and xorg-server) before 1.16.4 allows attackers to cause a denial of service (divide-by-zero and crash) via a zero-height PutImage request. Moderate CVE-2015-3418 SUSE bug 928520 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The Floppy Disk Controller (FDC) in QEMU, as used in Xen 4.5.x and earlier and KVM, allows local guest users to cause a denial of service (out-of-bounds write and guest crash) or possibly execute arbitrary code via the (1) FD_CMD_READ_ID, (2) FD_CMD_DRIVE_SPECIFICATION_COMMAND, or other unspecified commands, aka VENOM. Moderate CVE-2015-3456 SUSE bug 929339 SUSE bug 932770 SUSE bug 935900 SUSE Linux Enterprise Server 11 SP3-TERADATA The _asn1_extract_der_octet function in lib/decoding.c in GNU Libtasn1 before 4.5 allows remote attackers to cause a denial of service (out-of-bounds heap read) via a crafted certificate. Low CVE-2015-3622 SUSE bug 929414 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The ping_unhash function in net/ipv4/ping.c in the Linux kernel before 4.0.3 does not initialize a certain list data structure during an unhash operation, which allows local users to gain privileges or cause a denial of service (use-after-free and system crash) by leveraging the ability to make a SOCK_DGRAM socket system call for the IPPROTO_ICMP or IPPROTO_ICMPV6 protocol, and then making a connect system call after a disconnect. Moderate CVE-2015-3636 SUSE bug 929525 SUSE bug 939277 SUSE bug 994624 SUSE OpenStack Cloud 5 OpenStack Identity (Keystone) before 2014.1.5 and 2014.2.x before 2014.2.4 logs the backend_argument configuration option content, which allows remote authenticated users to obtain passwords and other sensitive backend information by reading the Keystone logs. Moderate CVE-2015-3646 SUSE bug 929628 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA epan/dissectors/packet-wcp.c in the WCP dissector in Wireshark 1.10.x before 1.10.14 and 1.12.x before 1.12.5 improperly refers to previously processed bytes, which allows remote attackers to cause a denial of service (application crash) via a crafted packet, a different vulnerability than CVE-2015-2188. Moderate CVE-2015-3811 SUSE bug 930689 SUSE bug 930691 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple memory leaks in the x11_init_protocol function in epan/dissectors/packet-x11.c in the X11 dissector in Wireshark 1.10.x before 1.10.14 and 1.12.x before 1.12.5 allow remote attackers to cause a denial of service (memory consumption) via a crafted packet. Moderate CVE-2015-3812 SUSE bug 930689 SUSE bug 930691 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The fragment_add_work function in epan/reassemble.c in the packet-reassembly feature in Wireshark 1.12.x before 1.12.5 does not properly determine the defragmentation state in a case of an insufficient snapshot length, which allows remote attackers to cause a denial of service (memory consumption) via a crafted packet. Moderate CVE-2015-3813 SUSE bug 930689 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The (1) dissect_tfs_request and (2) dissect_tfs_response functions in epan/dissectors/packet-ieee80211.c in the IEEE 802.11 dissector in Wireshark 1.10.x before 1.10.14 and 1.12.x before 1.12.5 interpret a zero value as a length rather than an error condition, which allows remote attackers to cause a denial of service (infinite loop) via a crafted packet. Moderate CVE-2015-3814 SUSE bug 930689 SUSE bug 930691 SUSE OpenStack Cloud 5 Multiple cross-site scripting (XSS) vulnerabilities in OpenStack Dashboard (Horizon) 2015.1.0 allow remote authenticated users to inject arbitrary web script or HTML via the metadata to a (1) Glance image, (2) Nova flavor or (3) Host Aggregate. Moderate CVE-2015-3988 SUSE bug 931437 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue. Moderate CVE-2015-4000 SUSE bug 1074631 SUSE bug 931600 SUSE bug 931698 SUSE bug 931723 SUSE bug 931845 SUSE bug 932026 SUSE bug 932483 SUSE bug 934789 SUSE bug 935033 SUSE bug 935540 SUSE bug 935979 SUSE bug 936168 SUSE bug 937202 SUSE bug 937724 SUSE bug 937766 SUSE bug 938248 SUSE bug 938432 SUSE bug 938895 SUSE bug 938905 SUSE bug 938906 SUSE bug 938913 SUSE bug 938945 SUSE bug 941696 SUSE bug 943664 SUSE bug 944729 SUSE bug 945582 SUSE bug 955589 SUSE bug 980406 SUSE bug 990592 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The phar_parse_tarfile function in ext/phar/tar.c in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 does not verify that the first character of a filename is different from the \0 character, which allows remote attackers to cause a denial of service (integer underflow and memory corruption) via a crafted entry in a tar archive. Moderate CVE-2015-4021 SUSE bug 931769 SUSE bug 935074 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in the ftp_genlist function in ext/ftp/ftp.c in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 allows remote FTP servers to execute arbitrary code via a long reply to a LIST command, leading to a heap-based buffer overflow. Moderate CVE-2015-4022 SUSE bug 931769 SUSE bug 931772 SUSE bug 935275 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Algorithmic complexity vulnerability in the multipart_buffer_headers function in main/rfc1867.c in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 allows remote attackers to cause a denial of service (CPU consumption) via crafted form data that triggers an improper order-of-growth outcome. Moderate CVE-2015-4024 SUSE bug 931421 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The pcntl_exec implementation in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 truncates a pathname upon encountering a \x00 character, which might allow remote attackers to bypass intended extension restrictions and execute files with unexpected names via a crafted first argument. NOTE: this vulnerability exists because of an incomplete fix for CVE-2006-7243. Moderate CVE-2015-4026 SUSE bug 931776 SUSE bug 935227 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The slirp_smb function in net/slirp.c in QEMU 2.3.0 and earlier creates temporary files with predictable names, which allows local users to cause a denial of service (instantiation failure) by creating /tmp/qemu-smb.*-* files before the program. Moderate CVE-2015-4037 SUSE bug 932267 SUSE bug 950367 SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Low CVE-2015-4041 SUSE bug 928749 SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Low CVE-2015-4042 SUSE bug 928749 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA racoon/gssapi.c in IPsec-Tools 0.8.2 allows remote attackers to cause a denial of service (NULL pointer dereference and IKE daemon crash) via a series of crafted UDP requests. Moderate CVE-2015-4047 SUSE bug 931989 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Xen 3.3.x through 4.5.x does not properly restrict write access to the host MSI message data field, which allows local x86 HVM guest administrators to cause a denial of service (host interrupt handling confusion) via vectors related to qemu and accessing spanning multiple fields. Moderate CVE-2015-4103 SUSE bug 931625 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Xen 3.3.x through 4.5.x does not properly restrict access to PCI MSI mask bits, which allows local x86 HVM guest users to cause a denial of service (unexpected interrupt and host crash) via unspecified vectors. Moderate CVE-2015-4104 SUSE bug 931626 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Xen 3.3.x through 4.5.x enables logging for PCI MSI-X pass-through error messages, which allows local x86 HVM guests to cause a denial of service (host disk consumption) via certain invalid operations. Moderate CVE-2015-4105 SUSE bug 931627 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA QEMU does not properly restrict write access to the PCI config space for certain PCI pass-through devices, which might allow local x86 HVM guests to gain privileges, cause a denial of service (host crash), obtain sensitive information, or possibly have other unspecified impact via unknown vectors. Moderate CVE-2015-4106 SUSE bug 931628 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Use-after-free vulnerability in the spl_ptr_heap_insert function in ext/spl/spl_heap.c in PHP before 5.5.27 and 5.6.x before 5.6.11 allows remote attackers to execute arbitrary code by triggering a failed SplMinHeap::compare operation. Moderate CVE-2015-4116 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The WPS UPnP function in hostapd, when using WPS AP, and wpa_supplicant, when using WPS external registrar (ER), 0.7.0 through 2.4 allows remote attackers to cause a denial of service (crash) via a negative chunk length, which triggers an out-of-bounds read or heap-based buffer overflow. Low CVE-2015-4141 SUSE bug 915323 SUSE bug 930077 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer underflow in the WMM Action frame parser in hostapd 0.5.5 through 2.4 and wpa_supplicant 0.7.0 through 2.4, when used for AP mode MLME/SME functionality, allows remote attackers to cause a denial of service (crash) via a crafted frame, which triggers an out-of-bounds read. Low CVE-2015-4142 SUSE bug 915323 SUSE bug 930078 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The do_soap_call function in ext/soap/soap.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 does not verify that the uri property is a string, which allows remote attackers to obtain sensitive information by providing crafted serialized data with an int data type, related to a "type confusion" issue. Moderate CVE-2015-4148 SUSE bug 933227 SUSE bug 935074 SUSE bug 935226 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA GNTTABOP_swap_grant_ref in Xen 4.2 through 4.5 does not check the grant table operation version, which allows local guest domains to cause a denial of service (NULL pointer dereference) via a hypercall without a GNTTABOP_setup_table or GNTTABOP_set_version. Moderate CVE-2015-4163 SUSE bug 932790 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The compat_iret function in Xen 3.1 through 4.5 iterates the wrong way through a loop, which allows local 32-bit PV guest administrators to cause a denial of service (large loop and system hang) via a hypercall_iret call with EFLAGS.VM set. Moderate CVE-2015-4164 SUSE bug 932996 SUSE bug 950367 SUSE Linux Enterprise Server 11 SP3 The udf_read_inode function in fs/udf/inode.c in the Linux kernel before 3.19.1 does not validate certain length values, which allows local users to cause a denial of service (incorrect data representation or integer overflow, and OOPS) via a crafted UDF filesystem. Moderate CVE-2015-4167 SUSE bug 917839 SUSE bug 933907 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA strongSwan 4.3.0 through 5.x before 5.3.2 and strongSwan VPN Client before 1.4.6, when using EAP or pre-shared keys for authenticating an IKEv2 connection, does not enforce server authentication restrictions until the entire authentication process is complete, which allows remote servers to obtain credentials by using a valid certificate and then reading the responses. Low CVE-2015-4171 SUSE bug 931845 SUSE bug 933591 SUSE OpenStack Cloud 5 ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Moderate CVE-2015-4410 SUSE bug 933961 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The chmd_init_decomp function in chmd.c in libmspack before 0.5 does not properly validate the reset interval, which allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted CHM file. Moderate CVE-2015-4467 SUSE bug 934524 SUSE bug 934525 SUSE bug 934529 SUSE bug 934533 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The chmd_read_headers function in chmd.c in libmspack before 0.5 does not validate name lengths, which allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted CHM file. Moderate CVE-2015-4469 SUSE bug 934524 SUSE bug 934526 SUSE bug 934529 SUSE bug 934533 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Off-by-one error in the inflate function in mszipd.c in libmspack before 0.5 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted CAB archive. Moderate CVE-2015-4470 SUSE bug 934527 SUSE bug 934533 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Off-by-one error in the lzxd_decompress function in lzxd.c in libmspack before 0.5 allows remote attackers to cause a denial of service (buffer under-read and application crash) via a crafted CAB archive. Moderate CVE-2015-4471 SUSE bug 934528 SUSE bug 934533 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Off-by-one error in the READ_ENCINT macro in chmd.c in libmspack before 0.5 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted CHM file. Moderate CVE-2015-4472 SUSE bug 934525 SUSE bug 934529 SUSE bug 934533 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 40.0 and Firefox ESR 38.x before 38.2 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Important CVE-2015-4473 SUSE bug 940806 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 40.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Important CVE-2015-4474 SUSE bug 940806 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The mozilla::AudioSink function in Mozilla Firefox before 40.0 and Firefox ESR 38.x before 38.2 mishandles inconsistent sample formats within MP3 audio data, which allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read) via a malformed file. Moderate CVE-2015-4475 SUSE bug 940806 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Mozilla Firefox before 40.0 and Firefox ESR 38.x before 38.2 do not impose certain ECMAScript 6 requirements on JavaScript object properties, which allows remote attackers to bypass the Same Origin Policy via the reviver parameter to the JSON.parse method. Moderate CVE-2015-4478 SUSE bug 940806 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple integer overflows in libstagefright in Mozilla Firefox before 40.0 and Firefox ESR 38.x before 38.2 allow remote attackers to execute arbitrary code via a crafted saio chunk in MPEG-4 video data. Important CVE-2015-4479 SUSE bug 940806 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The js::jit::AssemblerX86Shared::lock_addl function in the JavaScript implementation in Mozilla Firefox before 40.0 and Firefox ESR 38.x before 38.2 allows remote attackers to cause a denial of service (application crash) by leveraging the use of shared memory and accessing (1) an Atomics object or (2) a SharedArrayBuffer object. Moderate CVE-2015-4484 SUSE bug 940806 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the resize_context_buffers function in libvpx in Mozilla Firefox before 40.0 and Firefox ESR 38.x before 38.2 allows remote attackers to execute arbitrary code via malformed WebM video data. Important CVE-2015-4485 SUSE bug 940806 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The decrease_ref_count function in libvpx in Mozilla Firefox before 40.0 and Firefox ESR 38.x before 38.2 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read) via malformed WebM video data. Important CVE-2015-4486 SUSE bug 940806 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The nsTSubstring::ReplacePrep function in Mozilla Firefox before 40.0, Firefox ESR 38.x before 38.2, and Firefox OS before 2.2 might allow remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors, related to an "overflow." Moderate CVE-2015-4487 SUSE bug 940806 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in the StyleAnimationValue class in Mozilla Firefox before 40.0, Firefox ESR 38.x before 38.2, and Firefox OS before 2.2 allows remote attackers to have an unspecified impact by leveraging a StyleAnimationValue::operator self assignment. Moderate CVE-2015-4488 SUSE bug 940806 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The nsTArray_Impl class in Mozilla Firefox before 40.0, Firefox ESR 38.x before 38.2, and Firefox OS before 2.2 might allow remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging a self assignment. Moderate CVE-2015-4489 SUSE bug 940806 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in the make_filter_table function in pixops/pixops.c in gdk-pixbuf before 2.31.5, as used in Mozilla Firefox before 40.0 and Firefox ESR 38.x before 38.2 on Linux, Google Chrome on Linux, and other products, allows remote attackers to execute arbitrary code or cause a denial of service (heap-based buffer overflow and application crash) via crafted bitmap dimensions that are mishandled during scaling. Moderate CVE-2015-4491 SUSE bug 940806 SUSE bug 942801 SUSE bug 948790 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in the XMLHttpRequest::Open implementation in Mozilla Firefox before 40.0 and Firefox ESR 38.x before 38.2 might allow remote attackers to execute arbitrary code via a SharedWorker object that makes recursive calls to the open method of an XMLHttpRequest object. Moderate CVE-2015-4492 SUSE bug 940806 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The PDF reader in Mozilla Firefox before 39.0.3, Firefox ESR 38.x before 38.1.1, and Firefox OS before 2.2 allows remote attackers to bypass the Same Origin Policy, and read arbitrary files or gain privileges, via vectors involving crafted JavaScript code and a native setter, as exploited in the wild in August 2015. Important CVE-2015-4495 SUSE bug 940806 SUSE bug 940918 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Important CVE-2015-4500 SUSE bug 947003 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 41.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Important CVE-2015-4501 SUSE bug 947003 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in the vp9_init_context_buffers function in libvpx, as used in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3, allows remote attackers to execute arbitrary code via a crafted VP9 file. Moderate CVE-2015-4506 SUSE bug 947003 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in the HTMLVideoElement interface in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 allows remote attackers to execute arbitrary code via crafted JavaScript code that modifies the URI table of a media element, aka ZDI-CAN-3176. Important CVE-2015-4509 SUSE bug 947003 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the nestegg_track_codec_data function in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 allows remote attackers to execute arbitrary code via a crafted header in a WebM video. Moderate CVE-2015-4511 SUSE bug 947003 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 42.0 and Firefox ESR 38.x before 38.4 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Important CVE-2015-4513 SUSE bug 952810 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA NetworkUtils.cpp in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 might allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unknown vectors. Moderate CVE-2015-4517 SUSE bug 947003 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 allow user-assisted remote attackers to bypass intended access restrictions and discover a redirect's target URL via crafted JavaScript code that executes after a drag-and-drop action of an image into a TEXTBOX element. Moderate CVE-2015-4519 SUSE bug 947003 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 allow remote attackers to bypass CORS preflight protection mechanisms by leveraging (1) duplicate cache-key generation or (2) retrieval of a value from an incorrect HTTP Access-Control-* response header. Moderate CVE-2015-4520 SUSE bug 947003 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The ConvertDialogOptions function in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 might allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unknown vectors. Important CVE-2015-4521 SUSE bug 947003 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The nsUnicodeToUTF8::GetMaxLength function in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 might allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unknown vectors, related to an "overflow." Important CVE-2015-4522 SUSE bug 947003 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA PHP before 5.4.42, 5.5.x before 5.5.26, and 5.6.x before 5.6.10 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to read or write to arbitrary files via crafted input to an application that calls (1) a DOMDocument save method or (2) the GD imagepsloadfont function, as demonstrated by a filename\0.html attack that bypasses an intended configuration in which client users may write to only .html files. Moderate CVE-2015-4598 SUSE bug 935227 SUSE bug 935232 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The SoapFault::__toString method in ext/soap/soap.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allows remote attackers to obtain sensitive information, cause a denial of service (application crash), or possibly execute arbitrary code via an unexpected data type, related to a "type confusion" issue. Moderate CVE-2015-4599 SUSE bug 935074 SUSE bug 935226 SUSE bug 935234 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The SoapClient implementation in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an unexpected data type, related to "type confusion" issues in the (1) SoapClient::__getLastRequest, (2) SoapClient::__getLastResponse, (3) SoapClient::__getLastRequestHeaders, (4) SoapClient::__getLastResponseHeaders, (5) SoapClient::__getCookies, and (6) SoapClient::__setCookie methods. Moderate CVE-2015-4600 SUSE bug 935226 SUSE bug 935234 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA PHP before 5.6.7 might allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an unexpected data type, related to "type confusion" issues in (1) ext/soap/php_encoding.c, (2) ext/soap/php_http.c, and (3) ext/soap/soap.c, a different issue than CVE-2015-4600. Moderate CVE-2015-4601 SUSE bug 935226 SUSE bug 935234 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The __PHP_Incomplete_Class function in ext/standard/incomplete_class.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an unexpected data type, related to a "type confusion" issue. Critical CVE-2015-4602 SUSE bug 935074 SUSE bug 935224 SUSE bug 935226 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The exception::getTraceAsString function in Zend/zend_exceptions.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allows remote attackers to execute arbitrary code via an unexpected data type, related to a "type confusion" issue. Critical CVE-2015-4603 SUSE bug 935074 SUSE bug 935226 SUSE bug 935234 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA name.c in named in ISC BIND 9.7.x through 9.9.x before 9.9.7-P1 and 9.10.x before 9.10.2-P2, when configured as a recursive resolver with DNSSEC validation, allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) by constructing crafted zone data and then making a query for a name in that zone. Moderate CVE-2015-4620 SUSE bug 936476 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in the ftp_genlist function in ext/ftp/ftp.c in PHP before 5.4.42, 5.5.x before 5.5.26, and 5.6.x before 5.6.10 allows remote FTP servers to execute arbitrary code via a long reply to a LIST command, leading to a heap-based buffer overflow. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-4022. Critical CVE-2015-4643 SUSE bug 931769 SUSE bug 935074 SUSE bug 935275 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The php_pgsql_meta_data function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP before 5.4.42, 5.5.x before 5.5.26, and 5.6.x before 5.6.10 does not validate token extraction for table names, which might allow remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted name. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1352. Important CVE-2015-4644 SUSE bug 935074 SUSE bug 935274 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA epan/dissectors/packet-gsm_a_dtap.c in the GSM DTAP dissector in Wireshark 1.12.x before 1.12.6 does not properly validate digit characters, which allows remote attackers to cause a denial of service (application crash) via a crafted packet, related to the de_emerg_num_list and de_bcd_num functions. Low CVE-2015-4652 SUSE bug 935158 SUSE Linux Enterprise Server 11 SP3-TERADATA FreeRADIUS 2.2.x before 2.2.8 and 3.0.x before 3.0.9 does not properly check revocation of intermediate CA certificates. Moderate CVE-2015-4680 SUSE bug 935573 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The bpf_int_jit_compile function in arch/x86/net/bpf_jit_comp.c in the Linux kernel before 4.0.6 allows local users to cause a denial of service (system crash) by creating a packet filter and then loading crafted BPF instructions that trigger late convergence by the JIT compiler. Moderate CVE-2015-4700 SUSE bug 935705 SUSE bug 939273 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u80 and 8u45 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Deployment. Important CVE-2015-4729 SUSE bug 937828 SUSE bug 938248 SUSE bug 938895 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL 5.6.20 and earlier allows remote authenticated users to affect availability via unknown vectors related to Types. Moderate CVE-2015-4730 SUSE bug 951391 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45; Java SE Embedded 7u75; and Java SE Embedded 8u33 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JMX. Important CVE-2015-4731 SUSE bug 937828 SUSE bug 938248 SUSE bug 938895 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2015-2590. Important CVE-2015-4732 SUSE bug 937828 SUSE bug 938248 SUSE bug 938895 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to RMI. Important CVE-2015-4733 SUSE bug 937828 SUSE bug 938248 SUSE bug 938895 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS. Moderate CVE-2015-4734 SUSE bug 951376 SUSE bug 955131 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.43 and earlier, and 5.6.23 and earlier, allows remote authenticated users to affect confidentiality via unknown vectors related to Server : Pluggable Auth. Low CVE-2015-4737 SUSE bug 938412 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45; JRockit R28.3.6; and Java SE Embedded 7u75 and Embedded 8u33 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Security. Important CVE-2015-4748 SUSE bug 937828 SUSE bug 938248 SUSE bug 938895 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45; JRockit R28.3.6; and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect availability via vectors related to JNDI. Important CVE-2015-4749 SUSE bug 937828 SUSE bug 938248 SUSE bug 938895 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.43 and earlier and 5.6.24 and earlier allows remote authenticated users to affect availability via vectors related to Server : I_S. Moderate CVE-2015-4752 SUSE bug 938412 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.6.22 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : InnoDB, a different vulnerability than CVE-2015-0439. Moderate CVE-2015-4756 SUSE bug 938412 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.42 and earlier and 5.6.23 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Optimizer. Moderate CVE-2015-4757 SUSE bug 938412 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. Important CVE-2015-4760 SUSE bug 937828 SUSE bug 938248 SUSE bug 938895 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.6.24 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Memcached. Moderate CVE-2015-4761 SUSE bug 938412 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.6.25 and earlier allows local users to affect availability via unknown vectors related to Server : Security : Firewall. Moderate CVE-2015-4766 SUSE bug 951391 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.6.24 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Security : Firewall, a different vulnerability than CVE-2015-4769. Moderate CVE-2015-4767 SUSE bug 938412 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.6.24 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Security : Firewall, a different vulnerability than CVE-2015-4767. Moderate CVE-2015-4769 SUSE bug 938412 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.6.24 and earlier allows remote authenticated users to affect availability via vectors related to RBR. Moderate CVE-2015-4771 SUSE bug 938412 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.6.24 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Partition. Moderate CVE-2015-4772 SUSE bug 938412 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier and 5.6.26 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Partition, a different vulnerability than CVE-2015-4802. Moderate CVE-2015-4792 SUSE bug 951391 SUSE bug 958789 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.6.26 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Optimizer. Moderate CVE-2015-4800 SUSE bug 951391 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier and 5.6.26 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Partition, a different vulnerability than CVE-2015-4792. Moderate CVE-2015-4802 SUSE bug 951391 SUSE bug 958789 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allows remote attackers to affect availability via vectors related to JAXP, a different vulnerability than CVE-2015-4893 and CVE-2015-4911. Moderate CVE-2015-4803 SUSE bug 951376 SUSE bug 955131 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Serialization. Moderate CVE-2015-4805 SUSE bug 951376 SUSE bug 955131 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality and integrity via unknown vectors related to Libraries. Moderate CVE-2015-4806 SUSE bug 951376 SUSE bug 955131 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u85 and 8u60 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. Moderate CVE-2015-4810 SUSE bug 951376 SUSE bug 955131 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier and 5.6.26 and earlier allows remote authenticated users to affect availability via vectors related to Server : DDL. Moderate CVE-2015-4815 SUSE bug 951391 SUSE bug 958789 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.44 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : InnoDB. Moderate CVE-2015-4816 SUSE bug 951391 SUSE bug 958790 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.44 and earlier, and 5.6.25 and earlier, allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Client programs. Moderate CVE-2015-4819 SUSE bug 951391 SUSE bug 958790 SUSE bug 969667 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier and 5.6.26 and earlier allows remote authenticated users to affect confidentiality via unknown vectors related to Server : Types. Moderate CVE-2015-4826 SUSE bug 951391 SUSE bug 958789 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier and 5.6.26 and earlier allows remote authenticated users to affect integrity via unknown vectors related to Server : Security : Privileges. Moderate CVE-2015-4830 SUSE bug 951391 SUSE bug 958789 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.6.25 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Partition. Moderate CVE-2015-4833 SUSE bug 951391 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to CORBA, a different vulnerability than CVE-2015-4881. Moderate CVE-2015-4835 SUSE bug 951376 SUSE bug 955131 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier, and 5.6.26 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server : SP. Moderate CVE-2015-4836 SUSE bug 951391 SUSE bug 958789 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via unknown vectors related to 2D. Moderate CVE-2015-4840 SUSE bug 951376 SUSE bug 955131 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JAXP. Moderate CVE-2015-4842 SUSE bug 951376 SUSE bug 955131 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. Moderate CVE-2015-4843 SUSE bug 951376 SUSE bug 955131 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. Moderate CVE-2015-4844 SUSE bug 951376 SUSE bug 955131 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier, and 5.6.26 and earlier, allows remote authenticated users to affect availability via vectors related to DML, a different vulnerability than CVE-2015-4913. Moderate CVE-2015-4858 SUSE bug 951391 SUSE bug 958789 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to RMI, a different vulnerability than CVE-2015-4883. Moderate CVE-2015-4860 SUSE bug 951376 SUSE bug 955131 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier, and 5.6.26 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server : InnoDB. Moderate CVE-2015-4861 SUSE bug 951391 SUSE bug 958789 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.6.26 and earlier allows remote authenticated users to affect availability via vectors related to DML. Moderate CVE-2015-4862 SUSE bug 951391 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.43 and earlier and 5.6.24 and earlier allows remote authenticated users to affect integrity via unknown vectors related to Server : Security : Privileges. Moderate CVE-2015-4864 SUSE bug 951391 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : InnoDB. Moderate CVE-2015-4866 SUSE bug 951391 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier, and 5.6.26 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server : Parser. Moderate CVE-2015-4870 SUSE bug 951391 SUSE bug 958789 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 7u85 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Libraries. Moderate CVE-2015-4871 SUSE bug 951376 SUSE bug 955131 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allows remote attackers to affect integrity via unknown vectors related to Security. Moderate CVE-2015-4872 SUSE bug 951376 SUSE bug 955131 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.44 and earlier, and 5.6.25 and earlier, allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to DML. Moderate CVE-2015-4879 SUSE bug 951391 SUSE bug 958790 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect availability via vectors related to CORBA. Moderate CVE-2015-4882 SUSE bug 951376 SUSE bug 955131 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to RMI, a different vulnerability than CVE-2015-4860. Moderate CVE-2015-4883 SUSE bug 951376 SUSE bug 955131 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.6.26 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Replication. Moderate CVE-2015-4890 SUSE bug 951391 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allows remote attackers to affect availability via vectors related to JAXP, a different vulnerability than CVE-2015-4803 and CVE-2015-4911. Moderate CVE-2015-4893 SUSE bug 951376 SUSE bug 955131 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.6.25 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : InnoDB. Moderate CVE-2015-4895 SUSE bug 951391 SUSE bug 958790 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60 allows remote attackers to affect integrity via unknown vectors related to Deployment. Moderate CVE-2015-4902 SUSE bug 951376 SUSE bug 955131 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to RMI. Moderate CVE-2015-4903 SUSE bug 951376 SUSE bug 955131 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.6.25 and earlier allows remote authenticated users to affect availability via unknown vectors related to libmysqld. Moderate CVE-2015-4904 SUSE bug 951391 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier allows remote authenticated users to affect availability via vectors related to Server : DML. Moderate CVE-2015-4905 SUSE bug 951391 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.6.26 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Memcached. Moderate CVE-2015-4910 SUSE bug 951391 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allows remote attackers to affect availability via vectors related to JAXP, a different vulnerability than CVE-2015-4803 and CVE-2015-4893. Moderate CVE-2015-4911 SUSE bug 951376 SUSE bug 955131 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier and 5.6.26 and earlier allows remote authenticated users to affect availability via vectors related to Server : DML, a different vulnerability than CVE-2015-4858. Moderate CVE-2015-4913 SUSE bug 951391 SUSE bug 958789 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA IBM Java Security Components in IBM SDK, Java Technology Edition 8 before SR2, 7 R1 before SR3 FP20, 7 before SR9 FP20, 6 R1 before SR8 FP15, and 6 before SR16 FP15 allow physically proximate attackers to obtain sensitive information by reading the Kerberos Credential Cache. Moderate CVE-2015-5006 SUSE bug 955131 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The J9 JVM in IBM SDK, Java Technology Edition 6 before SR16 FP20, 6 R1 before SR8 FP20, 7 before SR9 FP30, and 7 R1 before SR3 FP30 allows remote attackers to obtain sensitive information or inject data by invoking non-public interface methods. Moderate CVE-2015-5041 SUSE bug 960402 SUSE bug 963937 SUSE OpenStack Cloud 5 The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys. Moderate CVE-2015-5143 SUSE bug 937522 SUSE OpenStack Cloud 5 Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an (1) email message to the EmailValidator, a (2) URL to the URLValidator, or unspecified vectors to the (3) validate_ipv4_address or (4) validate_slug validator. Moderate CVE-2015-5144 SUSE bug 937523 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the IDE subsystem in QEMU, as used in Xen 4.5.x and earlier, when the container has a CDROM drive enabled, allows local guest users to execute arbitrary code on the host via unspecified ATAPI commands. Moderate CVE-2015-5154 SUSE bug 938344 SUSE bug 950367 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The virtnet_probe function in drivers/net/virtio_net.c in the Linux kernel before 4.2 attempts to support a FRAGLIST feature without proper memory allocation, which allows guest OS users to cause a denial of service (buffer overflow and memory corruption) via a crafted sequence of fragmented packets. Moderate CVE-2015-5156 SUSE bug 1091815 SUSE bug 1123903 SUSE bug 940776 SUSE bug 945048 SUSE bug 951638 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA arch/x86/entry/entry_64.S in the Linux kernel before 4.1.6 on the x86_64 platform mishandles IRET faults in processing NMIs that occurred during userspace execution, which might allow local users to gain privileges by triggering an NMI. Moderate CVE-2015-5157 SUSE bug 937969 SUSE bug 937970 SUSE bug 938706 SUSE bug 939207 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The C+ mode offload emulation in the RTL8139 network card device model in QEMU, as used in Xen 4.5.x and earlier, allows remote attackers to read process heap memory via unspecified vectors. Moderate CVE-2015-5165 SUSE bug 939712 SUSE bug 950367 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in QEMU in Xen 4.5.x and earlier does not completely unplug emulated block devices, which allows local HVM guest users to gain privileges by unplugging a block device twice. Moderate CVE-2015-5166 SUSE bug 939709 SUSE bug 950367 SUSE Linux Enterprise Server 11 SP3-TERADATA Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory. Moderate CVE-2015-5174 SUSE bug 967967 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA res_query in libresolv in glibc before 2.25 allows remote attackers to cause a denial of service (NULL pointer dereference and process crash). Low CVE-2015-5180 SUSE bug 941234 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The lookupProviders function in providerMgr.c in sblim-sfcb 1.3.4 and 1.3.18 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty className in a packet. Moderate CVE-2015-5185 SUSE bug 942628 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The log_config_command function in ntp_parser.y in ntpd in NTP before 4.2.7p42 allows remote attackers to cause a denial of service (ntpd crash) via crafted logconfig commands. Low CVE-2015-5194 SUSE bug 943216 SUSE bug 943218 SUSE bug 943219 SUSE bug 943221 SUSE bug 959243 SUSE Linux Enterprise Server 11 SP3-TERADATA Double free vulnerability in the jasper_image_stop_load function in JasPer 1.900.17 allows remote attackers to cause a denial of service (crash) via a crafted JPEG 2000 image file. Important CVE-2015-5203 SUSE bug 941919 SUSE bug 942553 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The ULOGTOD function in ntp.d in SNTP before 4.2.7p366 does not properly perform type conversions from a precision value to a double, which allows remote attackers to cause a denial of service (infinite loop) via a crafted NTP packet. Low CVE-2015-5219 SUSE bug 1010964 SUSE bug 943216 SUSE bug 943218 SUSE bug 943219 SUSE bug 943221 SUSE bug 959243 SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in the mif_process_cmpt function in libjasper/mif/mif_cod.c in the JasPer JPEG-2000 library before 1.900.2 allows remote attackers to cause a denial of service (crash) via a crafted JPEG 2000 image file. Important CVE-2015-5221 SUSE bug 942553 SUSE OpenStack Cloud 5 OpenStack Object Storage (Swift) before 2.4.0 allows attackers to obtain sensitive information via a PUT tempurl and a DLO object manifest that references an object in another container. Moderate CVE-2015-5223 SUSE bug 942641 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Moderate CVE-2015-5239 SUSE bug 944463 SUSE bug 950367 SUSE OpenStack Cloud 5 Race condition in OpenStack Neutron before 2014.2.4 and 2015.1 before 2015.1.2, when using the ML2 plugin or the security groups AMQP API, allows remote authenticated users to bypass IP anti-spoofing controls by changing the device owner of a port to start with network: before the security group rules are applied. Moderate CVE-2015-5240 SUSE bug 943648 SUSE OpenStack Cloud 5 OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allow remote authenticated users to change the status of their images and bypass access restrictions via the HTTP x-image-meta-status header to images/*. Moderate CVE-2015-5251 SUSE bug 945994 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA vfs.c in smbd in Samba 3.x and 4.x before 4.1.22, 4.2.x before 4.2.7, and 4.3.x before 4.3.3, when share names with certain substring relationships exist, allows remote attackers to bypass intended file-access restrictions via a symlink that points outside of a share. Important CVE-2015-5252 SUSE bug 958582 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The std::random_device class in libstdc++ in the GNU Compiler Collection (aka GCC) before 4.9.4 does not properly handle short reads from blocking sources, which makes it easier for context-dependent attackers to predict the random values via unspecified vectors. Low CVE-2015-5276 SUSE bug 945842 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Moderate CVE-2015-5278 SUSE bug 945989 SUSE bug 964947 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the ne2000_receive function in hw/net/ne2000.c in QEMU before 2.4.0.1 allows guest OS users to cause a denial of service (instance crash) or possibly execute arbitrary code via vectors related to receiving packets. Moderate CVE-2015-5279 SUSE bug 945987 SUSE OpenStack Cloud 5 OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allows remote authenticated users to bypass the storage quota and cause a denial of service (disk consumption) by deleting images that are being uploaded using a token that expires during the process. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-9623. Moderate CVE-2015-5286 SUSE bug 947735 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The crypt function in contrib/pgcrypto in PostgreSQL before 9.0.23, 9.1.x before 9.1.19, 9.2.x before 9.2.14, 9.3.x before 9.3.10, and 9.4.x before 9.4.5 allows attackers to cause a denial of service (server crash) or read arbitrary server memory via a "too-short" salt. Moderate CVE-2015-5288 SUSE bug 949669 SUSE bug 949670 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple stack-based buffer overflows in json parsing in PostgreSQL before 9.3.x before 9.3.10 and 9.4.x before 9.4.5 allow attackers to cause a denial of service (server crash) via unspecified vectors, which are not properly handled in (1) json or (2) jsonb values. Moderate CVE-2015-5289 SUSE bug 949669 SUSE bug 949670 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Samba 3.x and 4.x before 4.1.22, 4.2.x before 4.2.7, and 4.3.x before 4.3.3 supports connections that are encrypted but unsigned, which allows man-in-the-middle attackers to conduct encrypted-to-unencrypted downgrade attacks by modifying the client-server data stream, related to clidfs.c, libsmb_server.c, and smbXcli_base.c. Moderate CVE-2015-5296 SUSE bug 1058622 SUSE bug 958584 SUSE bug 973031 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The shadow_copy2_get_shadow_copy_data function in modules/vfs_shadow_copy2.c in Samba 3.x and 4.x before 4.1.22, 4.2.x before 4.2.7, and 4.3.x before 4.3.3 does not verify that the DIRECTORY_LIST access right has been granted, which allows remote attackers to access snapshots by visiting a shadow copy directory. Moderate CVE-2015-5299 SUSE bug 958583 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The panic_gate check in NTP before 4.2.8p5 is only re-enabled after the first change to the system clock that was greater than 128 milliseconds by default, which allows remote attackers to set NTP to an arbitrary time when started with the -g option, or to alter the time by up to 900 seconds otherwise by responding to an unspecified number of requests from trusted sources, and leveraging a resulting denial of service (abort and restart). Moderate CVE-2015-5300 SUSE bug 951629 SUSE bug 959243 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a denial of service (host OS panic or hang) by triggering many #AC (aka Alignment Check) exceptions, related to svm.c and vmx.c. Moderate CVE-2015-5307 SUSE bug 953527 SUSE bug 954018 SUSE bug 954404 SUSE bug 954405 SUSE bug 962977 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.3 does not properly prevent entity expansion, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data, a different vulnerability than CVE-2014-3660. Moderate CVE-2015-5312 SUSE bug 1123919 SUSE bug 957105 SUSE bug 959469 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA ldb before 1.1.24, as used in the AD LDAP server in Samba 4.x before 4.1.22, 4.2.x before 4.2.7, and 4.3.x before 4.3.3, mishandles string lengths, which allows remote attackers to obtain sensitive information from daemon heap memory by sending crafted packets and then reading (1) an error message or (2) a database value. Moderate CVE-2015-5330 SUSE bug 958581 SUSE bug 958586 SUSE Linux Enterprise Server 11 SP3-TERADATA The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character. Moderate CVE-2015-5345 SUSE bug 967965 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The x11_open_helper function in channels.c in ssh in OpenSSH before 6.9, when ForwardX11Trusted mode is not used, lacks a check of the refusal deadline for X connections, which makes it easier for remote attackers to bypass intended access restrictions via a connection outside of the permitted time window. Moderate CVE-2015-5352 SUSE bug 1074631 SUSE bug 1138392 SUSE bug 936695 SUSE bug 938277 SUSE bug 948086 SUSE bug 996040 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The (1) udp_recvmsg and (2) udpv6_recvmsg functions in the Linux kernel before 4.0.6 do not properly consider yielding a processor, which allows remote attackers to cause a denial of service (system hang) via incorrect checksums within a UDP packet flood. Moderate CVE-2015-5364 SUSE bug 781018 SUSE bug 936831 SUSE bug 939276 SUSE bug 945112 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The (1) udp_recvmsg and (2) udpv6_recvmsg functions in the Linux kernel before 4.0.6 provide inappropriate -EAGAIN return values, which allows remote attackers to cause a denial of service (EPOLLET epoll application read outage) via an incorrect checksum in a UDP packet, a different vulnerability than CVE-2015-5364. Moderate CVE-2015-5366 SUSE bug 781018 SUSE bug 936831 SUSE bug 939276 SUSE bug 945112 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 does not properly implement the DCE-RPC layer, which allows remote attackers to perform protocol-downgrade attacks, cause a denial of service (application crash or CPU consumption), or possibly execute arbitrary code on a client system via unspecified vectors. Important CVE-2015-5370 SUSE bug 936862 SUSE bug 975276 SUSE Linux Enterprise Server 11 SP3-TERADATA Squid before 3.5.6 does not properly handle CONNECT method peer responses when configured with cache_peer, which allows remote attackers to bypass intended restrictions and gain access to a backend proxy via a CONNECT request. Moderate CVE-2015-5400 SUSE bug 938715 SUSE bug 967073 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA named in ISC BIND 9.x before 9.9.7-P2 and 9.10.x before 9.10.2-P3 allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) via TKEY queries. Moderate CVE-2015-5477 SUSE bug 1000362 SUSE bug 939567 SUSE bug 980168 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The phar_convert_to_other function in ext/phar/phar_object.c in PHP before 5.4.43, 5.5.x before 5.5.27, and 5.6.x before 5.6.11 does not validate a file pointer before a close operation, which allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted TAR archive that is mishandled in a Phar::convertToData call. Moderate CVE-2015-5589 SUSE bug 935074 SUSE bug 938721 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Stack-based buffer overflow in the phar_fix_filepath function in ext/phar/phar.c in PHP before 5.4.43, 5.5.x before 5.5.27, and 5.6.x before 5.6.11 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large length value, as demonstrated by mishandling of an e-mail attachment by the imap PHP extension. Moderate CVE-2015-5590 SUSE bug 935074 SUSE bug 938719 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection, which makes it easier for remote attackers to conduct brute-force attacks or cause a denial of service (CPU consumption) via a long and duplicative list in the ssh -oKbdInteractiveDevices option, as demonstrated by a modified client that provides a different password for each pam element on this list. Moderate CVE-2015-5600 SUSE bug 1009988 SUSE bug 1074631 SUSE bug 1138392 SUSE bug 938746 SUSE bug 943006 SUSE bug 943007 SUSE bug 943010 SUSE bug 943504 SUSE bug 945985 SUSE bug 948086 SUSE bug 954457 SUSE bug 957883 SUSE bug 996040 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The snmp_pdu_parse function in snmp_api.c in net-snmp 5.7.2 and earlier does not remove the varBind variable in a netsnmp_variable_list item when parsing of the SNMP PDU fails, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted packet. Moderate CVE-2015-5621 SUSE bug 1111123 SUSE bug 940188 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in the sg_start_req function in drivers/scsi/sg.c in the Linux kernel 2.6.x through 4.x before 4.1 allows local users to cause a denial of service or possibly have unspecified other impact via a large iov_count value in a write request. Moderate CVE-2015-5707 SUSE bug 923755 SUSE bug 940338 SUSE bug 940342 SUSE bug 963994 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA buffer.c in named in ISC BIND 9.x before 9.9.7-P3 and 9.10.x before 9.10.2-P4 allows remote attackers to cause a denial of service (assertion failure and daemon exit) by creating a zone containing a malformed DNSSEC key and issuing a query for a name in that zone. Important CVE-2015-5722 SUSE bug 944066 SUSE bug 944107 SUSE bug 954983 SUSE bug 958861 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Low CVE-2015-5745 SUSE bug 940929 SUSE bug 950367 SUSE OpenStack Cloud 5 contrib.sessions.middleware.SessionMiddleware in Django 1.8.x before 1.8.4, 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions allows remote attackers to cause a denial of service (session store consumption or session record removal) via a large number of requests to contrib.auth.views.logout, which triggers the creation of an empty session record. Moderate CVE-2015-5963 SUSE bug 941587 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The proto_tree_add_bytes_item function in epan/proto.c in the protocol-tree implementation in Wireshark 1.12.x before 1.12.7 does not properly terminate a data structure after a failure to locate a number within a string, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. Moderate CVE-2015-6241 SUSE bug 941500 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The wmem_block_split_free_chunk function in epan/wmem/wmem_allocator_block.c in the wmem block allocator in the memory manager in Wireshark 1.12.x before 1.12.7 does not properly consider a certain case of multiple realloc operations that restore a memory chunk to its original size, which allows remote attackers to cause a denial of service (incorrect free operation and application crash) via a crafted packet. Moderate CVE-2015-6242 SUSE bug 941500 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The dissector-table implementation in epan/packet.c in Wireshark 1.12.x before 1.12.7 mishandles table searches for empty strings, which allows remote attackers to cause a denial of service (application crash) via a crafted packet, related to the (1) dissector_get_string_handle and (2) dissector_get_default_string_handle functions. Moderate CVE-2015-6243 SUSE bug 941500 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The dissect_zbee_secure function in epan/dissectors/packet-zbee-security.c in the ZigBee dissector in Wireshark 1.12.x before 1.12.7 improperly relies on length fields contained in packet data, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. Moderate CVE-2015-6244 SUSE bug 941500 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA epan/dissectors/packet-gsm_rlcmac.c in the GSM RLC/MAC dissector in Wireshark 1.12.x before 1.12.7 uses incorrect integer data types, which allows remote attackers to cause a denial of service (infinite loop) via a crafted packet. Moderate CVE-2015-6245 SUSE bug 941500 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The dissect_wa_payload function in epan/dissectors/packet-waveagent.c in the WaveAgent dissector in Wireshark 1.12.x before 1.12.7 mishandles large tag values, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. Moderate CVE-2015-6246 SUSE bug 941500 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The dissect_openflow_tablemod_v5 function in epan/dissectors/packet-openflow_v5.c in the OpenFlow dissector in Wireshark 1.12.x before 1.12.7 does not validate a certain offset value, which allows remote attackers to cause a denial of service (infinite loop) via a crafted packet. Moderate CVE-2015-6247 SUSE bug 941500 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The ptvcursor_add function in the ptvcursor implementation in epan/proto.c in Wireshark 1.12.x before 1.12.7 does not check whether the expected amount of data is available, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. Moderate CVE-2015-6248 SUSE bug 941500 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The dissect_wccp2r1_address_table_info function in epan/dissectors/packet-wccp.c in the WCCP dissector in Wireshark 1.12.x before 1.12.7 does not prevent the conflicting use of a table for both IPv4 and IPv6 addresses, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. Moderate CVE-2015-6249 SUSE bug 941500 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The vhost_dev_ioctl function in drivers/vhost/vhost.c in the Linux kernel before 4.1.5 allows local users to cause a denial of service (memory consumption) via a VHOST_SET_LOG_FD ioctl call that triggers permanent file-descriptor allocation. Low CVE-2015-6252 SUSE bug 942367 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The monitor component in sshd in OpenSSH before 7.0 on non-OpenBSD platforms accepts extraneous username data in MONITOR_REQ_PAM_INIT_CTX requests, which allows local users to conduct impersonation attacks by leveraging any SSH login access in conjunction with control of the sshd uid to send a crafted MONITOR_REQ_PWNAM request, related to monitor.c and monitor_wrap.c. Moderate CVE-2015-6563 SUSE bug 1074631 SUSE bug 943006 SUSE bug 943007 SUSE bug 943010 SUSE bug 948086 SUSE bug 996040 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in the mm_answer_pam_free_ctx function in monitor.c in sshd in OpenSSH before 7.0 on non-OpenBSD platforms might allow local users to gain privileges by leveraging control of the sshd uid to send an unexpectedly early MONITOR_REQ_PAM_FREE_CTX request. Moderate CVE-2015-6564 SUSE bug 1074631 SUSE bug 1138392 SUSE bug 942850 SUSE bug 943006 SUSE bug 943007 SUSE bug 943010 SUSE bug 948086 SUSE bug 996040 SUSE Linux Enterprise Server 11 SP3-TERADATA The MScrollV function in ansi.c in GNU screen 4.3.1 and earlier does not properly limit recursion, which allows remote attackers to cause a denial of service (stack consumption) via an escape sequence with a large repeat count value. Low CVE-2015-6806 SUSE bug 944458 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Low CVE-2015-6815 SUSE bug 944697 SUSE bug 950367 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple use-after-free vulnerabilities in SPL in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 allow remote attackers to execute arbitrary code via vectors involving (1) ArrayObject, (2) SplObjectStorage, and (3) SplDoublyLinkedList, which are mishandled during unserialization. Moderate CVE-2015-6831 SUSE bug 942291 SUSE bug 942294 SUSE bug 942295 SUSE bug 945188 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Directory traversal vulnerability in the PharData class in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 allows remote attackers to write to arbitrary files via a .. (dot dot) in a ZIP archive entry that is mishandled during an extractTo call. Moderate CVE-2015-6833 SUSE bug 942296 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The SoapClient __call method in ext/soap/soap.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 does not properly manage headers, which allows remote attackers to execute arbitrary code via crafted serialized data that triggers a "type confusion" in the serialize_function_call function. Moderate CVE-2015-6836 SUSE bug 945428 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The xsl_ext_function_php function in ext/xsl/xsltprocessor.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13, when libxml2 before 2.9.2 is used, does not consider the possibility of a NULL valuePop return value before proceeding with a free operation during initial error checking, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted XML document, a different vulnerability than CVE-2015-6838. Moderate CVE-2015-6837 SUSE bug 945412 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The xsl_ext_function_php function in ext/xsl/xsltprocessor.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13, when libxml2 before 2.9.2 is used, does not consider the possibility of a NULL valuePop return value before proceeding with a free operation after the principal argument loop, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted XML document, a different vulnerability than CVE-2015-6837. Moderate CVE-2015-6838 SUSE bug 945412 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA hw/ide/core.c in QEMU does not properly restrict the commands accepted by an ATAPI device, which allows guest users to cause a denial of service or possibly have unspecified other impact via certain IDE commands, as demonstrated by a WIN_READ_NATIVE_MAX command to an empty drive, which triggers a divide-by-zero error and instance crash. Low CVE-2015-6855 SUSE bug 945404 SUSE bug 965156 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The ber_get_next function in libraries/liblber/io.c in OpenLDAP 2.4.42 and earlier allows remote attackers to cause a denial of service (reachable assertion and application crash) via crafted BER data, as demonstrated by an attack against slapd. Important CVE-2015-6908 SUSE bug 945582 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The __rds_conn_create function in net/rds/connection.c in the Linux kernel through 4.2.3 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by using a socket that was not properly bound. Moderate CVE-2015-6937 SUSE bug 923755 SUSE bug 945825 SUSE bug 952384 SUSE bug 953052 SUSE bug 963994 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The nsAttrAndChildArray::GrowBy function in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 might allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unknown vectors, related to an "overflow." Important CVE-2015-7174 SUSE bug 947003 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The XULContentSinkImpl::AddText function in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 might allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unknown vectors, related to an "overflow." Important CVE-2015-7175 SUSE bug 947003 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The AnimationThread function in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 uses an incorrect argument to the sscanf function, which might allow remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact via unknown vectors. Important CVE-2015-7176 SUSE bug 947003 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The InitTextures function in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 might allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unknown vectors. Important CVE-2015-7177 SUSE bug 947003 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The ReadbackResultWriterD3D11::Run function in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 misinterprets the return value of a function call, which might allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unknown vectors. Important CVE-2015-7180 SUSE bug 947003 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The sec_asn1d_parse_leaf function in Mozilla Network Security Services (NSS) before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0 and Firefox ESR 38.x before 38.4 and other products, improperly restricts access to an unspecified data structure, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted OCTET STRING data, related to a "use-after-poison" issue. Critical CVE-2015-7181 SUSE bug 952810 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the ASN.1 decoder in Mozilla Network Security Services (NSS) before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0 and Firefox ESR 38.x before 38.4 and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted OCTET STRING data. Critical CVE-2015-7182 SUSE bug 952810 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in the PL_ARENA_ALLOCATE implementation in Netscape Portable Runtime (NSPR) in Mozilla Network Security Services (NSS) before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0 and Firefox ESR 38.x before 38.4 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unspecified vectors. Critical CVE-2015-7183 SUSE bug 952810 SUSE bug 962977 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Mozilla Firefox before 42.0 and Firefox ESR 38.x before 38.4 allow remote attackers to bypass the Same Origin Policy for an IP address origin, and conduct cross-site scripting (XSS) attacks, by appending whitespace characters to an IP address string. Moderate CVE-2015-7188 SUSE bug 952810 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Race condition in the JPEGEncoder function in Mozilla Firefox before 42.0 and Firefox ESR 38.x before 38.4 allows remote attackers to execute arbitrary code or cause a denial of service (heap-based buffer overflow) via vectors involving a CANVAS element and crafted JavaScript code. Moderate CVE-2015-7189 SUSE bug 952810 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Mozilla Firefox before 42.0 and Firefox ESR 38.x before 38.4 improperly follow the CORS cross-origin request algorithm for the POST method in situations involving an unspecified Content-Type header manipulation, which allows remote attackers to bypass the Same Origin Policy by leveraging the lack of a preflight-request step. Moderate CVE-2015-7193 SUSE bug 952810 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer underflow in libjar in Mozilla Firefox before 42.0 and Firefox ESR 38.x before 38.4 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted ZIP archive. Moderate CVE-2015-7194 SUSE bug 952810 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Mozilla Firefox before 42.0 and Firefox ESR 38.x before 38.4, when a Java plugin is enabled, allow remote attackers to cause a denial of service (incorrect garbage collection and application crash) or possibly execute arbitrary code via a crafted Java applet that deallocates an in-use JavaScript wrapper. Moderate CVE-2015-7196 SUSE bug 952810 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Mozilla Firefox before 42.0 and Firefox ESR 38.x before 38.4 improperly control the ability of a web worker to create a WebSocket object, which allows remote attackers to bypass intended mixed-content restrictions via crafted JavaScript code. Moderate CVE-2015-7197 SUSE bug 952810 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in the rx::TextureStorage11 class in ANGLE, as used in Mozilla Firefox before 42.0 and Firefox ESR 38.x before 38.4, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted texture data. Important CVE-2015-7198 SUSE bug 952810 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The (1) AddWeightedPathSegLists and (2) SVGPathSegListSMILType::Interpolate functions in Mozilla Firefox before 42.0 and Firefox ESR 38.x before 38.4 lack status checking, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted SVG document. Critical CVE-2015-7199 SUSE bug 952810 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The CryptoKey interface implementation in Mozilla Firefox before 42.0 and Firefox ESR 38.x before 38.4 lacks status checking, which allows attackers to have an unspecified impact via vectors related to a cryptographic key. Critical CVE-2015-7200 SUSE bug 952810 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 43.0 and Firefox ESR 38.x before 38.5 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Important CVE-2015-7201 SUSE bug 959277 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 43.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Important CVE-2015-7202 SUSE bug 959277 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer underflow in the RTPReceiverVideo::ParseRtpPacket function in Mozilla Firefox before 43.0 and Firefox ESR 38.x before 38.5 might allow remote attackers to obtain sensitive information, cause a denial of service, or possibly have unspecified other impact by triggering a crafted WebRTC RTP packet. Moderate CVE-2015-7205 SUSE bug 959277 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in Mozilla Firefox before 43.0 and Firefox ESR 38.x before 38.5 allows remote attackers to execute arbitrary code by triggering attempted use of a data channel that has been closed by a WebRTC function. Important CVE-2015-7210 SUSE bug 959277 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in the mozilla::layers::BufferTextureClient::AllocateForSurface function in Mozilla Firefox before 43.0 and Firefox ESR 38.x before 38.5 allows remote attackers to execute arbitrary code by triggering a graphics operation that requires a large texture allocation. Moderate CVE-2015-7212 SUSE bug 959277 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in the MPEG4Extractor::readMetaData function in MPEG4Extractor.cpp in libstagefright in Mozilla Firefox before 43.0 and Firefox ESR 38.x before 38.5 on 64-bit platforms allows remote attackers to execute arbitrary code via a crafted MP4 video file that triggers a buffer overflow. Moderate CVE-2015-7213 SUSE bug 959277 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Mozilla Firefox before 43.0 and Firefox ESR 38.x before 38.5 allow remote attackers to bypass the Same Origin Policy via data: and view-source: URIs. Moderate CVE-2015-7214 SUSE bug 959277 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer underflow in the Metadata::setData function in MetaData.cpp in libstagefright in Mozilla Firefox before 43.0 and Firefox ESR 38.x before 38.5 allows remote attackers to execute arbitrary code or cause a denial of service (incorrect memory allocation and application crash) via an MP4 video file with crafted covr metadata that triggers a buffer overflow. Moderate CVE-2015-7222 SUSE bug 959277 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in xprt_set_caller in rpcb_svc_com.c in rpcbind 0.2.1 and earlier allows remote attackers to cause a denial of service (daemon crash) via crafted packets, involving a PMAP_CALLIT code. Important CVE-2015-7236 SUSE bug 940191 SUSE bug 946204 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA hw/virtio/virtio.c in the Virtual Network Device (virtio-net) support in QEMU, when big or mergeable receive buffers are not supported, allows remote attackers to cause a denial of service (guest network consumption) via a flood of jumbo frames on the (1) tuntap or (2) macvtap interface. Moderate CVE-2015-7295 SUSE bug 947159 SUSE bug 950367 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA libxl in Xen 4.1.x through 4.6.x does not properly handle the readonly flag on disks when using the qemu-xen device model, which allows local guest users to write to a read-only disk image. Low CVE-2015-7311 SUSE bug 947165 SUSE bug 950367 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the xmlDictComputeFastQKey function in dict.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service via unspecified vectors. Moderate CVE-2015-7497 SUSE bug 1123919 SUSE bug 957106 SUSE bug 959469 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the xmlParseXmlDecl function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service via unspecified vectors related to extracting errors after an encoding conversion failure. Moderate CVE-2015-7498 SUSE bug 1123919 SUSE bug 957107 SUSE bug 959469 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the xmlGROW function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive process memory information via unspecified vectors. Moderate CVE-2015-7499 SUSE bug 1123919 SUSE bug 957109 SUSE bug 959469 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The xmlParseMisc function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service (out-of-bounds heap read) via unspecified vectors related to incorrect entities boundaries and start tags. Moderate CVE-2015-7500 SUSE bug 1123919 SUSE bug 957110 SUSE bug 959469 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU allows guest OS administrators to cause a denial of service (instance crash) or possibly execute arbitrary code via a series of packets in loopback mode. Moderate CVE-2015-7504 SUSE bug 956411 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 fs/ext4/namei.c in the Linux kernel before 3.7 allows physically proximate attackers to cause a denial of service (system crash) via a crafted no-journal filesystem, a related issue to CVE-2013-2015. Moderate CVE-2015-7509 SUSE bug 956707 SUSE bug 956709 SUSE bug 956766 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU, when a guest NIC has a larger MTU, allows remote attackers to cause a denial of service (guest OS crash) or execute arbitrary code via a large packet. Important CVE-2015-7512 SUSE bug 957162 SUSE bug 962360 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 arch/x86/kvm/x86.c in the Linux kernel before 4.4 does not reset the PIT counter values during state restoration, which allows guest OS users to cause a denial of service (divide-by-zero error and host OS crash) via a zero value, related to the kvm_vm_ioctl_set_pit and kvm_vm_ioctl_set_pit2 functions. Moderate CVE-2015-7513 SUSE bug 960689 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The aiptek_probe function in drivers/input/tablet/aiptek.c in the Linux kernel before 4.4 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted USB device that lacks endpoints. Moderate CVE-2015-7515 SUSE bug 956708 SUSE Linux Enterprise Server 11 SP3-TERADATA aRts 1.5.10 and kdelibs3 3.5.10 and earlier do not properly create temporary directories, which allows local users to hijack the IPC by pre-creating the temporary directory. Moderate CVE-2015-7543 SUSE bug 958347 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple stack-based buffer overflows in the (1) send_dg and (2) send_vc functions in the libresolv library in the GNU C Library (aka glibc or libc6) before 2.23 allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted DNS response that triggers a call to the getaddrinfo function with the AF_UNSPEC or AF_INET6 address family, related to performing "dual A/AAAA DNS queries" and the libnss_dns.so.2 NSS module. Important CVE-2015-7547 SUSE bug 1077097 SUSE bug 847227 SUSE bug 961721 SUSE bug 967023 SUSE bug 967061 SUSE bug 967072 SUSE bug 967496 SUSE bug 969216 SUSE bug 969241 SUSE bug 986086 SUSE OpenStack Cloud 5 OpenStack Compute (Nova) before 2015.1.3 (kilo) and 12.0.x before 12.0.1 (liberty), when using libvirt to spawn instances and use_cow_images is set to false, allow remote authenticated users to read arbitrary files by overwriting an instance disk with a crafted image and requesting a snapshot. Moderate CVE-2015-7548 SUSE bug 960601 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The MSI-X MMIO support in hw/pci/msix.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) by leveraging failure to define the .write method. Low CVE-2015-7549 SUSE bug 958917 SUSE bug 958918 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The keyctl_read_key function in security/keys/keyctl.c in the Linux kernel before 4.3.4 does not properly use a semaphore, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted application that leverages a race condition between keyctl_revoke and keyctl_read calls. Moderate CVE-2015-7550 SUSE bug 1052256 SUSE bug 958951 SUSE Linux Enterprise Server 11 SP3-TERADATA The Fiddle::Handle implementation in ext/fiddle/handle.c in Ruby before 2.0.0-p648, 2.1 before 2.1.8, and 2.2 before 2.2.4, as distributed in Apple OS X before 10.11.4 and other products, mishandles tainting, which allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted string, related to the DL module and the libffi library. NOTE: this vulnerability exists because of a CVE-2009-5147 regression. Moderate CVE-2015-7551 SUSE bug 939860 SUSE bug 959495 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the gdk_pixbuf_flip function in gdk-pixbuf-scale.c in gdk-pixbuf 2.30.x allows remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted BMP file. Moderate CVE-2015-7552 SUSE bug 958963 SUSE Linux Enterprise Server 11 SP3-TERADATA The _TIFFVGetField function in tif_dir.c in libtiff 4.0.6 allows attackers to cause a denial of service (invalid memory write and crash) or possibly have unspecified other impact via crafted field data in an extension tag in a TIFF image. Important CVE-2015-7554 SUSE bug 1007276 SUSE bug 1017690 SUSE bug 1040322 SUSE bug 960341 SUSE bug 974621 SUSE bug 983436 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in giffix.c in giffix in giflib 5.1.1 allows attackers to cause a denial of service (program crash) via crafted image and logical screen width fields in a GIF file. Moderate CVE-2015-7555 SUSE bug 960319 SUSE Linux Enterprise Server 11 SP3-TERADATA The SMB1 implementation in smbd in Samba 3.x and 4.x before 4.1.23, 4.2.x before 4.2.9, 4.3.x before 4.3.6, and 4.4.x before 4.4.0rc4 allows remote authenticated users to modify arbitrary ACLs by using a UNIX SMB1 call to create a symlink, and then using a non-UNIX SMB1 call to write to the ACL content. Moderate CVE-2015-7560 SUSE bug 968222 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The clie_5_attach function in drivers/usb/serial/visor.c in the Linux kernel through 4.4.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacks a bulk-out endpoint. Low CVE-2015-7566 SUSE bug 961512 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Mozilla Network Security Services (NSS) before 3.20.2, as used in Mozilla Firefox before 43.0.2 and Firefox ESR 38.x before 38.5.2, does not reject MD5 signatures in Server Key Exchange messages in TLS 1.2 Handshake Protocol traffic, which makes it easier for man-in-the-middle attackers to spoof servers by triggering a collision. Moderate CVE-2015-7575 SUSE bug 959888 SUSE bug 960402 SUSE bug 960996 SUSE bug 961280 SUSE bug 961281 SUSE bug 961282 SUSE bug 961283 SUSE bug 961284 SUSE bug 961290 SUSE bug 961357 SUSE bug 962743 SUSE bug 963937 SUSE bug 967521 SUSE bug 981087 SUSE OpenStack Cloud 5 The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences. Moderate CVE-2015-7576 SUSE bug 963329 SUSE bug 970715 SUSE OpenStack Cloud 5 activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly implement a certain destroy option, which allows remote attackers to bypass intended change restrictions by leveraging use of the nested attributes feature. Moderate CVE-2015-7577 SUSE bug 963330 SUSE OpenStack Cloud 5 actionpack/lib/action_dispatch/routing/route_set.rb in Action Pack in Ruby on Rails 4.x before 4.2.5.1 and 5.x before 5.0.0.beta1.1 allows remote attackers to cause a denial of service (superfluous caching and memory consumption) by leveraging an application's use of a wildcard controller route. Important CVE-2015-7581 SUSE bug 963335 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in the pixops_scale_nearest function in pixops/pixops.c in gdk-pixbuf before 2.32.1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted GIF image file, which triggers a heap-based buffer overflow. Moderate CVE-2015-7674 SUSE bug 948791 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The crypto_xmit function in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service (crash) via crafted packets containing particular autokey operations. NOTE: This vulnerability exists due to an incomplete fix for CVE-2014-9750. Important CVE-2015-7691 SUSE bug 1010964 SUSE bug 911792 SUSE bug 951608 SUSE bug 959243 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The crypto_xmit function in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service (crash). NOTE: This vulnerability exists due to an incomplete fix for CVE-2014-9750. Important CVE-2015-7692 SUSE bug 1010964 SUSE bug 911792 SUSE bug 951608 SUSE bug 959243 SUSE Linux Enterprise Server 11 SP3-TERADATA Info-ZIP UnZip 6.0 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) or possibly execute arbitrary code via a crafted password-protected ZIP archive, possibly related to an Extra-Field size value. Moderate CVE-2015-7696 SUSE bug 950110 SUSE Linux Enterprise Server 11 SP3-TERADATA Info-ZIP UnZip 6.0 allows remote attackers to cause a denial of service (infinite loop) via empty bzip2 data in a ZIP archive. Moderate CVE-2015-7697 SUSE bug 950110 SUSE bug 950111 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Memory leak in the CRYPTO_ASSOC function in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service (memory consumption). Moderate CVE-2015-7701 SUSE bug 1010964 SUSE bug 951608 SUSE bug 959243 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The crypto_xmit function in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service (crash). NOTE: This vulnerability exists due to an incomplete fix for CVE-2014-9750. Important CVE-2015-7702 SUSE bug 1010964 SUSE bug 911792 SUSE bug 951608 SUSE bug 959243 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The "pidfile" or "driftfile" directives in NTP ntpd 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77, when ntpd is configured to allow remote configuration, allows remote attackers with an IP address that is allowed to send configuration requests, and with knowledge of the remote configuration password to write to arbitrary files via the :config command. Moderate CVE-2015-7703 SUSE bug 1010964 SUSE bug 943216 SUSE bug 943218 SUSE bug 943219 SUSE bug 943221 SUSE bug 951608 SUSE bug 959243 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The ntpd client in NTP 4.x before 4.2.8p4 and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service via a number of crafted "KOD" messages. Moderate CVE-2015-7704 SUSE bug 1010964 SUSE bug 951608 SUSE bug 952611 SUSE bug 959243 SUSE bug 977446 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The rate limiting feature in NTP 4.x before 4.2.8p4 and 4.3.x before 4.3.77 allows remote attackers to have unspecified impact via a large number of crafted requests. Moderate CVE-2015-7705 SUSE bug 1010964 SUSE bug 951608 SUSE bug 952611 SUSE bug 959243 SUSE OpenStack Cloud 5 OpenStack Compute (Nova) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) do not properly apply security group changes, which allows remote attackers to bypass intended restriction by leveraging an instance that was running when the change was made. Moderate CVE-2015-7713 SUSE bug 949070 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA wolfSSL (formerly CyaSSL) before 3.6.8 does not properly handle faults associated with the Chinese Remainder Theorem (CRT) process when allowing ephemeral key exchange without low memory optimizations on a server, which makes it easier for remote attackers to obtain private RSA keys by capturing TLS handshakes, aka a Lenstra attack. Moderate CVE-2015-7744 SUSE bug 962779 SUSE bug 962817 SUSE bug 962930 SUSE bug 962931 SUSE bug 962932 SUSE bug 962934 SUSE bug 962935 SUSE bug 962936 SUSE bug 962937 SUSE bug 962938 SUSE bug 962939 SUSE bug 962941 SUSE bug 962942 SUSE bug 962943 SUSE bug 962944 SUSE bug 962945 SUSE bug 962946 SUSE bug 962947 SUSE bug 962948 SUSE bug 962949 SUSE bug 962950 SUSE bug 962951 SUSE bug 962952 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The slhc_init function in drivers/net/slip/slhc.c in the Linux kernel through 4.2.3 does not ensure that certain slot numbers are valid, which allows local users to cause a denial of service (NULL pointer dereference and system crash) via a crafted PPPIOCSMAXCID ioctl call. Low CVE-2015-7799 SUSE bug 1052256 SUSE bug 949936 SUSE bug 951638 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The phar_get_entry_data function in ext/phar/util.c in PHP before 5.5.30 and 5.6.x before 5.6.14 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a .phar file with a crafted TAR archive entry in which the Link indicator references a file that does not exist. Moderate CVE-2015-7803 SUSE bug 949961 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in libsndfile 1.0.25 allows remote attackers to have unspecified impact via the headindex value in the header in an AIFF file. Moderate CVE-2015-7805 SUSE bug 953516 SUSE bug 953519 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The pcapng_read_if_descr_block function in wiretap/pcapng.c in the pcapng parser in Wireshark 1.12.x before 1.12.8 uses too many levels of pointer indirection, which allows remote attackers to cause a denial of service (incorrect free and application crash) via a crafted packet that triggers interface-filter copying. Moderate CVE-2015-7830 SUSE bug 950437 SUSE bug 960382 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The usbvision driver in the Linux kernel package 3.10.0-123.20.1.el7 through 3.10.0-229.14.1.el7 in Red Hat Enterprise Linux (RHEL) 7.1 allows physically proximate attackers to cause a denial of service (panic) via a nonzero bInterfaceNumber value in a USB device descriptor. Moderate CVE-2015-7833 SUSE bug 950998 SUSE bug 990058 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The mod_l2_entry function in arch/x86/mm.c in Xen 3.4 through 4.6.x does not properly validate level 2 page table entries, which allows local PV guest administrators to gain privileges via a crafted superpage mapping. Important CVE-2015-7835 SUSE bug 940929 SUSE bug 947159 SUSE bug 950367 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 An integer overflow can occur in NTP-dev.4.3.70 leading to an out-of-bounds memory copy operation when processing a specially crafted private mode packet. The crafted packet needs to have the correct message authentication code and a valid timestamp. When processed by the NTP daemon, it leads to an immediate crash. Moderate CVE-2015-7848 SUSE bug 1010964 SUSE bug 951608 SUSE bug 959243 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Use-after-free vulnerability in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote authenticated users to possibly execute arbitrary code or cause a denial of service (crash) via crafted packets. Moderate CVE-2015-7849 SUSE bug 1010964 SUSE bug 951608 SUSE bug 959243 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote authenticated users to cause a denial of service (infinite loop or crash) by pointing the key file at the log file. Moderate CVE-2015-7850 SUSE bug 1010964 SUSE bug 951608 SUSE bug 959243 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Moderate CVE-2015-7851 SUSE bug 1010964 SUSE bug 951608 SUSE bug 959243 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 ntpq in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service (crash) via crafted mode 6 response packets. Moderate CVE-2015-7852 SUSE bug 1010964 SUSE bug 951608 SUSE bug 959243 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The datalen parameter in the refclock driver in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to execute arbitrary code or cause a denial of service (crash) via a negative input value. Moderate CVE-2015-7853 SUSE bug 1010964 SUSE bug 951608 SUSE bug 959243 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Buffer overflow in the password management functionality in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote authenticated users to cause a denial of service (daemon crash) or possibly execute arbitrary code via a crafted key file. Moderate CVE-2015-7854 SUSE bug 1010964 SUSE bug 951608 SUSE bug 959243 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The decodenetnum function in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service (assertion failure) via a 6 or mode 7 packet containing a long data value. Moderate CVE-2015-7855 SUSE bug 1010964 SUSE bug 951608 SUSE bug 959243 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Crypto-NAK packets in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to bypass authentication. Moderate CVE-2015-7871 SUSE bug 1010964 SUSE bug 951608 SUSE bug 952606 SUSE bug 959243 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The key_gc_unused_keys function in security/keys/gc.c in the Linux kernel through 4.2.6 allows local users to cause a denial of service (OOPS) via crafted keyctl commands. Important CVE-2015-7872 SUSE bug 951440 SUSE bug 951542 SUSE bug 951638 SUSE bug 958463 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA libxml2 2.9.2 does not properly stop parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and libxml2 crash) via crafted XML data to the (1) xmlParseEntityDecl or (2) xmlParseConditionalSections function in parser.c, as demonstrated by non-terminated entities. Low CVE-2015-7941 SUSE bug 1123919 SUSE bug 951734 SUSE bug 951735 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The xmlParseConditionalSections function in parser.c in libxml2 does not properly skip intermediary entities when it stops parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via crafted XML data, a different vulnerability than CVE-2015-7941. Low CVE-2015-7942 SUSE bug 1123919 SUSE bug 951735 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple memory leaks in Xen 4.0 through 4.6.x allow local guest administrators or domains with certain permission to cause a denial of service (memory consumption) via a large number of "teardowns" of domains with the vcpu pointer array allocated using the (1) XEN_DOMCTL_max_vcpus hypercall or the xenoprofile state vcpu pointer array allocated using the (2) XENOPROF_get_buffer or (3) XENOPROF_set_passive hypercall. Moderate CVE-2015-7969 SUSE bug 950703 SUSE bug 950705 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The p2m_pod_emergency_sweep function in arch/x86/mm/p2m-pod.c in Xen 3.4.x, 3.5.x, and 3.6.x is not preemptible, which allows local x86 HVM guest administrators to cause a denial of service (CPU consumption and possibly reboot) via crafted memory contents that triggers a "time-consuming linear scan," related to Populate-on-Demand. Moderate CVE-2015-7970 SUSE bug 950704 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Xen 3.2.x through 4.6.x does not limit the number of printk console messages when logging certain pmu and profiling hypercalls, which allows local guests to cause a denial of service via a sequence of crafted (1) HYPERCALL_xenoprof_op hypercalls, which are not properly handled in the do_xenoprof_op function in common/xenoprof.c, or (2) HYPERVISOR_xenpmu_op hypercalls, which are not properly handled in the do_xenpmu_op function in arch/x86/cpu/vpmu.c. Moderate CVE-2015-7971 SUSE bug 950706 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The (1) libxl_set_memory_target function in tools/libxl/libxl.c and (2) libxl__build_post function in tools/libxl/libxl_dom.c in Xen 3.4.x through 4.6.x do not properly calculate the balloon size when using the populate-on-demand (PoD) system, which allows local HVM guest users to cause a denial of service (guest crash) via unspecified vectors related to "heavy memory pressure." Moderate CVE-2015-7972 SUSE bug 950704 SUSE bug 951845 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 NTP before 4.2.8p6 and 4.3.x before 4.3.90, when configured in broadcast mode, allows man-in-the-middle attackers to conduct replay attacks by sniffing the network. Moderate CVE-2015-7973 SUSE bug 959243 SUSE bug 962995 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 NTP 4.x before 4.2.8p6 and 4.3.x before 4.3.90 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a "skeleton key." Low CVE-2015-7974 SUSE bug 959243 SUSE bug 962960 SUSE bug 962995 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The nextvar function in NTP before 4.2.8p6 and 4.3.x before 4.3.90 does not properly validate the length of its input, which allows an attacker to cause a denial of service (application crash). Low CVE-2015-7975 SUSE bug 959243 SUSE bug 962988 SUSE bug 962995 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The ntpq saveconfig command in NTP 4.1.2, 4.2.x before 4.2.8p6, 4.3, 4.3.25, 4.3.70, and 4.3.77 does not properly filter special characters, which allows attackers to cause unspecified impact via a crafted filename. Low CVE-2015-7976 SUSE bug 962802 SUSE bug 962995 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 ntpd in NTP before 4.2.8p6 and 4.3.x before 4.3.90 allows remote attackers to cause a denial of service (NULL pointer dereference) via a ntpdc reslist command. Moderate CVE-2015-7977 SUSE bug 959243 SUSE bug 962970 SUSE bug 962995 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 NTP before 4.2.8p6 and 4.3.0 before 4.3.90 allows a remote attackers to cause a denial of service (stack exhaustion) via an ntpdc relist command, which triggers recursive traversal of the restriction list. Moderate CVE-2015-7978 SUSE bug 959243 SUSE bug 962970 SUSE bug 962995 SUSE bug 963000 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 NTP before 4.2.8p6 and 4.3.x before 4.3.90 allows remote attackers to cause a denial of service (client-server association tear down) by sending broadcast packets with invalid authentication to a broadcast client. Moderate CVE-2015-7979 SUSE bug 959243 SUSE bug 962784 SUSE bug 962995 SUSE bug 977459 SUSE bug 982065 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The png_convert_to_rfc1123 function in png.c in libpng 1.0.x before 1.0.64, 1.2.x before 1.2.54, and 1.4.x before 1.4.17 allows remote attackers to obtain sensitive process memory information via crafted tIME chunk data in an image file, which triggers an out-of-bounds read. Moderate CVE-2015-7981 SUSE bug 952051 SUSE bug 960402 SUSE bug 963937 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Race condition in the rds_sendmsg function in net/rds/sendmsg.c in the Linux kernel before 4.3.3 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by using a socket that was not properly bound. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-6937. Low CVE-2015-7990 SUSE bug 945825 SUSE bug 952384 SUSE bug 953052 SUSE Linux Enterprise Server 11 SP3-TERADATA The xsltStylePreCompute function in preproc.c in libxslt 1.1.28 does not check if the parent node is an element, which allows attackers to cause a denial of service via a crafted XML file, related to a "type confusion" issue. Low CVE-2015-7995 SUSE bug 1123130 SUSE bug 952474 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA db.c in named in ISC BIND 9.x before 9.9.8-P2 and 9.10.x before 9.10.3-P2 allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) via a malformed class attribute. Moderate CVE-2015-8000 SUSE bug 944066 SUSE bug 958861 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The server implementation of the EAP-MSCHAPv2 protocol in the eap-mschapv2 plugin in strongSwan 4.2.12 through 5.x before 5.3.4 does not properly validate local state, which allows remote attackers to bypass authentication via an empty Success message in response to an initial Challenge message. Important CVE-2015-8023 SUSE bug 953817 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA driver/subprocs.c in XScreenSaver before 5.34 does not properly perform an internal consistency check, which allows physically proximate attackers to bypass the lock screen by hot swapping monitors. Moderate CVE-2015-8025 SUSE bug 952062 SUSE Linux Enterprise Server 11 SP3-TERADATA The index_urlfetch function in index.c in Cyrus IMAP 2.3.x before 2.3.19, 2.4.x before 2.4.18, 2.5.x before 2.5.4 allows remote attackers to obtain sensitive information or possibly have unspecified other impact via vectors related to the urlfetch range, which triggers an out-of-bounds heap read. Moderate CVE-2015-8076 SUSE bug 954200 SUSE bug 954201 SUSE bug 981670 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in the index_urlfetch function in imap/index.c in Cyrus IMAP 2.3.19, 2.4.18, and 2.5.6 allows remote attackers to have unspecified impact via vectors related to urlfetch range checks and the start_octet variable. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-8076. Moderate CVE-2015-8077 SUSE bug 954200 SUSE bug 954201 SUSE bug 981670 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in the index_urlfetch function in imap/index.c in Cyrus IMAP 2.3.19, 2.4.18, and 2.5.6 allows remote attackers to have unspecified impact via vectors related to urlfetch range checks and the section_offset variable. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-8076. Moderate CVE-2015-8078 SUSE bug 954201 SUSE bug 981670 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a denial of service (host OS panic or hang) by triggering many #DB (aka Debug) exceptions, related to svm.c. Moderate CVE-2015-8104 SUSE bug 953527 SUSE bug 954018 SUSE bug 954404 SUSE bug 954405 SUSE bug 962977 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple buffer overflows in the (1) png_set_PLTE and (2) png_get_PLTE functions in libpng before 1.0.64, 1.1.x and 1.2.x before 1.2.54, 1.3.x and 1.4.x before 1.4.17, 1.5.x before 1.5.24, and 1.6.x before 1.6.19 allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a small bit-depth value in an IHDR (aka image header) chunk in a PNG image. Moderate CVE-2015-8126 SUSE bug 954980 SUSE bug 958198 SUSE bug 960402 SUSE bug 962743 SUSE bug 963937 SUSE bug 969333 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 NTP before 4.2.8p6 and 4.3.x before 4.3.90 allows remote attackers to bypass the origin timestamp validation via a packet with an origin timestamp set to zero. Moderate CVE-2015-8138 SUSE bug 951608 SUSE bug 959243 SUSE bug 963002 SUSE bug 974668 SUSE bug 977446 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 ntpq in NTP before 4.2.8p7 allows remote attackers to obtain origin timestamps and then impersonate peers via unspecified vectors. Moderate CVE-2015-8139 SUSE bug 1010964 SUSE bug 959243 SUSE bug 962997 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The ntpq protocol in NTP before 4.2.8p7 allows remote attackers to conduct replay attacks by sniffing the network. Moderate CVE-2015-8140 SUSE bug 1010964 SUSE bug 959243 SUSE bug 962994 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The getresponse function in ntpq in NTP versions before 4.2.8p9 and 4.3.x before 4.3.90 allows remote attackers to cause a denial of service (infinite loop) via crafted packets with incorrect values. Low CVE-2015-8158 SUSE bug 959243 SUSE bug 962966 SUSE OpenStack Cloud 5 The get_format function in utils/formats.py in Django before 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setting, as demonstrated by SECRET_KEY. Moderate CVE-2015-8213 SUSE bug 955412 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 net/ipv6/addrconf.c in the IPv6 stack in the Linux kernel before 4.0 does not validate attempted changes to the MTU value, which allows context-dependent attackers to cause a denial of service (packet loss) via a value that is (1) smaller than the minimum compliant value or (2) larger than the MTU of an interface, as demonstrated by a Router Advertisement (RA) message that is not validated by a daemon, a different vulnerability than CVE-2015-0272. NOTE: the scope of CVE-2015-0272 is limited to the NetworkManager product. Moderate CVE-2015-8215 SUSE bug 1052256 SUSE bug 944296 SUSE bug 951638 SUSE bug 955354 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The xmlNextChar function in libxml2 2.9.2 does not properly check the state, which allows context-dependent attackers to cause a denial of service (heap-based buffer over-read and application crash) or obtain sensitive information via crafted XML data. Moderate CVE-2015-8241 SUSE bug 1123919 SUSE bug 956018 SUSE bug 959469 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The xmlSAX2TextNode function in SAX2.c in the push interface in the HTML parser in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service (stack-based buffer over-read and application crash) or obtain sensitive information via crafted XML data. Moderate CVE-2015-8242 SUSE bug 1123919 SUSE bug 956021 SUSE bug 959469 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Moderate CVE-2015-8313 SUSE bug 957568 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The xmlParseXMLDecl function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive information via an (1) unterminated encoding value or (2) incomplete XML declaration in XML data, which triggers an out-of-bounds heap read. Moderate CVE-2015-8317 SUSE bug 1123919 SUSE bug 956260 SUSE bug 959469 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The do_setup_env function in session.c in sshd in OpenSSH through 7.2p2, when the UseLogin feature is enabled and PAM is configured to read .pam_environment files in user home directories, allows local users to gain privileges by triggering a crafted environment for the /bin/login program, as demonstrated by an LD_PRELOAD environment variable. Moderate CVE-2015-8325 SUSE bug 1016709 SUSE bug 1138392 SUSE bug 975865 SUSE bug 996040 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Incomplete blacklist vulnerability in util.c in foomatic-rip in cups-filters 1.0.42 before 1.2.0 and in foomatic-filters in Foomatic 4.0.x allows remote attackers to execute arbitrary commands via ` (backtick) characters in a print job. Moderate CVE-2015-8327 SUSE bug 1027197 SUSE bug 957531 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The memory_exchange function in common/memory.c in Xen 3.2.x through 4.6.x does not properly hand back pages to a domain, which might allow guest OS administrators to cause a denial of service (host crash) via unspecified vectors related to domain teardown. Moderate CVE-2015-8339 SUSE bug 956408 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The memory_exchange function in common/memory.c in Xen 3.2.x through 4.6.x does not properly release locks, which might allow guest OS administrators to cause a denial of service (deadlock or host crash) via unspecified vectors, related to XENMEM_exchange error handling. Moderate CVE-2015-8340 SUSE bug 956408 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The libxl toolstack library in Xen 4.1.x through 4.6.x does not properly release mappings of files used as kernels and initial ramdisks when managing multiple domains in the same process, which allows attackers to cause a denial of service (memory and disk consumption) by starting domains. Moderate CVE-2015-8341 SUSE bug 956409 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The eepro100 emulator in QEMU qemu-kvm blank allows local guest users to cause a denial of service (application crash and infinite loop) via vectors involving the command block list. Moderate CVE-2015-8345 SUSE bug 956829 SUSE bug 956832 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple integer underflows in Grub2 1.98 through 2.02 allow physically proximate attackers to bypass authentication, obtain sensitive information, or cause a denial of service (disk corruption) via backspace characters in the (1) grub_username_get function in grub-core/normal/auth.c or the (2) grub_password_get function in lib/crypto.c, which trigger an "Off-by-two" or "Out of bounds overwrite" memory error. Moderate CVE-2015-8370 SUSE bug 956631 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in the png_set_PLTE function in libpng before 1.0.65, 1.1.x and 1.2.x before 1.2.55, 1.3.x, 1.4.x before 1.4.18, 1.5.x before 1.5.25, and 1.6.x before 1.6.20 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a small bit-depth value in an IHDR (aka image header) chunk in a PNG image. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-8126. Moderate CVE-2015-8472 SUSE bug 954980 SUSE bug 958198 SUSE bug 960402 SUSE bug 963937 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Qemu, when built with VNC display driver support, allows remote attackers to cause a denial of service (arithmetic exception and application crash) via crafted SetPixelFormat messages from a client. Moderate CVE-2015-8504 SUSE bug 958491 SUSE bug 958493 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The KEYS subsystem in the Linux kernel before 4.4 allows local users to gain privileges or cause a denial of service (BUG) via crafted keyctl commands that negatively instantiate a key, related to security/keys/encrypted-keys/encrypted.c, security/keys/trusted.c, and security/keys/user_defined.c. Important CVE-2015-8539 SUSE bug 781018 SUSE bug 958463 SUSE bug 958601 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Integer underflow in the png_check_keyword function in pngwutil.c in libpng 0.90 through 0.99, 1.0.x before 1.0.66, 1.1.x and 1.2.x before 1.2.56, 1.3.x and 1.4.x before 1.4.19, and 1.5.x before 1.5.26 allows remote attackers to have unspecified impact via a space character as a keyword in a PNG image, which triggers an out-of-bounds read. Moderate CVE-2015-8540 SUSE bug 1149680 SUSE bug 958791 SUSE bug 963937 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The networking implementation in the Linux kernel through 4.3.3, as used in Android and other products, does not validate protocol identifiers for certain protocol families, which allows local users to cause a denial of service (NULL function pointer dereference and system crash) or possibly gain privileges by leveraging CLONE_NEWUSER support to execute a crafted SOCK_RAW application. Moderate CVE-2015-8543 SUSE bug 1052256 SUSE bug 923755 SUSE bug 958886 SUSE bug 963994 SUSE bug 969522 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Xen, when used on a system providing PV backends, allows local guest OS administrators to cause a denial of service (host OS crash) or gain privileges by writing to memory shared between the frontend and backend, aka a double fetch vulnerability. Important CVE-2015-8550 SUSE bug 1052256 SUSE bug 957988 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The PCI backend driver in Xen, when running on an x86 system and using Linux 3.1.x through 4.3.x as the driver domain, allows local guest administrators to hit BUG conditions and cause a denial of service (NULL pointer dereference and host OS crash) by leveraging a system with access to a passed-through MSI or MSI-X capable physical PCI device and a crafted sequence of XEN_PCI_OP_* operations, aka "Linux pciback missing sanity checks." Moderate CVE-2015-8551 SUSE bug 957990 SUSE bug 990058 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The PCI backend driver in Xen, when running on an x86 system and using Linux 3.1.x through 4.3.x as the driver domain, allows local guest administrators to generate a continuous stream of WARN messages and cause a denial of service (disk consumption) by leveraging a system with access to a passed-through MSI or MSI-X capable physical PCI device and XEN_PCI_OP_enable_msi operations, aka "Linux pciback missing sanity checks." Moderate CVE-2015-8552 SUSE bug 957990 SUSE bug 990058 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in hw/pt-msi.c in Xen 4.6.x and earlier, when using the qemu-xen-traditional (aka qemu-dm) device model, allows local x86 HVM guest administrators to gain privileges by leveraging a system with access to a passed-through MSI-X capable physical PCI device and MSI-X table entries, related to a "write path." Moderate CVE-2015-8554 SUSE bug 958007 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Xen 4.6.x, 4.5.x, 4.4.x, 4.3.x, and earlier do not initialize x86 FPU stack and XMM registers when XSAVE/XRSTOR are not used to manage guest extended register state, which allows local guest domains to obtain sensitive information from other domains via unspecified vectors. Low CVE-2015-8555 SUSE bug 958009 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The ehci_process_itd function in hw/usb/hcd-ehci.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via a circular isochronous transfer descriptor (iTD) list. Low CVE-2015-8558 SUSE bug 959005 SUSE bug 959006 SUSE bug 976109 SUSE bug 976111 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Incomplete blacklist vulnerability in util.c in foomatic-rip in cups-filters 1.0.42 before 1.4.0 and in foomatic-filters in Foomatic 4.0.x allows remote attackers to execute arbitrary commands via a ; (semicolon) character in a print job, a different vulnerability than CVE-2015-8327. Moderate CVE-2015-8560 SUSE bug 1027197 SUSE bug 957531 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The (1) pptp_bind and (2) pptp_connect functions in drivers/net/ppp/pptp.c in the Linux kernel through 4.3.3 do not verify an address length, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism via a crafted application. Low CVE-2015-8569 SUSE bug 923755 SUSE bug 959190 SUSE bug 959399 SUSE bug 963994 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The sco_sock_bind function in net/bluetooth/sco.c in the Linux kernel before 4.3.4 does not verify an address length, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism via a crafted application. Moderate CVE-2015-8575 SUSE bug 959190 SUSE bug 959399 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA ISC DHCP 4.x before 4.1-ESV-R12-P1, 4.2.x, and 4.3.x before 4.3.3-P1 allows remote attackers to cause a denial of service (application crash) via an invalid length field in a UDP IPv4 packet. Moderate CVE-2015-8605 SUSE bug 961305 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Stack-based buffer overflow in the megasas_ctrl_get_info function in QEMU, when built with SCSI MegaRAID SAS HBA emulation support, allows local guest users to cause a denial of service (QEMU instance crash) via a crafted SCSI controller CTRL_GET_INFO command. Low CVE-2015-8613 SUSE bug 961358 SUSE bug 961556 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The Human Monitor Interface support in QEMU allows remote attackers to cause a denial of service (out-of-bounds write and application crash). Low CVE-2015-8619 SUSE bug 960334 SUSE bug 965269 SUSE Linux Enterprise Server 11 SP3-TERADATA The xdr_nullstring function in lib/kadm5/kadm_rpc_xdr.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13.4 and 1.14.x before 1.14.1 does not verify whether '\0' characters exist as expected, which allows remote authenticated users to obtain sensitive information or cause a denial of service (out-of-bounds read) via a crafted string. Low CVE-2015-8629 SUSE bug 770172 SUSE bug 963968 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple memory leaks in kadmin/server/server_stubs.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13.4 and 1.14.x before 1.14.1 allow remote authenticated users to cause a denial of service (memory consumption) via a request specifying a NULL principal name. Moderate CVE-2015-8631 SUSE bug 963975 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the PackBitsPreEncode function in tif_packbits.c in bmp2tiff in libtiff 4.0.6 and earlier allows remote attackers to execute arbitrary code or cause a denial of service via a large width field in a BMP image. Moderate CVE-2015-8668 SUSE bug 1014461 SUSE bug 960589 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA apl_42.c in ISC BIND 9.x before 9.9.8-P3, 9.9.x, and 9.10.x before 9.10.3-P3 allows remote authenticated users to cause a denial of service (INSIST assertion failure and daemon exit) via a malformed Address Prefix List (APL) record. Moderate CVE-2015-8704 SUSE bug 962189 SUSE bug 962190 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The htmlParseComment function in HTMLparser.c in libxml2 allows attackers to obtain sensitive information, cause a denial of service (out-of-bounds heap memory access and application crash), or possibly have unspecified other impact via an unclosed HTML comment. Moderate CVE-2015-8710 SUSE bug 1123919 SUSE bug 960674 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA epan/dissectors/packet-nbap.c in the NBAP dissector in Wireshark 1.12.x before 1.12.9 and 2.0.x before 2.0.1 does not validate conversation data, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted packet. Moderate CVE-2015-8711 SUSE bug 960382 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The dissect_hsdsch_channel_info function in epan/dissectors/packet-umts_fp.c in the UMTS FP dissector in Wireshark 1.12.x before 1.12.9 does not validate the number of PDUs, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. Moderate CVE-2015-8712 SUSE bug 960382 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA epan/dissectors/packet-umts_fp.c in the UMTS FP dissector in Wireshark 1.12.x before 1.12.9 does not properly reserve memory for channel ID mappings, which allows remote attackers to cause a denial of service (out-of-bounds memory access and application crash) via a crafted packet. Moderate CVE-2015-8713 SUSE bug 960382 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The dissect_dcom_OBJREF function in epan/dissectors/packet-dcom.c in the DCOM dissector in Wireshark 1.12.x before 1.12.9 does not initialize a certain IPv4 data structure, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. Moderate CVE-2015-8714 SUSE bug 960382 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA epan/dissectors/packet-alljoyn.c in the AllJoyn dissector in Wireshark 1.12.x before 1.12.9 does not check for empty arguments, which allows remote attackers to cause a denial of service (infinite loop) via a crafted packet. Moderate CVE-2015-8715 SUSE bug 960382 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The init_t38_info_conv function in epan/dissectors/packet-t38.c in the T.38 dissector in Wireshark 1.12.x before 1.12.9 does not ensure that a conversation exists, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. Moderate CVE-2015-8716 SUSE bug 960382 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The dissect_sdp function in epan/dissectors/packet-sdp.c in the SDP dissector in Wireshark 1.12.x before 1.12.9 does not prevent use of a negative media count, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. Moderate CVE-2015-8717 SUSE bug 960382 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Double free vulnerability in epan/dissectors/packet-nlm.c in the NLM dissector in Wireshark 1.12.x before 1.12.9 and 2.0.x before 2.0.1, when the "Match MSG/RES packets for async NLM" option is enabled, allows remote attackers to cause a denial of service (application crash) via a crafted packet. Moderate CVE-2015-8718 SUSE bug 960382 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The dissect_dns_answer function in epan/dissectors/packet-dns.c in the DNS dissector in Wireshark 1.12.x before 1.12.9 mishandles the EDNS0 Client Subnet option, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. Moderate CVE-2015-8719 SUSE bug 960382 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The dissect_ber_GeneralizedTime function in epan/dissectors/packet-ber.c in the BER dissector in Wireshark 1.12.x before 1.12.9 and 2.0.x before 2.0.1 improperly checks an sscanf return value, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. Moderate CVE-2015-8720 SUSE bug 960382 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in the tvb_uncompress function in epan/tvbuff_zlib.c in Wireshark 1.12.x before 1.12.9 and 2.0.x before 2.0.1 allows remote attackers to cause a denial of service (application crash) via a crafted packet with zlib compression. Moderate CVE-2015-8721 SUSE bug 960382 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA epan/dissectors/packet-sctp.c in the SCTP dissector in Wireshark 1.12.x before 1.12.9 and 2.0.x before 2.0.1 does not validate the frame pointer, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted packet. Moderate CVE-2015-8722 SUSE bug 960382 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The AirPDcapPacketProcess function in epan/crypt/airpdcap.c in the 802.11 dissector in Wireshark 1.12.x before 1.12.9 and 2.0.x before 2.0.1 does not validate the relationship between the total length and the capture length, which allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) via a crafted packet. Moderate CVE-2015-8723 SUSE bug 960382 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The AirPDcapDecryptWPABroadcastKey function in epan/crypt/airpdcap.c in the 802.11 dissector in Wireshark 1.12.x before 1.12.9 and 2.0.x before 2.0.1 does not verify the WPA broadcast key length, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted packet. Moderate CVE-2015-8724 SUSE bug 960382 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The dissect_diameter_base_framed_ipv6_prefix function in epan/dissectors/packet-diameter.c in the DIAMETER dissector in Wireshark 1.12.x before 1.12.9 and 2.0.x before 2.0.1 does not validate the IPv6 prefix length, which allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) via a crafted packet. Moderate CVE-2015-8725 SUSE bug 960382 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA wiretap/vwr.c in the VeriWave file parser in Wireshark 1.12.x before 1.12.9 and 2.0.x before 2.0.1 does not validate certain signature and Modulation and Coding Scheme (MCS) data, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted file. Moderate CVE-2015-8726 SUSE bug 960382 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The dissect_rsvp_common function in epan/dissectors/packet-rsvp.c in the RSVP dissector in Wireshark 1.12.x before 1.12.9 and 2.0.x before 2.0.1 does not properly maintain request-key data, which allows remote attackers to cause a denial of service (use-after-free and application crash) via a crafted packet. Moderate CVE-2015-8727 SUSE bug 960382 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The Mobile Identity parser in (1) epan/dissectors/packet-ansi_a.c in the ANSI A dissector and (2) epan/dissectors/packet-gsm_a_common.c in the GSM A dissector in Wireshark 1.12.x before 1.12.9 and 2.0.x before 2.0.1 improperly uses the tvb_bcd_dig_to_wmem_packet_str function, which allows remote attackers to cause a denial of service (buffer overflow and application crash) via a crafted packet. Moderate CVE-2015-8728 SUSE bug 960382 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The ascend_seek function in wiretap/ascendtext.c in the Ascend file parser in Wireshark 1.12.x before 1.12.9 and 2.0.x before 2.0.1 does not ensure the presence of a '\0' character at the end of a date string, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted file. Moderate CVE-2015-8729 SUSE bug 960382 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA epan/dissectors/packet-nbap.c in the NBAP dissector in Wireshark 1.12.x before 1.12.9 and 2.0.x before 2.0.1 does not validate the number of items, which allows remote attackers to cause a denial of service (invalid read operation and application crash) via a crafted packet. Moderate CVE-2015-8730 SUSE bug 960382 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The dissct_rsl_ipaccess_msg function in epan/dissectors/packet-rsl.c in the RSL dissector in Wireshark 1.12.x before 1.12.9 and 2.0.x before 2.0.1 does not reject unknown TLV types, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted packet. Moderate CVE-2015-8731 SUSE bug 960382 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The dissect_zcl_pwr_prof_pwrprofstatersp function in epan/dissectors/packet-zbee-zcl-general.c in the ZigBee ZCL dissector in Wireshark 1.12.x before 1.12.9 and 2.0.x before 2.0.1 does not validate the Total Profile Number field, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted packet. Moderate CVE-2015-8732 SUSE bug 960382 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The ngsniffer_process_record function in wiretap/ngsniffer.c in the Sniffer file parser in Wireshark 1.12.x before 1.12.9 and 2.0.x before 2.0.1 does not validate the relationships between record lengths and record header lengths, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted file. Moderate CVE-2015-8733 SUSE bug 960382 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA QEMU (aka Quick Emulator) built with the NE2000 device emulation support is vulnerable to an OOB r/w access issue. It could occur while performing 'ioport' r/w operations. A privileged (CAP_SYS_RAWIO) user/process could use this flaw to leak or corrupt QEMU memory bytes. Moderate CVE-2015-8743 SUSE bug 960725 SUSE bug 960726 SUSE Linux Enterprise Server 11 SP3-LTSS QEMU (aka Quick Emulator) built with a VMWARE VMXNET3 paravirtual NIC emulator support is vulnerable to crash issue. It could occur while reading Interrupt Mask Registers (IMR). A privileged (CAP_SYS_RAWIO) guest user could use this flaw to crash the QEMU process instance resulting in DoS. Low CVE-2015-8745 SUSE bug 960707 SUSE bug 960708 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 net/sctp/sm_sideeffect.c in the Linux kernel before 4.3 does not properly manage the relationship between a lock and a socket, which allows local users to cause a denial of service (deadlock) via a crafted sctp_accept call. Low CVE-2015-8767 SUSE bug 961509 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The strftime function in the GNU C Library (aka glibc or libc6) before 2.23 allows context-dependent attackers to cause a denial of service (application crash) or possibly obtain sensitive information via an out-of-range time value. Low CVE-2015-8776 SUSE bug 962736 SUSE bug 986086 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The process_envvars function in elf/rtld.c in the GNU C Library (aka glibc or libc6) before 2.23 allows local users to bypass a pointer-guarding protection mechanism via a zero value of the LD_POINTER_GUARD environment variable. Low CVE-2015-8777 SUSE bug 950944 SUSE bug 962735 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in the GNU C Library (aka glibc or libc6) before 2.23 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via the size argument to the __hcreate_r function, which triggers out-of-bounds heap-memory access. Low CVE-2015-8778 SUSE bug 962737 SUSE bug 986086 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Stack-based buffer overflow in the catopen function in the GNU C Library (aka glibc or libc6) before 2.23 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long catalog name. Moderate CVE-2015-8779 SUSE bug 962739 SUSE bug 965453 SUSE bug 986086 SUSE Linux Enterprise Server 11 SP3-TERADATA tif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds write) via an invalid number of samples per pixel in a LogL compressed TIFF image, a different vulnerability than CVE-2015-8782. Moderate CVE-2015-8781 SUSE bug 964213 SUSE bug 964225 SUSE Linux Enterprise Server 11 SP3-TERADATA tif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds writes) via a crafted TIFF image, a different vulnerability than CVE-2015-8781. Moderate CVE-2015-8782 SUSE bug 964213 SUSE bug 964225 SUSE Linux Enterprise Server 11 SP3-TERADATA tif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds reads) via a crafted TIFF image. Moderate CVE-2015-8783 SUSE bug 964213 SUSE bug 964225 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The fuse_fill_write_pages function in fs/fuse/file.c in the Linux kernel before 4.4 allows local users to cause a denial of service (infinite loop) via a writev system call that triggers a zero length for the first segment of an iov. Low CVE-2015-8785 SUSE bug 963765 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 dict.c in libxml2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via an unexpected character immediately after the "<!DOCTYPE html" substring in a crafted HTML document. Moderate CVE-2015-8806 SUSE bug 963963 SUSE bug 965283 SUSE bug 981114 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 drivers/infiniband/hw/cxgb3/iwch_cm.c in the Linux kernel before 4.5 does not properly identify error conditions, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via crafted packets. Moderate CVE-2015-8812 SUSE bug 966437 SUSE bug 966683 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The hub_activate function in drivers/usb/core/hub.c in the Linux kernel before 4.3.5 does not properly maintain a hub-interface data structure, which allows physically proximate attackers to cause a denial of service (invalid memory access and system crash) or possibly have unspecified other impact by unplugging a USB hub device. Moderate CVE-2015-8816 SUSE bug 968010 SUSE bug 979064 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The make_http_soap_request function in ext/soap/php_http.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 does not properly retrieve keys, which allows remote attackers to cause a denial of service (NULL pointer dereference, type confusion, and application crash) or possibly execute arbitrary code via crafted serialized data representing a numerically indexed _cookies array, related to the SoapClient::__call method in ext/soap/soap.c. Moderate CVE-2015-8835 SUSE bug 973351 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 ext/mysqlnd/mysqlnd.c in PHP before 5.4.43, 5.5.x before 5.5.27, and 5.6.x before 5.6.11 uses a client SSL option to mean that SSL is optional, which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, a related issue to CVE-2015-3152. Moderate CVE-2015-8838 SUSE bug 973792 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3-TERADATA The (1) S_reghop3, (2) S_reghop4, and (3) S_reghopmaybe3 functions in regexec.c in Perl before 5.24.0 allow context-dependent attackers to cause a denial of service (infinite loop) via crafted utf-8 data, as demonstrated by "a\x80." Moderate CVE-2015-8853 SUSE bug 976584 SUSE bug 997948 SUSE bug 997950 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 ext/libxml/libxml.c in PHP before 5.5.22 and 5.6.x before 5.6.6, when PHP-FPM is used, does not isolate each thread from libxml_disable_entity_loader changes in other threads, which allows remote attackers to conduct XML External Entity (XXE) and XML Entity Expansion (XEE) attacks via a crafted XML document, a related issue to CVE-2015-5161. Moderate CVE-2015-8866 SUSE bug 976996 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The openssl_random_pseudo_bytes function in ext/openssl/openssl.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 incorrectly relies on the deprecated RAND_pseudo_bytes function, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors. Moderate CVE-2015-8867 SUSE bug 977005 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the ExponentialFunction::ExponentialFunction function in Poppler before 0.40.0 allows remote attackers to cause a denial of service (memory corruption and crash) or possibly execute arbitrary code via an invalid blend mode in the ExtGState dictionary in a crafted PDF document. Moderate CVE-2015-8868 SUSE bug 976844 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in tools/bmp2tiff.c in LibTIFF before 4.0.4 allows remote attackers to cause a denial of service (heap-based buffer over-read), or possibly obtain sensitive information from process memory, via crafted width and length values in RLE4 or RLE8 data in a BMP file. Moderate CVE-2015-8870 SUSE bug 1014461 SUSE bug 1150480 SUSE Linux Enterprise Server 11 SP3-TERADATA The set_fat function in fat.c in dosfstools before 4.0 might allow attackers to corrupt a FAT12 filesystem or cause a denial of service (invalid memory read and crash) by writing an odd number of clusters to the third to last entry on a FAT12 filesystem, which triggers an "off-by-two error." Moderate CVE-2015-8872 SUSE bug 980364 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Stack consumption vulnerability in Zend/zend_exceptions.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 allows remote attackers to cause a denial of service (segmentation fault) via recursive method calls. Moderate CVE-2015-8873 SUSE bug 980366 SUSE bug 980373 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Stack consumption vulnerability in GD in PHP before 5.6.12 allows remote attackers to cause a denial of service via a crafted imagefilltoborder call. Moderate CVE-2015-8874 SUSE bug 980366 SUSE bug 980375 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The odbc_bindcols function in ext/odbc/php_odbc.c in PHP before 5.6.12 mishandles driver behavior for SQL_WVARCHAR columns, which allows remote attackers to cause a denial of service (application crash) in opportunistic circumstances by leveraging use of the odbc_fetch_array function to access a certain type of Microsoft SQL Server table. Moderate CVE-2015-8879 SUSE bug 981050 SUSE Linux Enterprise Server 11 SP3-TERADATA Double free vulnerability in coders/tga.c in ImageMagick 7.0.0 and later allows remote attackers to cause a denial of service (application crash) via a crafted tga file. Moderate CVE-2015-8894 SUSE bug 982969 SUSE bug 983523 SUSE bug 983533 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer truncation issue in coders/pict.c in ImageMagick before 7.0.5-0 allows remote attackers to cause a denial of service (application crash) via a crafted .pict file. Moderate CVE-2015-8896 SUSE bug 982969 SUSE bug 983533 SUSE Linux Enterprise Server 11 SP3-TERADATA The SpliceImage function in MagickCore/transform.c in ImageMagick before 6.9.2-4 allows remote attackers to cause a denial of service (application crash) via a crafted png file. Moderate CVE-2015-8897 SUSE bug 982969 SUSE bug 983739 SUSE bug 983746 SUSE Linux Enterprise Server 11 SP3-TERADATA The WriteImages function in magick/constitute.c in ImageMagick before 6.9.2-4 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted image file. Moderate CVE-2015-8898 SUSE bug 982969 SUSE bug 983739 SUSE bug 983746 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Dnsmasq before 2.76 allows remote servers to cause a denial of service (crash) via a reply with an empty DNS address that has an (1) A or (2) AAAA record defined locally. Moderate CVE-2015-8899 SUSE bug 983273 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick 6.x before 6.9.0-5 Beta allows remote attackers to cause a denial of service (infinite loop) via a crafted MIFF file. Moderate CVE-2015-8901 SUSE bug 983234 SUSE Linux Enterprise Server 11 SP3-TERADATA The ReadBlobByte function in coders/pdb.c in ImageMagick 6.x before 6.9.0-5 Beta allows remote attackers to cause a denial of service (infinite loop) via a crafted PDB file. Moderate CVE-2015-8902 SUSE bug 1052711 SUSE bug 983253 SUSE Linux Enterprise Server 11 SP3-TERADATA The ReadVICARImage function in coders/vicar.c in ImageMagick 6.x before 6.9.0-5 Beta allows remote attackers to cause a denial of service (infinite loop) via a crafted VICAR file. Important CVE-2015-8903 SUSE bug 983259 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The archive_string_append function in archive_string.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (crash) via a crafted cab files, related to "overlapping memcpy." Moderate CVE-2015-8918 SUSE bug 985698 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The _ar_read_header function in archive_read_support_format_ar.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds stack read) via a crafted ar file. Moderate CVE-2015-8920 SUSE bug 985675 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The ae_strtofflags function in archive_entry.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted mtree file. Moderate CVE-2015-8921 SUSE bug 985682 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The archive_read_format_tar_read_header function in archive_read_support_format_tar.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted tar file. Moderate CVE-2015-8924 SUSE bug 985609 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Memory leak in the __archive_read_get_extract function in archive_read_extract2.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service via a tar file. Moderate CVE-2015-8929 SUSE bug 985669 SUSE Linux Enterprise Server 11 SP3-TERADATA The sapi_header_op function in main/SAPI.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 supports deprecated line folding without considering browser compatibility, which allows remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer by leveraging (1) %0A%20 or (2) %0D%0A%20 mishandling in the header function. Moderate CVE-2015-8935 SUSE bug 986004 SUSE Linux Enterprise Server 11 SP3-TERADATA Cross-site scripting (XSS) vulnerability in squidGuard.cgi in squidGuard before 1.5 allows remote attackers to inject arbitrary web script or HTML via a blocked site link. Moderate CVE-2015-8936 SUSE bug 1040287 SUSE bug 985612 SUSE Linux Enterprise Server 11 SP3-TERADATA idn in GNU libidn before 1.33 might allow remote attackers to obtain sensitive memory information by reading a zero byte as input, which triggers an out-of-bounds read. Low CVE-2015-8948 SUSE bug 1014473 SUSE bug 990189 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The rfcomm_sock_bind function in net/bluetooth/rfcomm/sock.c in the Linux kernel before 4.2 allows local users to obtain sensitive information or cause a denial of service (NULL pointer dereference) via vectors involving a bind system call on a Bluetooth RFCOMM socket. Moderate CVE-2015-8956 SUSE bug 1003925 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in ImageMagick before 6.9.0-4 Beta allows remote attackers to cause a denial of service (application crash) via a crafted SUN file. Moderate CVE-2015-8957 SUSE bug 1000690 SUSE bug 1000691 SUSE Linux Enterprise Server 11 SP3-TERADATA coders/sun.c in ImageMagick before 6.9.0-4 Beta allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted SUN file. Moderate CVE-2015-8958 SUSE bug 1000690 SUSE bug 1000691 SUSE bug 1000694 SUSE bug 1028079 SUSE Linux Enterprise Server 11 SP3-TERADATA coders/dds.c in ImageMagick before 6.9.0-4 Beta allows remote attackers to cause a denial of service (CPU consumption) via a crafted DDS file. Moderate CVE-2015-8959 SUSE bug 1000713 SUSE bug 1074610 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Double free vulnerability in the sg_common_write function in drivers/scsi/sg.c in the Linux kernel before 4.4 allows local users to gain privileges or cause a denial of service (memory corruption and system crash) by detaching a device during an SG_IO ioctl call. Important CVE-2015-8962 SUSE bug 1010501 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The tty_set_termios_ldisc function in drivers/tty/tty_ldisc.c in the Linux kernel before 4.5 allows local users to obtain sensitive information from kernel memory by reading a tty data structure. Moderate CVE-2015-8964 SUSE bug 1010507 SUSE bug 1025354 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 crypto/algif_skcipher.c in the Linux kernel before 4.4.2 does not verify that a setkey operation has been performed on an AF_ALG socket before an accept system call is processed, which allows local users to cause a denial of service (NULL pointer dereference and system crash) via a crafted application that does not supply a key, related to the lrw_crypt function in crypto/lrw.c. Moderate CVE-2015-8970 SUSE bug 1008374 SUSE bug 1008850 SUSE Linux Enterprise Server 11 SP3-TERADATA In libxslt 1.1.29 and earlier, the EXSLT math.random function was not initialized with a random seed during startup, which could cause usage of this function to produce predictable outputs. Moderate CVE-2015-9019 SUSE bug 1123130 SUSE bug 934119 SUSE Linux Enterprise Server 11 SP3-TERADATA _XcursorThemeInherits in library.c in libXcursor before 1.1.15 allows remote attackers to cause denial of service or potentially code execution via a one-byte heap overflow. Moderate CVE-2015-9262 SUSE bug 1103511 SUSE bug 1123801 SUSE Linux Enterprise Server 11 SP3-TERADATA In the Linux kernel before 4.1.4, a buffer overflow occurs when checking userspace params in drivers/media/dvb-frontends/cx24116.c. The maximum size for a DiSEqC command is 6, according to the userspace API. However, the code allows larger values such as 23. Important CVE-2015-9289 SUSE bug 1143179 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Buffer overflow in the Java Virtual Machine (JVM) in IBM SDK, Java Technology Edition 6 before SR16 FP25 (6.0.16.25), 6 R1 before SR8 FP25 (6.1.8.25), 7 before SR9 FP40 (7.0.9.40), 7 R1 before SR3 FP40 (7.1.3.40), and 8 before SR3 (8.0.3.0) allows remote attackers to execute arbitrary code via unspecified vectors. Moderate CVE-2016-0264 SUSE bug 977648 SUSE bug 979252 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The com.ibm.CORBA.iiop.ClientDelegate class in IBM SDK, Java Technology Edition 6 before SR16 FP25 (6.0.16.25), 6 R1 before SR8 FP25 (6.1.8.25), 7 before SR9 FP40 (7.0.9.40), 7 R1 before SR3 FP40 (7.1.3.40), and 8 before SR3 (8.0.3.0) uses the invoke method of the java.lang.reflect.Method class in an AccessController doPrivileged block, which allows remote attackers to call setSecurityManager and bypass a sandbox protection mechanism via vectors related to a Proxy object instance implementing the java.lang.reflect.InvocationHandler interface. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-3009. Important CVE-2016-0363 SUSE bug 977650 SUSE bug 979252 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The com.ibm.rmi.io.SunSerializableFactory class in IBM SDK, Java Technology Edition 6 before SR16 FP25 (6.0.16.25), 6 R1 before SR8 FP25 (6.1.8.25), 7 before SR9 FP40 (7.0.9.40), 7 R1 before SR3 FP40 (7.1.3.40), and 8 before SR3 (8.0.3.0) does not properly deserialize classes in an AccessController doPrivileged block, which allows remote attackers to bypass a sandbox protection mechanism and execute arbitrary code as demonstrated by the readValue method of the com.ibm.rmi.io.ValueHandlerPool.ValueHandlerSingleton class, which implements the javax.rmi.CORBA.ValueHandler interface. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-5456. Important CVE-2016-0376 SUSE bug 977646 SUSE bug 977650 SUSE bug 979252 SUSE bug 981057 SUSE bug 981060 SUSE bug 981087 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java SE and Java SE Embedded components in Oracle Java SE 6u105, 7u91, and 8u66 and Java SE Embedded 8u65 allows remote attackers to affect integrity via unknown vectors related to Networking. Important CVE-2016-0402 SUSE bug 960402 SUSE bug 962743 SUSE bug 963937 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java SE and Java SE Embedded components in Oracle Java SE 6u105, 7u91, and 8u66, and Java SE Embedded 8u65 allows remote authenticated users to affect confidentiality via vectors related to JMX. Important CVE-2016-0448 SUSE bug 960402 SUSE bug 962743 SUSE bug 963937 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java SE, Java SE Embedded, and JRockit components in Oracle Java SE 6u105, 7u91, and 8u66; Java SE Embedded 8u65; and JRockit R28.3.8 allows remote attackers to affect availability via vectors related to JAXP. Important CVE-2016-0466 SUSE bug 960402 SUSE bug 962743 SUSE bug 963937 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle Java SE 6u105, 7u91, and 8u66; Java SE Embedded 8u65; and JRockit R28.3.8 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT. NOTE: the previous information is from the January 2016 CPU. Oracle has not commented on third-party claims that this is a heap-based buffer overflow in the readImage function, which allows remote attackers to execute arbitrary code via crafted image data. Important CVE-2016-0483 SUSE bug 960402 SUSE bug 962743 SUSE bug 963937 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in the Java SE and Java SE Embedded components in Oracle Java SE 6u105, 7u91, and 8u66 and Java SE Embedded 8u65 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. Important CVE-2016-0494 SUSE bug 962743 SUSE bug 963937 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL 5.5.31 and earlier and 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer. Moderate CVE-2016-0502 SUSE bug 962779 SUSE bug 962817 SUSE bug 962930 SUSE bug 962931 SUSE bug 962932 SUSE bug 962934 SUSE bug 962935 SUSE bug 962936 SUSE bug 962937 SUSE bug 962938 SUSE bug 962939 SUSE bug 962941 SUSE bug 962942 SUSE bug 962943 SUSE bug 962944 SUSE bug 962945 SUSE bug 962946 SUSE bug 962947 SUSE bug 962948 SUSE bug 962949 SUSE bug 962950 SUSE bug 962951 SUSE bug 962952 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via unknown vectors related to Options. Moderate CVE-2016-0505 SUSE bug 962779 SUSE bug 962817 SUSE bug 962930 SUSE bug 962931 SUSE bug 962932 SUSE bug 962934 SUSE bug 962935 SUSE bug 962936 SUSE bug 962937 SUSE bug 962938 SUSE bug 962939 SUSE bug 962941 SUSE bug 962942 SUSE bug 962943 SUSE bug 962944 SUSE bug 962945 SUSE bug 962946 SUSE bug 962947 SUSE bug 962948 SUSE bug 962949 SUSE bug 962950 SUSE bug 962951 SUSE bug 962952 SUSE bug 980904 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Client. NOTE: the previous information is from the January 2016 CPU. Oracle has not commented on third-party claims that these are multiple buffer overflows in the mysqlshow tool that allow remote database servers to have unspecified impact via a long table or database name. Important CVE-2016-0546 SUSE bug 962779 SUSE bug 962817 SUSE bug 962930 SUSE bug 962931 SUSE bug 962932 SUSE bug 962934 SUSE bug 962935 SUSE bug 962936 SUSE bug 962937 SUSE bug 962938 SUSE bug 962939 SUSE bug 962941 SUSE bug 962942 SUSE bug 962943 SUSE bug 962944 SUSE bug 962945 SUSE bug 962946 SUSE bug 962947 SUSE bug 962948 SUSE bug 962949 SUSE bug 962950 SUSE bug 962951 SUSE bug 962952 SUSE bug 980904 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier and 5.6.27 and earlier and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via vectors related to DML. Moderate CVE-2016-0596 SUSE bug 962779 SUSE bug 962817 SUSE bug 962930 SUSE bug 962931 SUSE bug 962932 SUSE bug 962934 SUSE bug 962935 SUSE bug 962936 SUSE bug 962937 SUSE bug 962938 SUSE bug 962939 SUSE bug 962941 SUSE bug 962942 SUSE bug 962943 SUSE bug 962944 SUSE bug 962945 SUSE bug 962946 SUSE bug 962947 SUSE bug 962948 SUSE bug 962949 SUSE bug 962950 SUSE bug 962951 SUSE bug 962952 SUSE bug 980904 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via unknown vectors related to Optimizer. Moderate CVE-2016-0597 SUSE bug 962779 SUSE bug 962817 SUSE bug 962930 SUSE bug 962931 SUSE bug 962932 SUSE bug 962934 SUSE bug 962935 SUSE bug 962936 SUSE bug 962937 SUSE bug 962938 SUSE bug 962939 SUSE bug 962941 SUSE bug 962942 SUSE bug 962943 SUSE bug 962944 SUSE bug 962945 SUSE bug 962946 SUSE bug 962947 SUSE bug 962948 SUSE bug 962949 SUSE bug 962950 SUSE bug 962951 SUSE bug 962952 SUSE bug 980904 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via vectors related to DML. Moderate CVE-2016-0598 SUSE bug 962779 SUSE bug 962817 SUSE bug 962930 SUSE bug 962931 SUSE bug 962932 SUSE bug 962934 SUSE bug 962935 SUSE bug 962936 SUSE bug 962937 SUSE bug 962938 SUSE bug 962939 SUSE bug 962941 SUSE bug 962942 SUSE bug 962943 SUSE bug 962944 SUSE bug 962945 SUSE bug 962946 SUSE bug 962947 SUSE bug 962948 SUSE bug 962949 SUSE bug 962950 SUSE bug 962951 SUSE bug 962952 SUSE bug 980904 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via unknown vectors related to InnoDB. Moderate CVE-2016-0600 SUSE bug 962779 SUSE bug 962817 SUSE bug 962930 SUSE bug 962931 SUSE bug 962932 SUSE bug 962934 SUSE bug 962935 SUSE bug 962936 SUSE bug 962937 SUSE bug 962938 SUSE bug 962939 SUSE bug 962941 SUSE bug 962942 SUSE bug 962943 SUSE bug 962944 SUSE bug 962945 SUSE bug 962946 SUSE bug 962947 SUSE bug 962948 SUSE bug 962949 SUSE bug 962950 SUSE bug 962951 SUSE bug 962952 SUSE bug 980904 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect integrity via unknown vectors related to encryption. Moderate CVE-2016-0606 SUSE bug 962779 SUSE bug 962817 SUSE bug 962930 SUSE bug 962931 SUSE bug 962932 SUSE bug 962934 SUSE bug 962935 SUSE bug 962936 SUSE bug 962937 SUSE bug 962938 SUSE bug 962939 SUSE bug 962941 SUSE bug 962942 SUSE bug 962943 SUSE bug 962944 SUSE bug 962945 SUSE bug 962946 SUSE bug 962947 SUSE bug 962948 SUSE bug 962949 SUSE bug 962950 SUSE bug 962951 SUSE bug 962952 SUSE bug 980904 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via vectors related to UDF. Moderate CVE-2016-0608 SUSE bug 962779 SUSE bug 962817 SUSE bug 962930 SUSE bug 962931 SUSE bug 962932 SUSE bug 962934 SUSE bug 962935 SUSE bug 962936 SUSE bug 962937 SUSE bug 962938 SUSE bug 962939 SUSE bug 962941 SUSE bug 962942 SUSE bug 962943 SUSE bug 962944 SUSE bug 962945 SUSE bug 962946 SUSE bug 962947 SUSE bug 962948 SUSE bug 962949 SUSE bug 962950 SUSE bug 962951 SUSE bug 962952 SUSE bug 980904 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via unknown vectors related to privileges. Moderate CVE-2016-0609 SUSE bug 962779 SUSE bug 962817 SUSE bug 962930 SUSE bug 962931 SUSE bug 962932 SUSE bug 962934 SUSE bug 962935 SUSE bug 962936 SUSE bug 962937 SUSE bug 962938 SUSE bug 962939 SUSE bug 962941 SUSE bug 962942 SUSE bug 962943 SUSE bug 962944 SUSE bug 962945 SUSE bug 962946 SUSE bug 962947 SUSE bug 962948 SUSE bug 962949 SUSE bug 962950 SUSE bug 962951 SUSE bug 962952 SUSE bug 980904 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via unknown vectors related to Optimizer. Moderate CVE-2016-0616 SUSE bug 962779 SUSE bug 962817 SUSE bug 962930 SUSE bug 962931 SUSE bug 962932 SUSE bug 962934 SUSE bug 962935 SUSE bug 962936 SUSE bug 962937 SUSE bug 962938 SUSE bug 962939 SUSE bug 962941 SUSE bug 962942 SUSE bug 962943 SUSE bug 962944 SUSE bug 962945 SUSE bug 962946 SUSE bug 962947 SUSE bug 962948 SUSE bug 962949 SUSE bug 962950 SUSE bug 962951 SUSE bug 962952 SUSE bug 980904 SUSE Linux Enterprise Server 11 SP3-TERADATA The expansion of '\h' in the prompt string in bash 4.3 allows remote authenticated users to execute arbitrary code via shell metacharacters placed in 'hostname' of a machine. Moderate CVE-2016-0634 SUSE bug 1000396 SUSE bug 1001299 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48, 10.0.x before 10.0.24, and 10.1.x before 10.1.12 allows local users to affect integrity and availability via vectors related to DML. Critical CVE-2016-0640 SUSE bug 976341 SUSE bug 980904 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48, 10.0.x before 10.0.24, and 10.1.x before 10.1.12 allows local users to affect confidentiality and availability via vectors related to MyISAM. Critical CVE-2016-0641 SUSE bug 976341 SUSE bug 980904 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier allows local users to affect integrity and availability via vectors related to Federated. Critical CVE-2016-0642 SUSE bug 976341 SUSE bug 980904 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier and MariaDB before 5.5.49, 10.0.x before 10.0.25, and 10.1.x before 10.1.14 allows local users to affect confidentiality via vectors related to DML. Critical CVE-2016-0643 SUSE bug 976341 SUSE bug 980904 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48, 10.0.x before 10.0.24, and 10.1.x before 10.1.12 allows local users to affect availability via vectors related to DDL. Critical CVE-2016-0644 SUSE bug 976341 SUSE bug 980904 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48, 10.0.x before 10.0.24, and 10.1.x before 10.1.12 allows local users to affect availability via vectors related to DML. Critical CVE-2016-0646 SUSE bug 976341 SUSE bug 980904 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier and MariaDB before 5.5.49, 10.0.x before 10.0.25, and 10.1.x before 10.1.14 allows local users to affect availability via vectors related to FTS. Critical CVE-2016-0647 SUSE bug 976341 SUSE bug 980904 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier and MariaDB before 5.5.49, 10.0.x before 10.0.25, and 10.1.x before 10.1.14 allows local users to affect availability via vectors related to PS. Critical CVE-2016-0648 SUSE bug 976341 SUSE bug 980904 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48, 10.0.x before 10.0.24, and 10.1.x before 10.1.12 allows local users to affect availability via vectors related to PS. Critical CVE-2016-0649 SUSE bug 976341 SUSE bug 980904 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48, 10.0.x before 10.0.24, and 10.1.x before 10.1.12 allows local users to affect availability via vectors related to Replication. Critical CVE-2016-0650 SUSE bug 976341 SUSE bug 980904 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier allows local users to affect availability via vectors related to Optimizer. Critical CVE-2016-0651 SUSE bug 976341 SUSE bug 980904 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier and MariaDB before 5.5.49, 10.0.x before 10.0.25, and 10.1.x before 10.1.14 allows local users to affect availability via vectors related to Security: Privileges. Critical CVE-2016-0666 SUSE bug 976341 SUSE bug 980904 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 and Java SE Embedded 8u77 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Serialization. Important CVE-2016-0686 SUSE bug 976340 SUSE bug 979252 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 and Java SE Embedded 8u77 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to the Hotspot sub-component. Important CVE-2016-0687 SUSE bug 976340 SUSE bug 979252 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The MOD_EXP_CTIME_COPY_FROM_PREBUF function in crypto/bn/bn_exp.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not properly consider cache-bank access times during modular exponentiation, which makes it easier for local users to discover RSA keys by running a crafted application on the same Intel Sandy Bridge CPU core as a victim and leveraging cache-bank conflicts, aka a "CacheBleed" attack. Moderate CVE-2016-0702 SUSE bug 1007806 SUSE bug 968044 SUSE bug 968050 SUSE bug 971238 SUSE bug 990370 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a accepts a nonzero CLIENT-MASTER-KEY CLEAR-KEY-LENGTH value for an arbitrary cipher, which allows man-in-the-middle attackers to determine the MASTER-KEY value and decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, a related issue to CVE-2016-0800. Moderate CVE-2016-0703 SUSE bug 968044 SUSE bug 968046 SUSE bug 968051 SUSE bug 986238 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Double free vulnerability in the dsa_priv_decode function in crypto/dsa/dsa_ameth.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a malformed DSA private key. Critical CVE-2016-0705 SUSE bug 968044 SUSE bug 968047 SUSE bug 971238 SUSE bug 976341 SUSE Linux Enterprise Server 11 SP3-TERADATA Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application. Moderate CVE-2016-0706 SUSE bug 967815 SUSE bug 988489 SUSE Linux Enterprise Server 11 SP3-TERADATA The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session. Important CVE-2016-0714 SUSE bug 967964 SUSE Linux Enterprise Server 11 SP3-TERADATA Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow. Critical CVE-2016-0718 SUSE bug 979441 SUSE bug 991809 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Race condition in the tty_ioctl function in drivers/tty/tty_io.c in the Linux kernel through 4.4.1 allows local users to obtain sensitive information from kernel memory or cause a denial of service (use-after-free and system crash) by making a TIOCGETD ioctl call during processing of a TIOCSETD ioctl call. Moderate CVE-2016-0723 SUSE bug 961500 SUSE OpenStack Cloud 5 Buffer overflow in the ImagingLibTiffDecode function in libImaging/TiffDecode.c in Pillow before 3.1.1 allows remote attackers to overwrite memory via a crafted TIFF file. Moderate CVE-2016-0740 SUSE bug 965579 SUSE bug 965582 SUSE OpenStack Cloud 5 actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly restrict use of the MIME type cache, which allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP Accept header. Important CVE-2016-0751 SUSE bug 963331 SUSE OpenStack Cloud 5 Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname. Important CVE-2016-0752 SUSE bug 963332 SUSE bug 968850 SUSE OpenStack Cloud 5 Active Model in Ruby on Rails 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 supports the use of instance-level writers for class accessors, which allows remote attackers to bypass intended validation steps via crafted parameters. Moderate CVE-2016-0753 SUSE bug 963334 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The ConnectionExists function in lib/url.c in libcurl before 7.47.0 does not properly re-use NTLM-authenticated proxy connections, which might allow remote attackers to authenticate as other users via a request, a similar issue to CVE-2014-0015. Moderate CVE-2016-0755 SUSE bug 962983 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Integer overflow in lib/asn1_decoder.c in the Linux kernel before 4.6 allows local users to gain privileges via crafted ASN.1 data. Important CVE-2016-0758 SUSE bug 979867 SUSE bug 980856 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder. Low CVE-2016-0762 SUSE bug 1007854 SUSE Linux Enterprise Server 11 SP3-TERADATA PostgreSQL before 9.1.20, 9.2.x before 9.2.15, 9.3.x before 9.3.11, 9.4.x before 9.4.6, and 9.5.x before 9.5.1 does not properly restrict access to unspecified custom configuration settings (GUCS) for PL/Java, which allows attackers to gain privileges via unspecified vectors. Important CVE-2016-0766 SUSE bug 966435 SUSE bug 966436 SUSE bug 978323 SUSE Linux Enterprise Server 11 SP3-TERADATA The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack." Moderate CVE-2016-0772 SUSE bug 984751 SUSE Linux Enterprise Server 11 SP3-TERADATA PostgreSQL before 9.1.20, 9.2.x before 9.2.15, 9.3.x before 9.3.11, 9.4.x before 9.4.6, and 9.5.x before 9.5.1 allows remote attackers to cause a denial of service (infinite loop or buffer overflow and crash) via a large Unicode character range in a regular expression. Important CVE-2016-0773 SUSE bug 966435 SUSE bug 966436 SUSE bug 978323 SUSE bug 983246 SUSE bug 986409 SUSE OpenStack Cloud 5 Buffer overflow in the ImagingFliDecode function in libImaging/FliDecode.c in Pillow before 3.1.1 allows remote attackers to cause a denial of service (crash) via a crafted FLI file. Moderate CVE-2016-0775 SUSE bug 965579 SUSE bug 965582 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The resend_bytes function in roaming_common.c in the client in OpenSSH 5.x, 6.x, and 7.x before 7.1p2 allows remote servers to obtain sensitive information from process memory by requesting transmission of an entire buffer, as demonstrated by reading a private key. Critical CVE-2016-0777 SUSE bug 1087412 SUSE bug 961642 SUSE bug 996040 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The (1) roaming_read and (2) roaming_write functions in roaming_common.c in the client in OpenSSH 5.x, 6.x, and 7.x before 7.1p2, when certain proxy and forward options are enabled, do not properly maintain connection file descriptors, which allows remote servers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact by requesting many forwardings. Important CVE-2016-0778 SUSE bug 1087412 SUSE bug 961645 SUSE bug 996040 SUSE Linux Enterprise Server 11 SP3-TERADATA The diffie_hellman_sha256 function in kex.c in libssh2 before 1.7.0 improperly truncates secrets to 128 or 256 bits, which makes it easier for man-in-the-middle attackers to decrypt or intercept SSH sessions via unspecified vectors, aka a "bits/bytes confusion bug." Moderate CVE-2016-0787 SUSE bug 1149968 SUSE bug 967026 SUSE bug 968174 SUSE bug 974691 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Multiple integer overflows in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allow remote attackers to cause a denial of service (heap memory corruption or NULL pointer dereference) or possibly have unspecified other impact via a long digit string that is mishandled by the (1) BN_dec2bn or (2) BN_hex2bn function, related to crypto/bn/bn.h and crypto/bn/bn_print.c. Important CVE-2016-0797 SUSE bug 968044 SUSE bug 968048 SUSE bug 990370 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The fmtstr function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g improperly calculates string lengths, which allows remote attackers to cause a denial of service (overflow and out-of-bounds read) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-2842. Critical CVE-2016-0799 SUSE bug 968044 SUSE bug 968374 SUSE bug 969517 SUSE bug 989345 SUSE bug 990370 SUSE bug 991722 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a "DROWN" attack. Moderate CVE-2016-0800 SUSE bug 1106871 SUSE bug 961377 SUSE bug 968044 SUSE bug 968046 SUSE bug 968888 SUSE bug 979060 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The pagemap_open function in fs/proc/task_mmu.c in the Linux kernel before 3.19.3, as used in Android 6.0.1 before 2016-03-01, allows local users to obtain sensitive physical-address information by reading a pagemap file, aka Android internal bug 25739721. Moderate CVE-2016-0823 SUSE bug 994759 SUSE Linux Enterprise Server 11 SP3-TERADATA Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution Critical CVE-2016-1000031 SUSE bug 1128963 SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Moderate CVE-2016-1000110 SUSE bug 988484 SUSE bug 989523 SUSE Linux Enterprise Server 11 SP3-TERADATA Incorrect processing of responses to If-None-Modified HTTP conditional requests in Squid HTTP Proxy 3.1.10 through 3.1.23, 3.2.0.3 through 3.5.22, and 4.0.1 through 4.0.16 leads to client-specific Cookie data being leaked to other clients. Attack requests can easily be crafted by a client to probe a cache for this information. Moderate CVE-2016-10002 SUSE bug 1016168 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Untrusted search path vulnerability in ssh-agent.c in ssh-agent in OpenSSH before 7.4 allows remote attackers to execute arbitrary local PKCS#11 modules by leveraging control over a forwarded agent-socket. Moderate CVE-2016-10009 SUSE bug 1016336 SUSE bug 1016366 SUSE bug 1016370 SUSE bug 1017555 SUSE bug 1017870 SUSE bug 1021751 SUSE bug 1025354 SUSE bug 1026634 SUSE bug 1087412 SUSE bug 1138392 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 authfile.c in sshd in OpenSSH before 7.4 does not properly consider the effects of realloc on buffer contents, which might allow local users to obtain sensitive private-key information by leveraging access to a privilege-separated child process. Moderate CVE-2016-10011 SUSE bug 1016336 SUSE bug 1016369 SUSE bug 1016370 SUSE bug 1017870 SUSE bug 1025354 SUSE bug 1026634 SUSE bug 1087412 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The shared memory manager (associated with pre-authentication compression) in sshd in OpenSSH before 7.4 does not ensure that a bounds check is enforced by all compilers, which might allows local users to gain privileges by leveraging access to a sandboxed privilege-separation process, related to the m_zback and m_zlib data structures. Moderate CVE-2016-10012 SUSE bug 1006166 SUSE bug 1016369 SUSE bug 1016370 SUSE bug 1017870 SUSE bug 1021751 SUSE bug 1025354 SUSE bug 1026634 SUSE bug 1034031 SUSE bug 1035742 SUSE bug 1073044 SUSE bug 1090629 SUSE bug 1092582 SUSE bug 1093652 SUSE bug 1138392 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Xen through 4.8.x allows local 64-bit x86 HVM guest OS users to gain privileges by leveraging mishandling of SYSCALL singlestep during emulation. Important CVE-2016-10013 SUSE bug 1016340 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Xen through 4.8.x allows local x86 PV guest OS kernel administrators to cause a denial of service (host hang or crash) by modifying the instruction stream asynchronously while performing certain kernel operations. Moderate CVE-2016-10024 SUSE bug 1014298 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the DrawImage function in magick/draw.c in ImageMagick before 6.9.5-5 allows remote attackers to cause a denial of service (application crash) via a crafted image file. Moderate CVE-2016-10046 SUSE bug 1016742 SUSE bug 1017308 SUSE Linux Enterprise Server 11 SP3-TERADATA Directory traversal vulnerability in magick/module.c in ImageMagick 6.9.4-7 allows remote attackers to load arbitrary modules via unspecified vectors. Moderate CVE-2016-10048 SUSE bug 1017310 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in the ReadRLEImage function in coders/rle.c in ImageMagick before 6.9.4-4 allows remote attackers to cause a denial of service (application crash) or have other unspecified impact via a crafted RLE file. Moderate CVE-2016-10049 SUSE bug 1017311 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the ReadRLEImage function in coders/rle.c in ImageMagick 6.9.4-8 allows remote attackers to cause a denial of service (application crash) or have other unspecified impact via a crafted RLE file. Moderate CVE-2016-10050 SUSE bug 1017312 SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in the ReadPWPImage function in coders/pwp.c in ImageMagick 6.9.5-5 allows remote attackers to cause a denial of service (application crash) or have other unspecified impact via a crafted file. Moderate CVE-2016-10051 SUSE bug 1017313 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in the WriteProfile function in coders/jpeg.c in ImageMagick before 6.9.5-6 allows remote attackers to cause a denial of service (application crash) or have other unspecified impact via a crafted file. Moderate CVE-2016-10052 SUSE bug 1017314 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in coders/tiff.c in ImageMagick before 6.9.4-1 allows remote attackers to cause a denial of service (application crash) or have unspecified other impact via a crafted TIFF file. Moderate CVE-2016-10059 SUSE bug 1017318 SUSE Linux Enterprise Server 11 SP3-TERADATA The ConcatenateImages function in MagickWand/magick-cli.c in ImageMagick before 7.0.1-10 does not check the return value of the fputc function, which allows remote attackers to cause a denial of service (application crash) via a crafted file. Low CVE-2016-10060 SUSE bug 1017319 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in coders/tiff.c in ImageMagick before 6.9.5-1 allows remote attackers to cause a denial of service (application crash) or have other unspecified impact via a crafted file, related to extend validity. Moderate CVE-2016-10063 SUSE bug 1016589 SUSE bug 1017320 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in coders/tiff.c in ImageMagick before 6.9.5-1 allows remote attackers to cause a denial of service (application crash) or have other unspecified impact via a crafted file. Low CVE-2016-10064 SUSE bug 1016590 SUSE bug 1017321 SUSE Linux Enterprise Server 11 SP3-TERADATA The ReadVIFFImage function in coders/viff.c in ImageMagick before 7.0.1-0 allows remote attackers to cause a denial of service (application crash) or have other unspecified impact via a crafted file. Moderate CVE-2016-10065 SUSE bug 1016591 SUSE bug 1017322 SUSE Linux Enterprise Server 11 SP3-TERADATA The MSL interpreter in ImageMagick before 6.9.6-4 allows remote attackers to cause a denial of service (segmentation fault and application crash) via a crafted XML file. Low CVE-2016-10068 SUSE bug 1017324 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the CalcMinMax function in coders/mat.c in ImageMagick before 6.9.4-0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted mat file. Low CVE-2016-10070 SUSE bug 1017326 SUSE Linux Enterprise Server 11 SP3-TERADATA coders/mat.c in ImageMagick before 6.9.4-0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted mat file. Moderate CVE-2016-10071 SUSE bug 1017326 SUSE Linux Enterprise Server 11 SP3-TERADATA The png_set_text_2 function in libpng 0.71 before 1.0.67, 1.2.x before 1.2.57, 1.4.x before 1.4.20, 1.5.x before 1.5.28, and 1.6.x before 1.6.27 allows context-dependent attackers to cause a NULL pointer dereference vectors involving loading a text chunk into a png structure, removing the text, and then adding another text chunk to the structure. Low CVE-2016-10087 SUSE bug 1017646 SUSE bug 1149680 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The sg implementation in the Linux kernel through 4.9 does not properly restrict write operations in situations where the KERNEL_DS option is set, which allows local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device, related to block/bsg.c and drivers/scsi/sg.c. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-9576. Important CVE-2016-10088 SUSE bug 1013604 SUSE bug 1014271 SUSE bug 1017710 SUSE bug 1019079 SUSE Linux Enterprise Server 11 SP3-TERADATA Nagios 4.3.2 and earlier allows local users to gain root privileges via a hard link attack on the Nagios init script file, related to CVE-2016-8641. Moderate CVE-2016-10089 SUSE bug 1011630 SUSE bug 1018047 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the readContigStripsIntoBuffer function in tif_unix.c in LibTIFF 4.0.7 allows remote attackers to have unspecified impact via a crafted image. Important CVE-2016-10092 SUSE bug 1017693 SUSE bug 1122679 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in tools/tiffcp.c in LibTIFF 4.0.7 allows remote attackers to have unspecified impact via a crafted image, which triggers a heap-based buffer overflow. Important CVE-2016-10093 SUSE bug 1017693 SUSE bug 1122679 SUSE Linux Enterprise Server 11 SP3-TERADATA Off-by-one error in the t2p_readwrite_pdf_image_tile function in tools/tiff2pdf.c in LibTIFF 4.0.7 allows remote attackers to have unspecified impact via a crafted image. Important CVE-2016-10094 SUSE bug 1017693 SUSE bug 1122679 SUSE Linux Enterprise Server 11 SP3-TERADATA Stack-based buffer overflow in the _TIFFVGetField function in tif_dir.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (crash) via a crafted TIFF file. Important CVE-2016-10095 SUSE bug 1017690 SUSE bug 960341 SUSE bug 983436 SUSE Linux Enterprise Server 11 SP3-TERADATA coders/ipl.c in ImageMagick allows remote attackers to have unspecific impact by leveraging a missing malloc check. Moderate CVE-2016-10144 SUSE bug 1020433 SUSE Linux Enterprise Server 11 SP3-TERADATA Off-by-one error in coders/wpg.c in ImageMagick allows remote attackers to have unspecified impact via vectors related to a string copy. Moderate CVE-2016-10145 SUSE bug 1020435 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple memory leaks in the caption and label handling code in ImageMagick allow remote attackers to cause a denial of service (memory consumption) via unspecified vectors. Moderate CVE-2016-10146 SUSE bug 1020443 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Memory leak in hw/watchdog/wdt_i6300esb.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption and QEMU process crash) via a large number of device unplug operations. Moderate CVE-2016-10155 SUSE bug 1021129 SUSE bug 1024183 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The exif_convert_any_to_int function in ext/exif/exif.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (application crash) via crafted EXIF data that triggers an attempt to divide the minimum representable negative integer by -1. Moderate CVE-2016-10158 SUSE bug 1022219 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Integer overflow in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote attackers to cause a denial of service (memory consumption or application crash) via a truncated manifest entry in a PHAR archive. Moderate CVE-2016-10159 SUSE bug 1022255 SUSE bug 1048094 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Off-by-one error in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted PHAR archive with an alias mismatch. Moderate CVE-2016-10160 SUSE bug 1022257 SUSE bug 1048094 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The object_common1 function in ext/standard/var_unserializer.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (buffer over-read and application crash) via crafted serialized data that is mishandled in a finish_nested_data call. Moderate CVE-2016-10161 SUSE bug 1022260 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple integer overflows in libXpm before 3.5.12, when a program requests parsing XPM extensions on a 64-bit platform, allow remote attackers to cause a denial of service (out-of-bounds write) or execute arbitrary code via (1) the number of extensions or (2) their concatenated length in a crafted XPM file, which triggers a heap-based buffer overflow. Moderate CVE-2016-10164 SUSE bug 1021315 SUSE bug 1123144 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The Type_MLU_Read function in cmstypes.c in Little CMS (aka lcms2) allows remote attackers to obtain sensitive information or cause a denial of service via an image with a crafted ICC profile, which triggers an out-of-bounds heap read. Moderate CVE-2016-10165 SUSE bug 1021364 SUSE bug 1064069 SUSE bug 1070162 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Integer underflow in the _gdContributionsAlloc function in gd_interpolation.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to have unspecified impact via vectors related to decrementing the u variable. Moderate CVE-2016-10166 SUSE bug 1022069 SUSE bug 1022263 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The gdImageCreateFromGd2Ctx function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to cause a denial of service (application crash) via a crafted image file. Moderate CVE-2016-10167 SUSE bug 1022069 SUSE bug 1022264 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Integer overflow in gd_io.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to have unspecified impact via vectors involving the number of horizontal and vertical chunks in an image. Moderate CVE-2016-10168 SUSE bug 1022069 SUSE bug 1022265 SUSE Linux Enterprise Server 11 SP3-TERADATA The read_code function in read_words.c in Wavpack before 5.1.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted WV file. Low CVE-2016-10169 SUSE bug 1021483 SUSE Linux Enterprise Server 11 SP3-TERADATA The WriteCaffHeader function in cli/caff.c in Wavpack before 5.1.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted WV file. Low CVE-2016-10170 SUSE bug 1021483 SUSE Linux Enterprise Server 11 SP3-TERADATA The unreorder_channels function in cli/wvunpack.c in Wavpack before 5.1.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted WV file. Low CVE-2016-10171 SUSE bug 1021483 SUSE Linux Enterprise Server 11 SP3-TERADATA The read_new_config_info function in open_utils.c in Wavpack before 5.1.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted WV file. Low CVE-2016-10172 SUSE bug 1021483 SUSE Linux Enterprise Server 11 SP3-TERADATA The name_parse function in evdns.c in libevent before 2.1.6-beta allows remote attackers to have unspecified impact via vectors involving the label_len variable, which triggers an out-of-bounds stack read. Moderate CVE-2016-10195 SUSE bug 1022917 SUSE bug 1035082 SUSE bug 1035209 SUSE bug 1075618 SUSE bug 1123122 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Stack-based buffer overflow in the evutil_parse_sockaddr_port function in evutil.c in libevent before 2.1.6-beta allows attackers to cause a denial of service (segmentation fault) via vectors involving a long string in brackets in the ip_as_string argument. Moderate CVE-2016-10196 SUSE bug 1022918 SUSE bug 1035082 SUSE bug 1035209 SUSE bug 1075618 SUSE Linux Enterprise Server 11 SP3-TERADATA The search_make_new function in evdns.c in libevent before 2.1.6-beta allows attackers to cause a denial of service (out-of-bounds read) via an empty hostname. Moderate CVE-2016-10197 SUSE bug 1022919 SUSE bug 1035082 SUSE bug 1035209 SUSE bug 1075618 SUSE bug 1123122 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Race condition in the L2TPv3 IP Encapsulation feature in the Linux kernel before 4.8.14 allows local users to gain privileges or cause a denial of service (use-after-free) by making multiple bind system calls without properly ascertaining whether a socket has the SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c. Important CVE-2016-10200 SUSE bug 1027179 SUSE bug 1028415 SUSE Linux Enterprise Server 11 SP3-TERADATA The intersect function in base/gxfill.c in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted file. Low CVE-2016-10219 SUSE bug 1032138 SUSE Linux Enterprise Server 11 SP3-TERADATA The parse_charstrings function in type1/t1load.c in FreeType 2 before 2.7 does not ensure that a font contains a glyph name, which allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted file. Moderate CVE-2016-10244 SUSE bug 1028103 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in the jpc_pi_nextcprl function in jpc_t2cod.c in JasPer before 1.900.20 allows remote attackers to have unspecified impact via a crafted file, which triggers use of an uninitialized value. Moderate CVE-2016-10251 SUSE bug 1029497 SUSE Linux Enterprise Server 11 SP3-TERADATA The allocate_elf function in common.h in elfutils before 0.168 allows remote attackers to cause a denial of service (crash) via a crafted ELF file, which triggers a memory allocation failure. Low CVE-2016-10254 SUSE bug 1030472 SUSE Linux Enterprise Server 11 SP3-TERADATA The __libelf_set_rawdata_wrlock function in elf_getdata.c in elfutils before 0.168 allows remote attackers to cause a denial of service (crash) via a crafted (1) sh_off or (2) sh_size ELF header value, which triggers a memory allocation failure. Low CVE-2016-10255 SUSE bug 1030472 SUSE bug 1030476 SUSE Linux Enterprise Server 11 SP3-TERADATA LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted TIFF image, related to libtiff/tif_read.c:351:22. Moderate CVE-2016-10266 SUSE bug 1017694 SUSE bug 1031263 SUSE Linux Enterprise Server 11 SP3-TERADATA LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted TIFF image, related to libtiff/tif_ojpeg.c:816:8. Moderate CVE-2016-10267 SUSE bug 1017694 SUSE bug 1031262 SUSE Linux Enterprise Server 11 SP3-TERADATA tools/tiffcp.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (integer underflow and heap-based buffer under-read) or possibly have unspecified other impact via a crafted TIFF image, related to "READ of size 78490" and libtiff/tif_unix.c:115:23. Moderate CVE-2016-10268 SUSE bug 1017693 SUSE bug 1031255 SUSE Linux Enterprise Server 11 SP3-TERADATA LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted TIFF image, related to "READ of size 512" and libtiff/tif_unix.c:340:2. Moderate CVE-2016-10269 SUSE bug 1017693 SUSE bug 1031254 SUSE Linux Enterprise Server 11 SP3-TERADATA LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted TIFF image, related to "READ of size 8" and libtiff/tif_read.c:523:22. Moderate CVE-2016-10270 SUSE bug 1031250 SUSE Linux Enterprise Server 11 SP3-TERADATA FreeType 2 before 2016-12-16 has an out-of-bounds write caused by a heap-based buffer overflow related to the cff_parser_run function in cff/cffparse.c. Important CVE-2016-10328 SUSE bug 1034191 SUSE bug 1123117 SUSE Linux Enterprise Server 11 SP3-TERADATA The racoon daemon in IPsec-Tools 0.8.2 contains a remotely exploitable computational-complexity attack when parsing and storing ISAKMP fragments. The implementation permits a remote attacker to exhaust computational resources on the remote endpoint by repeatedly sending ISAKMP fragment packets in a particular order such that the worst-case computational complexity is realized in the algorithm utilized to determine if reassembly of the fragments can take place. Moderate CVE-2016-10396 SUSE bug 1047443 SUSE Linux Enterprise Server 11 SP3-TERADATA In PHP before 5.6.28 and 7.x before 7.0.13, incorrect handling of various URI components in the URL parser could be used by attackers to bypass hostname-specific URL checks, as demonstrated by evil.example.com:80#@good.example.com/ and evil.example.com:80?@good.example.com/ inputs to the parse_url function (implemented in the php_url_parse_ex function in ext/standard/url.c). Moderate CVE-2016-10397 SUSE bug 1047454 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c. Moderate CVE-2016-10708 SUSE bug 1076957 SUSE bug 1087412 SUSE bug 1102768 SUSE bug 1138392 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA In PHP before 5.5.32, 5.6.x before 5.6.18, and 7.x before 7.0.3, all of the return values of stream_get_meta_data can be controlled if the input can be controlled (e.g., during file uploads). For example, a "$uri = stream_get_meta_data(fopen($file, "r"))['uri']" call mishandles the case where $file is data:text/plain;uri=eviluri, -- in other words, metadata can be set by an attacker. Important CVE-2016-10712 SUSE bug 1080234 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in GNU patch before 2.7.6. Out-of-bounds access within pch_write_line() in pch.c can possibly lead to DoS via a crafted input file. Moderate CVE-2016-10713 SUSE bug 1080918 SUSE bug 1101128 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in Amanda 3.3.1. A user with backup privileges can trivially compromise a client installation. The "runtar" setuid root binary does not check for additional arguments supplied after --create, allowing users to manipulate commands and perform command injection as root. Moderate CVE-2016-10729 SUSE bug 1110797 SUSE bug 1112916 SUSE Linux Enterprise Server 11 SP3-TERADATA In the Linux kernel before 4.9.3, fs/xfs/xfs_aops.c allows local users to cause a denial of service (system crash) because there is a race condition between direct and memory-mapped I/O (associated with a hole) that is handled with BUG_ON instead of an I/O failure. Moderate CVE-2016-10741 SUSE bug 1114920 SUSE bug 1124010 SUSE Linux Enterprise Server 11 SP3-TERADATA Stack-based buffer overflow in the glob implementation in GNU C Library (aka glibc) before 2.24, when GLOB_ALTDIRFUNC is used, allows context-dependent attackers to cause a denial of service (crash) via a long name. Moderate CVE-2016-1234 SUSE bug 1020940 SUSE bug 969727 SUSE bug 988770 SUSE bug 988782 SUSE bug 989127 SUSE Linux Enterprise Server 11 SP3-TERADATA (1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory. Moderate CVE-2016-1238 SUSE bug 1108749 SUSE bug 1123389 SUSE bug 987887 SUSE bug 988311 SUSE Linux Enterprise Server 11 SP3-TERADATA It was discovered that the zebra daemon in Quagga before 1.0.20161017 suffered from a stack-based buffer overflow when processing IPv6 Neighbor Discovery messages. The root cause was relying on BUFSIZ to be compatible with a message size; however, BUFSIZ is system-dependent. Moderate CVE-2016-1245 SUSE bug 1005258 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in the DBD::mysql module before 4.037 for Perl allows context-dependent attackers to cause a denial of service (crash) via vectors related to an error message. Moderate CVE-2016-1246 SUSE bug 1002626 SUSE Linux Enterprise Server 11 SP3-TERADATA vim before patch 8.0.0056 does not properly validate values for the 'filetype', 'syntax' and 'keymap' options, which may result in the execution of arbitrary code if a file with a specially crafted modeline is opened. Important CVE-2016-1248 SUSE bug 1010685 SUSE Linux Enterprise Server 11 SP3-TERADATA The DBD::mysql module before 4.039 for Perl, when using server-side prepared statement support, allows attackers to cause a denial of service (out-of-bounds read) via vectors involving an unaligned number of placeholders in WHERE condition and output fields in SELECT expression. Low CVE-2016-1249 SUSE bug 1010457 SUSE Linux Enterprise Server 11 SP3-TERADATA There is a vulnerability of type use-after-free affecting DBD::mysql (aka DBD-mysql or the Database Interface (DBI) MySQL driver for Perl) 3.x and 4.x before 4.041 when used with mysql_server_prepare=1. Important CVE-2016-1251 SUSE bug 1012546 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 named in ISC BIND 9.x before 9.9.8-P4 and 9.10.x before 9.10.3-P4 does not properly handle DNAME records when parsing fetch reply messages, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a malformed packet to the rndc (aka control channel) interface, related to alist.c and sexpr.c. Moderate CVE-2016-1285 SUSE bug 970072 SUSE bug 978322 SUSE bug 981200 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 named in ISC BIND 9.x before 9.9.8-P4 and 9.10.x before 9.10.3-P4 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a crafted signature record for a DNAME record, related to db.c and resolver.c. Important CVE-2016-1286 SUSE bug 970073 SUSE bug 978322 SUSE bug 981200 SUSE Linux Enterprise Server 11 SP3-TERADATA The SillMap::readFace function in FeatureMap.cpp in Libgraphite in Graphite 2 1.2.4, as used in Mozilla Firefox before 43.0 and Firefox ESR 38.x before 38.6.1, mishandles a return value, which allows remote attackers to cause a denial of service (missing initialization, NULL pointer dereference, and application crash) via a crafted Graphite smart font. Important CVE-2016-1523 SUSE bug 965803 SUSE bug 965806 SUSE bug 965807 SUSE bug 965810 SUSE bug 967087 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 An off-path attacker can cause a preemptible client association to be demobilized in NTP 4.2.8p4 and earlier and NTPSec a5fb34b9cc89b92a8fef2f459004865c93bb7f92 by sending a crypto NAK packet to a victim client with a spoofed source address of an existing associated peer. This is true even if authentication is enabled. Moderate CVE-2016-1547 SUSE bug 962784 SUSE bug 977446 SUSE bug 977459 SUSE bug 982064 SUSE bug 982065 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 An attacker can spoof a packet from a legitimate ntpd server with an origin timestamp that matches the peer->dst timestamp recorded for that server. After making this switch, the client in NTP 4.2.8p4 and earlier and NTPSec aa48d001683e5b791a743ec9c575aaf7d867a2b0c will reject all future legitimate server responses. It is possible to force the victim client to move time after the mode has been changed. ntpq gives no indication that the mode has been switched. Important CVE-2016-1548 SUSE bug 959243 SUSE bug 977446 SUSE bug 977461 SUSE bug 982068 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 A malicious authenticated peer can create arbitrarily-many ephemeral associations in order to win the clock selection algorithm in ntpd in NTP 4.2.8p4 and earlier and NTPsec 3e160db8dc248a0bcb053b56a80167dc742d2b74 and a5fb34b9cc89b92a8fef2f459004865c93bb7f92 and modify a victim's clock. Moderate CVE-2016-1549 SUSE bug 1083424 SUSE bug 977446 SUSE bug 977451 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 An exploitable vulnerability exists in the message authentication functionality of libntp in ntp 4.2.8p4 and NTPSec a5fb34b9cc89b92a8fef2f459004865c93bb7f92. An attacker can send a series of crafted messages to attempt to recover the message digest key. Moderate CVE-2016-1550 SUSE bug 977446 SUSE bug 977464 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 ntpd in NTP 4.2.8p3 and NTPsec a5fb34b9cc89b92a8fef2f459004865c93bb7f92 relies on the underlying operating system to protect it from requests that impersonate reference clocks. Because reference clocks are treated like other peers and stored in the same structure, any packet with a source ip address of a reference clock (127.127.1.1 for example) that reaches the receive() function will match that reference clock's peer record and will be treated as a trusted peer. Any system that lacks the typical martian packet filtering which would block these packets is in danger of having its time controlled by an attacker. Moderate CVE-2016-1551 SUSE bug 977446 SUSE bug 977450 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in hw/ide/ahci.c in QEMU, when built with IDE AHCI Emulation support, allows guest OS users to cause a denial of service (instance crash) or possibly execute arbitrary code via an invalid AHCI Native Command Queuing (NCQ) AIO command. Important CVE-2016-1568 SUSE bug 961332 SUSE bug 961333 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The PV superpage functionality in arch/x86/mm.c in Xen 3.4.0, 3.4.1, and 4.1.x through 4.6.x allows local PV guests to obtain sensitive information, cause a denial of service, gain privileges, or have unspecified other impact via a crafted page identifier (MFN) to the (1) MMUEXT_MARK_SUPER or (2) MMUEXT_UNMARK_SUPER sub-op in the HYPERVISOR_mmuext_op hypercall or (3) unknown vectors related to page table updates. Important CVE-2016-1570 SUSE bug 960861 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The paging_invlpg function in include/asm-x86/paging.h in Xen 3.3.x through 4.6.x, when using shadow mode paging or nested virtualization is enabled, allows local HVM guest users to cause a denial of service (host crash) via a non-canonical guest address in an INVVPID instruction, which triggers a hypervisor bug check. Moderate CVE-2016-1571 SUSE bug 960861 SUSE bug 960862 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA mount.ecryptfs_private.c in eCryptfs-utils does not validate mount destination filesystem types, which allows local users to gain privileges by mounting over a nonstandard filesystem, as demonstrated by /proc/$pid. Moderate CVE-2016-1572 SUSE bug 962052 SUSE Linux Enterprise Server 11 SP3-TERADATA Double free vulnerability in the jas_iccattrval_destroy function in JasPer 1.900.1 and earlier allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted ICC color profile in a JPEG 2000 image file, a different vulnerability than CVE-2014-8137. Important CVE-2016-1577 SUSE bug 968373 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The ecryptfs_privileged_open function in fs/ecryptfs/kthread.c in the Linux kernel before 4.6.3 allows local users to gain privileges or cause a denial of service (stack memory consumption) via vectors involving crafted mmap calls for /proc pathnames, leading to recursive pagefault handling. Important CVE-2016-1583 SUSE bug 1052256 SUSE bug 983143 SUSE bug 983144 SUSE bug 990058 SUSE Linux Enterprise Server 11 SP3-TERADATA A code injection in the supportconfig data collection tool in supportutils in SUSE Linux Enterprise Server 12 and 12-SP1 and SUSE Linux Enterprise Desktop 12 and 12-SP1 could be used by local attackers to execute code as the user running supportconfig (usually root). Important CVE-2016-1602 SUSE bug 1063385 SUSE bug 980670 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The (1) fw_cfg_write and (2) fw_cfg_read functions in hw/nvram/fw_cfg.c in QEMU before 2.4, when built with the Firmware Configuration device emulation support, allow guest OS users with the CAP_SYS_RAWIO privilege to cause a denial of service (out-of-bounds read or write access and process crash) or possibly execute arbitrary code via an invalid current entry value in a firmware configuration. Important CVE-2016-1714 SUSE bug 961691 SUSE bug 961692 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The xmlNextChar function in libxml2 before 2.9.4 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted XML document. Moderate CVE-2016-1762 SUSE bug 1123919 SUSE bug 981040 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The htmlCurrentChar function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted XML document. Important CVE-2016-1833 SUSE bug 1123919 SUSE bug 981108 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Heap-based buffer overflow in the xmlStrncat function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document. Important CVE-2016-1834 SUSE bug 1123919 SUSE bug 981041 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Use-after-free vulnerability in the xmlSAX2AttributeNs function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2 and OS X before 10.11.5, allows remote attackers to cause a denial of service via a crafted XML document. Important CVE-2016-1835 SUSE bug 1123919 SUSE bug 981109 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Multiple use-after-free vulnerabilities in the (1) htmlPArsePubidLiteral and (2) htmlParseSystemiteral functions in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allow remote attackers to cause a denial of service via a crafted XML document. Important CVE-2016-1837 SUSE bug 1123919 SUSE bug 981111 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The xmlPArserPrintFileContextInternal function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted XML document. Important CVE-2016-1838 SUSE bug 1123919 SUSE bug 981112 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The xmlDictAddString function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted XML document. Moderate CVE-2016-1839 SUSE bug 1039069 SUSE bug 1039661 SUSE bug 1069433 SUSE bug 1069690 SUSE bug 1123919 SUSE bug 963963 SUSE bug 981114 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Heap-based buffer overflow in the xmlFAParsePosCharGroup function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document. Important CVE-2016-1840 SUSE bug 1123919 SUSE bug 981115 SUSE Linux Enterprise Server 11 SP3-TERADATA The jpc_pi_nextcprl function in JasPer 1.900.1 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted JPEG 2000 image. Moderate CVE-2016-1867 SUSE bug 961886 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The client in OpenSSH before 7.2 mishandles failed cookie generation for untrusted X11 forwarding and relies on the local X11 server for access-control decisions, which allows remote X11 clients to trigger a fallback and obtain trusted X11 forwarding privileges by leveraging configuration issues on this X11 server, as demonstrated by lack of the SECURITY extension on this X11 server. Low CVE-2016-1908 SUSE bug 1001712 SUSE bug 1005738 SUSE bug 1087412 SUSE bug 1138392 SUSE bug 962313 SUSE bug 996040 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA QEMU (aka Quick Emulator) built with the TPR optimization for 32-bit Windows guests support is vulnerable to a null pointer dereference flaw. It occurs while doing I/O port write operations via hmp interface. In that, 'current_cpu' remains null, which leads to the null pointer dereference. A user or process could use this flaw to crash the QEMU instance, resulting in DoS issue. Moderate CVE-2016-1922 SUSE bug 962320 SUSE bug 962321 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer underflow in header.c in lha allows remote attackers to have unspecified impact via a large header size value for the (1) level0 or (2) level1 header in a lha archive, which triggers a buffer overflow. Moderate CVE-2016-1925 SUSE bug 962528 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 44.0 and Firefox ESR 38.x before 38.6 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Critical CVE-2016-1930 SUSE bug 963520 SUSE bug 963632 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in the BufferSubData function in Mozilla Firefox before 44.0 and Firefox ESR 38.x before 38.6 allows remote attackers to execute arbitrary code via crafted WebGL content. Important CVE-2016-1935 SUSE bug 963520 SUSE bug 963635 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP3-TERADATA The s_mp_div function in lib/freebl/mpi/mpi.c in Mozilla Network Security Services (NSS) before 3.21, as used in Mozilla Firefox before 44.0, improperly divides numbers, which might make it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging use of the (1) mp_div or (2) mp_exptmod function. Moderate CVE-2016-1938 SUSE bug 963731 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Heap-based buffer overflow in Mozilla Network Security Services (NSS) before 3.19.2.3 and 3.20.x and 3.21.x before 3.21.1, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to execute arbitrary code via crafted ASN.1 data in an X.509 certificate. Important CVE-2016-1950 SUSE bug 969894 SUSE bug 970257 SUSE bug 970377 SUSE bug 970378 SUSE bug 970379 SUSE bug 970380 SUSE bug 970381 SUSE bug 970431 SUSE bug 970433 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Important CVE-2016-1952 SUSE bug 969894 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 45.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to js/src/jit/arm/Assembler-arm.cpp, and unknown other vectors. Important CVE-2016-1953 SUSE bug 969894 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The nsCSPContext::SendReports function in dom/security/nsCSPContext.cpp in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7 does not prevent use of a non-HTTP report-uri for a Content Security Policy (CSP) violation report, which allows remote attackers to cause a denial of service (data overwrite) or possibly gain privileges by specifying a URL of a local file. Important CVE-2016-1954 SUSE bug 969894 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Memory leak in libstagefright in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7 allows remote attackers to cause a denial of service (memory consumption) via an MPEG-4 file that triggers a delete operation on an array. Moderate CVE-2016-1957 SUSE bug 969894 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA browser/base/content/browser.js in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7 allows remote attackers to spoof the address bar via a javascript: URL. Moderate CVE-2016-1958 SUSE bug 969894 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Integer underflow in the nsHtml5TreeBuilder class in the HTML5 string parser in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7 allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) by leveraging mishandling of end tags, as demonstrated by incorrect SVG processing, aka ZDI-CAN-3545. Important CVE-2016-1960 SUSE bug 969894 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in the nsHTMLDocument::SetBody function in dom/html/nsHTMLDocument.cpp in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7 allows remote attackers to execute arbitrary code by leveraging mishandling of a root element, aka ZDI-CAN-3574. Important CVE-2016-1961 SUSE bug 969894 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in the mozilla::DataChannelConnection::Close function in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7 allows remote attackers to execute arbitrary code by leveraging mishandling of WebRTC data-channel connections. Critical CVE-2016-1962 SUSE bug 969894 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in the AtomicBaseIncDec function in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) by leveraging mishandling of XML transformations. Important CVE-2016-1964 SUSE bug 969894 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7 mishandle a navigation sequence that returns to the original page, which allows remote attackers to spoof the address bar via vectors involving the history.back method and the location.protocol property. Moderate CVE-2016-1965 SUSE bug 969894 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The nsNPObjWrapper::GetNewOrUsed function in dom/plugins/base/nsJSNPRuntime.cpp in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7 allows remote attackers to execute arbitrary code or cause a denial of service (invalid pointer dereference and memory corruption) via a crafted NPAPI plugin. Important CVE-2016-1966 SUSE bug 969894 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The nsScannerString::AppendUnicodeTo function in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7 does not verify that memory allocation succeeds, which allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read) via crafted Unicode data in an HTML, XML, or SVG document. Important CVE-2016-1974 SUSE bug 969894 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The Machine::Code::decoder::analysis::set_ref function in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to execute arbitrary code or cause a denial of service (stack memory corruption) via a crafted Graphite smart font. Important CVE-2016-1977 SUSE bug 969894 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in the ssl3_HandleECDHServerKeyExchange function in Mozilla Network Security Services (NSS) before 3.21, as used in Mozilla Firefox before 44.0, allows remote attackers to cause a denial of service or possibly have unspecified other impact by making an SSL (1) DHE or (2) ECDHE handshake at a time of high memory consumption. Important CVE-2016-1978 SUSE bug 969894 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in the PK11_ImportDERPrivateKeyInfoAndReturnKey function in Mozilla Network Security Services (NSS) before 3.21.1, as used in Mozilla Firefox before 45.0, allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted key data with DER encoding. Important CVE-2016-1979 SUSE bug 969894 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA QEMU (aka Quick Emulator) built with the e1000 NIC emulation support is vulnerable to an infinite loop issue. It could occur while processing data via transmit or receive descriptors, provided the initial receive/transmit descriptor head (TDH/RDH) is set outside the allocated descriptor buffer. A privileged user inside guest could use this flaw to crash the QEMU instance resulting in DoS. Moderate CVE-2016-1981 SUSE bug 963782 SUSE bug 963783 SUSE Linux Enterprise Server 11 SP3-TERADATA The ssl_verify_server_cert function in sql-common/client.c in MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10; Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier; and Percona Server do not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "/CN=" string in a field in a certificate, as demonstrated by "/OU=/CN=bar.com/CN=foo.com." Moderate CVE-2016-2047 SUSE bug 963806 SUSE bug 976341 SUSE bug 980904 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The asn1_ber_decoder function in lib/asn1_decoder.c in the Linux kernel before 4.3 allows attackers to cause a denial of service (panic) via an ASN.1 BER file that lacks a public key, leading to mishandling by the public_key_verify_signature function in crypto/asymmetric_keys/public_key.c. Moderate CVE-2016-2053 SUSE bug 963762 SUSE bug 979074 SUSE bug 990058 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Race condition in arch/x86/mm/tlb.c in the Linux kernel before 4.4.1 allows local users to gain privileges by triggering access to a paging structure by a different CPU. Moderate CVE-2016-2069 SUSE bug 870618 SUSE bug 963767 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The htmlParseNameComplex function in HTMLparser.c in libxml2 allows attackers to cause a denial of service (out-of-bounds read) via a crafted XML document. Moderate CVE-2016-2073 SUSE bug 963963 SUSE Linux Enterprise Server 11 SP3-TERADATA The jas_matrix_clip function in jas_seq.c in JasPer 1.900.1 allows remote attackers to cause a denial of service (invalid read and application crash) via a crafted JPEG 2000 image. Low CVE-2016-2089 SUSE bug 963983 SUSE OpenStack Cloud 5 Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.2 and 4.x before 4.1.14.2 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0752. Moderate CVE-2016-2097 SUSE bug 963332 SUSE bug 968850 SUSE OpenStack Cloud 5 Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method. Important CVE-2016-2098 SUSE bug 968849 SUSE bug 993313 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data. Moderate CVE-2016-2105 SUSE bug 1025347 SUSE bug 977584 SUSE bug 977614 SUSE bug 978492 SUSE bug 989902 SUSE bug 990369 SUSE bug 990370 SUSE bug 991918 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Integer overflow in the EVP_EncryptUpdate function in crypto/evp/evp_enc.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of data. Low CVE-2016-2106 SUSE bug 1025347 SUSE bug 977584 SUSE bug 977615 SUSE bug 978492 SUSE bug 990369 SUSE Linux Enterprise Server 11 SP3-TERADATA The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-0169. Moderate CVE-2016-2107 SUSE bug 976942 SUSE bug 977584 SUSE bug 977616 SUSE bug 978492 SUSE bug 990369 SUSE bug 990370 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The ASN.1 implementation in OpenSSL before 1.0.1o and 1.0.2 before 1.0.2c allows remote attackers to execute arbitrary code or cause a denial of service (buffer underflow and memory corruption) via an ANY field in crafted serialized data, aka the "negative zero" issue. Moderate CVE-2016-2108 SUSE bug 1001502 SUSE bug 1004499 SUSE bug 1005878 SUSE bug 1025347 SUSE bug 977584 SUSE bug 977617 SUSE bug 978492 SUSE bug 989345 SUSE bug 996067 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in the ASN.1 BIO implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (memory consumption) via a short invalid encoding. Moderate CVE-2016-2109 SUSE bug 1015243 SUSE bug 1025347 SUSE bug 976942 SUSE bug 977584 SUSE bug 978492 SUSE bug 990369 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The NTLMSSP authentication implementation in Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 allows man-in-the-middle attackers to perform protocol-downgrade attacks by modifying the client-server data stream to remove application-layer flags or encryption settings, as demonstrated by clearing the NTLMSSP_NEGOTIATE_SEAL or NTLMSSP_NEGOTIATE_SIGN option to disrupt LDAP security. Moderate CVE-2016-2110 SUSE bug 1009711 SUSE bug 973031 SUSE bug 973033 SUSE bug 973036 SUSE bug 975276 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The NETLOGON service in Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2, when a domain controller is configured, allows remote attackers to spoof the computer name of a secure channel's endpoint, and obtain sensitive session information, by running a crafted application and leveraging the ability to sniff network traffic, a related issue to CVE-2015-0005. Moderate CVE-2016-2111 SUSE bug 973032 SUSE bug 975276 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The bundled LDAP client library in Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 does not recognize the "client ldap sasl wrapping" setting, which allows man-in-the-middle attackers to perform LDAP protocol-downgrade attacks by modifying the client-server data stream. Moderate CVE-2016-2112 SUSE bug 973031 SUSE bug 973033 SUSE bug 975276 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Samba 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 does not verify X.509 certificates from TLS servers, which allows man-in-the-middle attackers to spoof LDAPS and HTTPS servers and obtain sensitive information via a crafted certificate. Important CVE-2016-2113 SUSE bug 973031 SUSE bug 973033 SUSE bug 973034 SUSE bug 975276 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 does not require SMB signing within a DCERPC session over ncacn_np, which allows man-in-the-middle attackers to spoof SMB clients by modifying the client-server data stream. Moderate CVE-2016-2115 SUSE bug 973036 SUSE bug 975276 SUSE Linux Enterprise Server 11 SP3-TERADATA Memory leak in the jas_iccprof_createfrombuf function in JasPer 1.900.1 and earlier allows remote attackers to cause a denial of service (memory consumption) via a crafted ICC color profile in a JPEG 2000 image file. Moderate CVE-2016-2116 SUSE bug 968373 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The MS-SAMR and MS-LSAD protocol implementations in Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 mishandle DCERPC connections, which allows man-in-the-middle attackers to perform protocol-downgrade attacks and impersonate users by modifying the client-server data stream, aka "BADLOCK." Important CVE-2016-2118 SUSE bug 971965 SUSE bug 975276 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 It was found that Samba before versions 4.5.3, 4.4.8, 4.3.13 always requested forwardable tickets when using Kerberos authentication. A service to which Samba authenticated using Kerberos could subsequently use the ticket to impersonate Samba to other services or domain users. Moderate CVE-2016-2125 SUSE bug 1014441 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Samba version 4.0.0 up to 4.5.2 is vulnerable to privilege elevation due to incorrect handling of the PAC (Privilege Attribute Certificate) checksum. A remote, authenticated, attacker can cause the winbindd process to crash using a legitimate Kerberos ticket. A local service with access to the winbindd privileged pipe can cause winbindd to cache elevated access permissions. Moderate CVE-2016-2126 SUSE bug 1014442 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE OpenStack Cloud 5 The fork implementation in the Linux kernel before 4.5 on s390 platforms mishandles the case of four page-table levels, which allows local users to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted application, related to arch/s390/include/asm/mmu_context.h and arch/s390/include/asm/pgalloc.h. Important CVE-2016-2143 SUSE bug 970504 SUSE bug 987099 SUSE bug 993872 SUSE Linux Enterprise Server 11 SP3-TERADATA In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests. Important CVE-2016-2161 SUSE bug 1016714 SUSE bug 1033513 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 OpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-buffer boundary checks, which might allow remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact by leveraging unexpected malloc behavior, related to s3_srvr.c, ssl_sess.c, and t1_lib.c. Moderate CVE-2016-2177 SUSE bug 982575 SUSE bug 999075 SUSE bug 999665 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time operations, which makes it easier for local users to discover a DSA private key via a timing side-channel attack. Moderate CVE-2016-2178 SUSE bug 983249 SUSE bug 983519 SUSE bug 999665 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The DTLS implementation in OpenSSL before 1.1.0 does not properly restrict the lifetime of queue entries associated with unused out-of-order messages, which allows remote attackers to cause a denial of service (memory consumption) by maintaining many crafted DTLS sessions simultaneously, related to d1_lib.c, statem_dtls.c, statem_lib.c, and statem_srvr.c. Moderate CVE-2016-2179 SUSE bug 994844 SUSE bug 999665 SUSE Linux Enterprise Server 11 SP3-TERADATA The TS_OBJ_print_bio function in crypto/ts/ts_lib.c in the X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) implementation in OpenSSL through 1.0.2h allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted time-stamp file that is mishandled by the "openssl ts" command. Moderate CVE-2016-2180 SUSE bug 1003811 SUSE bug 990419 SUSE bug 999665 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The Anti-Replay feature in the DTLS implementation in OpenSSL before 1.1.0 mishandles early use of a new epoch number in conjunction with a large sequence number, which allows remote attackers to cause a denial of service (false-positive packet drops) via spoofed DTLS records, related to rec_layer_d1.c and ssl3_record.c. Moderate CVE-2016-2181 SUSE bug 994749 SUSE bug 994844 SUSE bug 999665 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The BN_bn2dec function in crypto/bn/bn_print.c in OpenSSL before 1.1.0 does not properly validate division results, which allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors. Moderate CVE-2016-2182 SUSE bug 993819 SUSE bug 994844 SUSE bug 995959 SUSE bug 999665 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack. Moderate CVE-2016-2183 SUSE bug 1001912 SUSE bug 1020747 SUSE bug 1024218 SUSE bug 1027038 SUSE bug 1034689 SUSE bug 994844 SUSE bug 995359 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The create_fixed_stream_quirk function in sound/usb/quirks.c in the snd-usb-audio driver in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference or double free, and system crash) via a crafted endpoints value in a USB device descriptor. Moderate CVE-2016-2184 SUSE bug 971125 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The ati_remote2_probe function in drivers/input/misc/ati_remote2.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor. Moderate CVE-2016-2185 SUSE bug 971124 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The powermate_probe function in drivers/input/misc/powermate.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor. Moderate CVE-2016-2186 SUSE bug 970958 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The gtco_probe function in drivers/input/tablet/gtco.c in the Linux kernel through 4.5.2 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor. Moderate CVE-2016-2187 SUSE bug 971919 SUSE bug 971944 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The iowarrior_probe function in drivers/usb/misc/iowarrior.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor. Moderate CVE-2016-2188 SUSE bug 1067912 SUSE bug 1132190 SUSE bug 970956 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA QEMU (aka Quick Emulator) built with the USB EHCI emulation support is vulnerable to a null pointer dereference flaw. It could occur when an application attempts to write to EHCI capabilities registers. A privileged user inside quest could use this flaw to crash the QEMU process instance resulting in DoS. Moderate CVE-2016-2198 SUSE bug 964413 SUSE bug 964415 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Xen 4.6.x and earlier allows local guest administrators to cause a denial of service (host reboot) via vectors related to multiple mappings of MMIO pages with different cachability settings. Moderate CVE-2016-2270 SUSE bug 965315 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA VMX in Xen 4.6.x and earlier, when using an Intel or Cyrix CPU, allows local HVM guest users to cause a denial of service (guest crash) via vectors related to a non-canonical RIP. Moderate CVE-2016-2271 SUSE bug 965317 SUSE OpenStack Cloud 5 revision.c in git before 2.7.4 uses an incorrect integer data type, which allows remote attackers to execute arbitrary code via a (1) long filename or (2) many nested trees, leading to a heap-based buffer overflow. Critical CVE-2016-2315 SUSE bug 971328 SUSE OpenStack Cloud 5 Integer overflow in Git before 2.7.4 allows remote attackers to execute arbitrary code via a (1) long filename or (2) many nested trees, which triggers a heap-based buffer overflow. Critical CVE-2016-2324 SUSE bug 971328 SUSE Linux Enterprise Server 11 SP3-TERADATA The bgp_nlri_parse_vpnv4 function in bgp_mplsvpn.c in the VPNv4 NLRI parser in bgpd in Quagga before 1.0.20160309, when a certain VPNv4 configuration is used, relies on a Labeled-VPN SAFI routes-data length field during a data copy, which allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted packet. Moderate CVE-2016-2342 SUSE bug 970952 SUSE Linux Enterprise Server 11 SP3-TERADATA Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate environment variables in envp. Moderate CVE-2016-2381 SUSE bug 967082 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Double free vulnerability in the snd_usbmidi_create function in sound/usb/midi.c in the Linux kernel before 4.5 allows physically proximate attackers to cause a denial of service (panic) or possibly have unspecified other impact via vectors involving an invalid USB descriptor. Important CVE-2016-2384 SUSE bug 966693 SUSE bug 967773 SUSE Linux Enterprise Server 11 SP3-TERADATA The FwdState::connectedToPeer method in FwdState.cc in Squid before 3.5.14 and 4.0.x before 4.0.6 does not properly handle SSL handshake errors when built with the --with-openssl option, which allows remote attackers to cause a denial of service (application crash) via a plaintext HTTP message. Moderate CVE-2016-2390 SUSE bug 967011 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The ohci_bus_start function in the USB OHCI emulation support (hw/usb/hcd-ohci.c) in QEMU allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors related to multiple eof_timers. Moderate CVE-2016-2391 SUSE bug 967012 SUSE bug 967013 SUSE bug 967101 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The is_rndis function in the USB Net device emulator (hw/usb/dev-network.c) in QEMU before 2.5.1 does not properly validate USB configuration descriptor objects, which allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors involving a remote NDIS control message packet. Moderate CVE-2016-2392 SUSE bug 967012 SUSE bug 967090 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 NTP before 4.2.8p7 and 4.3.x before 4.3.92, when mode7 is enabled, allows remote attackers to cause a denial of service (ntpd abort) by using the same IP address multiple times in an unconfig directive. Moderate CVE-2016-2516 SUSE bug 0 SUSE bug 977446 SUSE bug 977452 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 NTP before 4.2.8p7 and 4.3.x before 4.3.92 allows remote attackers to cause a denial of service (prevent subsequent authentication) by leveraging knowledge of the controlkey or requestkey and sending a crafted packet to ntpd, which changes the value of trustedkey, controlkey, or requestkey. NOTE: this vulnerability exists because of a CVE-2016-2516 regression. Moderate CVE-2016-2517 SUSE bug 0 SUSE bug 977446 SUSE bug 977455 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The MATCH_ASSOC function in NTP before version 4.2.8p9 and 4.3.x before 4.3.92 allows remote attackers to cause an out-of-bounds reference via an addpeer request with a large hmode value. Moderate CVE-2016-2518 SUSE bug 977446 SUSE bug 977457 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 ntpd in NTP before 4.2.8p7 and 4.3.x before 4.3.92 allows remote attackers to cause a denial of service (ntpd abort) by a large request data value, which triggers the ctl_getitem function to return a NULL value. Moderate CVE-2016-2519 SUSE bug 0 SUSE bug 959243 SUSE bug 977446 SUSE bug 977458 SUSE Linux Enterprise Server 11 SP3-TERADATA The dnp3_al_process_object function in epan/dissectors/packet-dnp.c in the DNP3 dissector in Wireshark 1.12.x before 1.12.10 and 2.0.x before 2.0.2 allows remote attackers to cause a denial of service (infinite loop) via a crafted packet. Moderate CVE-2016-2523 SUSE bug 968565 SUSE Linux Enterprise Server 11 SP3-TERADATA The dissct_rsl_ipaccess_msg function in epan/dissectors/packet-rsl.c in the RSL dissector in Wireshark 1.12.x before 1.12.10 and 2.0.x before 2.0.2 mishandles the case of an unrecognized TLV type, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted packet, a different vulnerability than CVE-2016-2531. Moderate CVE-2016-2530 SUSE bug 968565 SUSE Linux Enterprise Server 11 SP3-TERADATA Off-by-one error in epan/dissectors/packet-rsl.c in the RSL dissector in Wireshark 1.12.x before 1.12.10 and 2.0.x before 2.0.2 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted packet that triggers a 0xff tag value, a different vulnerability than CVE-2016-2530. Moderate CVE-2016-2531 SUSE bug 968565 SUSE Linux Enterprise Server 11 SP3-TERADATA The dissect_llrp_parameters function in epan/dissectors/packet-llrp.c in the LLRP dissector in Wireshark 1.12.x before 1.12.10 and 2.0.x before 2.0.2 does not limit the recursion depth, which allows remote attackers to cause a denial of service (memory consumption or application crash) via a crafted packet. Moderate CVE-2016-2532 SUSE bug 968565 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple integer overflows in the USB Net device emulator (hw/usb/dev-network.c) in QEMU before 2.5.1 allow local guest OS administrators to cause a denial of service (QEMU process crash) or obtain sensitive host memory information via a remote NDIS control message packet that is mishandled in the (1) rndis_query_response, (2) rndis_set_response, or (3) usb_net_handle_dataout function. Important CVE-2016-2538 SUSE bug 967969 SUSE bug 968004 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The snd_seq_ioctl_remove_events function in sound/core/seq/seq_clientmgr.c in the Linux kernel before 4.4.1 does not verify FIFO assignment before proceeding with FIFO clearing, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted ioctl call. Moderate CVE-2016-2543 SUSE bug 967972 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Race condition in the queue_delete function in sound/core/seq/seq_queue.c in the Linux kernel before 4.4.1 allows local users to cause a denial of service (use-after-free and system crash) by making an ioctl call at a certain time. Moderate CVE-2016-2544 SUSE bug 967973 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The snd_timer_interrupt function in sound/core/timer.c in the Linux kernel before 4.4.1 does not properly maintain a certain linked list, which allows local users to cause a denial of service (race condition and system crash) via a crafted ioctl call. Moderate CVE-2016-2545 SUSE bug 967974 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 sound/core/timer.c in the Linux kernel before 4.4.1 uses an incorrect type of mutex, which allows local users to cause a denial of service (race condition, use-after-free, and system crash) via a crafted ioctl call. Moderate CVE-2016-2546 SUSE bug 967975 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 sound/core/timer.c in the Linux kernel before 4.4.1 employs a locking approach that does not consider slave timer instances, which allows local users to cause a denial of service (race condition, use-after-free, and system crash) via a crafted ioctl call. Moderate CVE-2016-2547 SUSE bug 968011 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 sound/core/timer.c in the Linux kernel before 4.4.1 retains certain linked lists after a close or stop action, which allows local users to cause a denial of service (system crash) via a crafted ioctl call, related to the (1) snd_timer_close and (2) _snd_timer_stop functions. Moderate CVE-2016-2548 SUSE bug 968012 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 sound/core/hrtimer.c in the Linux kernel before 4.4.1 does not prevent recursive callback access, which allows local users to cause a denial of service (deadlock) via a crafted ioctl call. Moderate CVE-2016-2549 SUSE bug 968013 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Stack-based buffer overflow in ext/phar/tar.c in PHP before 5.5.32, 5.6.x before 5.6.18, and 7.x before 7.0.3 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted TAR archive. Moderate CVE-2016-2554 SUSE bug 968284 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3-TERADATA Squid 3.x before 3.5.15 and 4.x before 4.0.7 does not properly append data to String objects, which allows remote servers to cause a denial of service (assertion failure and daemon exit) via a long string, as demonstrated by a crafted HTTP Vary header. Important CVE-2016-2569 SUSE bug 968392 SUSE bug 968393 SUSE Linux Enterprise Server 11 SP3-TERADATA The Edge Side Includes (ESI) parser in Squid 3.x before 3.5.15 and 4.x before 4.0.7 does not check buffer limits during XML parsing, which allows remote HTTP servers to cause a denial of service (assertion failure and daemon exit) via a crafted XML document, related to esi/CustomParser.cc and esi/CustomParser.h. Important CVE-2016-2570 SUSE bug 968392 SUSE bug 968393 SUSE Linux Enterprise Server 11 SP3-TERADATA http.cc in Squid 3.x before 3.5.15 and 4.x before 4.0.7 proceeds with the storage of certain data after a response-parsing failure, which allows remote HTTP servers to cause a denial of service (assertion failure and daemon exit) via a malformed response. Important CVE-2016-2571 SUSE bug 968394 SUSE bug 968395 SUSE Linux Enterprise Server 11 SP3-TERADATA http.cc in Squid 4.x before 4.0.7 relies on the HTTP status code after a response-parsing failure, which allows remote HTTP servers to cause a denial of service (assertion failure and daemon exit) via a malformed response. Important CVE-2016-2572 SUSE bug 968394 SUSE bug 968395 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 ISC DHCP 4.1.x before 4.1-ESV-R13 and 4.2.x and 4.3.x before 4.3.4 does not restrict the number of concurrent TCP sessions, which allows remote attackers to cause a denial of service (INSIST assertion failure or request-processing outage) by establishing many sessions. Moderate CVE-2016-2774 SUSE bug 969820 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 ISC BIND 9.x before 9.9.9-P2, 9.10.x before 9.10.4-P2, and 9.11.x before 9.11.0b2, when lwresd or the named lwres option is enabled, allows remote attackers to cause a denial of service (daemon crash) via a long request that uses the lightweight resolver protocol. Moderate CVE-2016-2775 SUSE bug 989528 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 buffer.c in named in ISC BIND 9 before 9.9.9-P3, 9.10.x before 9.10.4-P3, and 9.11.x before 9.11.0rc3 does not properly construct responses, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a crafted query. Important CVE-2016-2776 SUSE bug 1000362 SUSE bug 1001595 SUSE bug 1001597 SUSE bug 1007829 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The treo_attach function in drivers/usb/serial/visor.c in the Linux kernel before 4.5 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacks a (1) bulk-in or (2) interrupt-in endpoint. Moderate CVE-2016-2782 SUSE bug 961512 SUSE bug 968670 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The graphite2::TtfUtil::GetTableInfo function in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, does not initialize memory for an unspecified data structure, which allows remote attackers to cause a denial of service or possibly have unknown other impact via a crafted Graphite smart font. Important CVE-2016-2790 SUSE bug 969894 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The graphite2::GlyphCache::glyph function in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted Graphite smart font. Important CVE-2016-2791 SUSE bug 969894 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The graphite2::Slot::getAttr function in Slot.cpp in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted Graphite smart font, a different vulnerability than CVE-2016-2800. Important CVE-2016-2792 SUSE bug 969894 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA CachedCmap.cpp in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted Graphite smart font. Important CVE-2016-2793 SUSE bug 969894 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The graphite2::TtfUtil::CmapSubtable12NextCodepoint function in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted Graphite smart font. Important CVE-2016-2794 SUSE bug 969894 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The graphite2::FileFace::get_table_fn function in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, does not initialize memory for an unspecified data structure, which allows remote attackers to cause a denial of service or possibly have unknown other impact via a crafted Graphite smart font. Important CVE-2016-2795 SUSE bug 969894 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the graphite2::vm::Machine::Code::Code function in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted Graphite smart font. Important CVE-2016-2796 SUSE bug 969894 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The graphite2::TtfUtil::CmapSubtable12Lookup function in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted Graphite smart font, a different vulnerability than CVE-2016-2801. Important CVE-2016-2797 SUSE bug 969894 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The graphite2::GlyphCache::Loader::Loader function in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted Graphite smart font. Important CVE-2016-2798 SUSE bug 969894 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the graphite2::Slot::setAttr function in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted Graphite smart font. Important CVE-2016-2799 SUSE bug 969894 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The graphite2::Slot::getAttr function in Slot.cpp in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted Graphite smart font, a different vulnerability than CVE-2016-2792. Important CVE-2016-2800 SUSE bug 969894 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The graphite2::TtfUtil::CmapSubtable12Lookup function in TtfUtil.cpp in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted Graphite smart font, a different vulnerability than CVE-2016-2797. Important CVE-2016-2801 SUSE bug 969894 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The graphite2::TtfUtil::CmapSubtable4NextCodepoint function in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted Graphite smart font. Important CVE-2016-2802 SUSE bug 969894 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Unspecified vulnerability in the browser engine in Mozilla Firefox ESR 38.x before 38.8 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Important CVE-2016-2805 SUSE bug 977333 SUSE bug 977374 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 46.0, Firefox ESR 38.x before 38.8, and Firefox ESR 45.x before 45.1 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Important CVE-2016-2807 SUSE bug 977333 SUSE bug 977376 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The watch implementation in the JavaScript engine in Mozilla Firefox before 46.0, Firefox ESR 38.x before 38.8, and Firefox ESR 45.x before 45.1 allows remote attackers to execute arbitrary code or cause a denial of service (generation-count overflow, out-of-bounds HashMap write access, and application crash) via a crafted web site. Important CVE-2016-2808 SUSE bug 977333 SUSE bug 977386 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Heap-based buffer overflow in the stagefright::SampleTable::parseSampleCencInfo function in libstagefright in Mozilla Firefox before 46.0, Firefox ESR 38.x before 38.8, and Firefox ESR 45.x before 45.1 allows remote attackers to execute arbitrary code via crafted CENC offsets that lead to mismanagement of the sizes table. Important CVE-2016-2814 SUSE bug 977333 SUSE bug 977381 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 47.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Important CVE-2016-2815 SUSE bug 983549 SUSE bug 983638 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 47.0 and Firefox ESR 45.x before 45.2 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Important CVE-2016-2818 SUSE bug 983549 SUSE bug 983638 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Heap-based buffer overflow in Mozilla Firefox before 47.0 and Firefox ESR 45.x before 45.2 allows remote attackers to execute arbitrary code via foreign-context HTML5 fragments, as demonstrated by fragments within an SVG element. Important CVE-2016-2819 SUSE bug 983549 SUSE bug 983655 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Use-after-free vulnerability in the mozilla::dom::Element class in Mozilla Firefox before 47.0 and Firefox ESR 45.x before 45.2, when contenteditable mode is enabled, allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) by triggering deletion of DOM elements that were created in the editor. Important CVE-2016-2821 SUSE bug 983549 SUSE bug 983653 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Mozilla Firefox before 47.0 and Firefox ESR 45.x before 45.2 allow remote attackers to spoof the address bar via a SELECT element with a persistent menu. Moderate CVE-2016-2822 SUSE bug 983549 SUSE bug 983652 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The TSymbolTableLevel class in ANGLE, as used in Mozilla Firefox before 47.0 and Firefox ESR 45.x before 45.2 on Windows, allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact by triggering use of a WebGL shader that writes to an array. Important CVE-2016-2824 SUSE bug 983549 SUSE bug 983651 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Use-after-free vulnerability in Mozilla Firefox before 47.0 and Firefox ESR 45.x before 45.2 allows remote attackers to execute arbitrary code via WebGL content that triggers texture access after destruction of the texture's recycle pool. Important CVE-2016-2828 SUSE bug 983549 SUSE bug 983646 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 preserve the network connection used for favicon resource retrieval after the associated browser window is closed, which makes it easier for remote web servers to track users by observing network traffic from multiple IP addresses. Moderate CVE-2016-2830 SUSE bug 983922 SUSE bug 991809 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Mozilla Firefox before 47.0 and Firefox ESR 45.x before 45.2 do not ensure that the user approves the fullscreen and pointerlock settings, which allows remote attackers to cause a denial of service (UI outage), or conduct clickjacking or spoofing attacks, via a crafted web site. Important CVE-2016-2831 SUSE bug 983549 SUSE bug 983632 SUSE bug 983643 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Mozilla Network Security Services (NSS) before 3.23, as used in Mozilla Firefox before 47.0, allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unknown vectors. Important CVE-2016-2834 SUSE bug 983549 SUSE bug 983639 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 48.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Moderate CVE-2016-2835 SUSE bug 991809 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to Http2Session::Shutdown and SpdySession31::Shutdown, and other vectors. Important CVE-2016-2836 SUSE bug 991809 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Heap-based buffer overflow in the ClearKey Content Decryption Module (CDM) in the Encrypted Media Extensions (EME) API in Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 might allow remote attackers to execute arbitrary code by providing a malformed video and leveraging a Gecko Media Plugin (GMP) sandbox bypass. Moderate CVE-2016-2837 SUSE bug 991809 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Heap-based buffer overflow in the nsBidi::BracketData::AddOpening function in Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 allows remote attackers to execute arbitrary code via directional content in an SVG document. Moderate CVE-2016-2838 SUSE bug 991809 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 on Linux make cairo _cairo_surface_get_extents calls that do not properly interact with libav header allocation in FFmpeg 0.10, which allows remote attackers to cause a denial of service (application crash) via a crafted video. Moderate CVE-2016-2839 SUSE bug 991809 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The ne2000_receive function in the NE2000 NIC emulation support (hw/net/ne2000.c) in QEMU before 2.5.1 allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via crafted values for the PSTART and PSTOP registers, involving ring buffer control. Moderate CVE-2016-2841 SUSE bug 969350 SUSE bug 969351 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 fs/pipe.c in the Linux kernel before 4.5 does not limit the amount of unread data in pipes, which allows local users to cause a denial of service (memory consumption) by creating many pipes with non-default sizes. Moderate CVE-2016-2847 SUSE bug 970948 SUSE bug 974646 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in proto.c in libotr before 4.1.1 on 64-bit platforms allows remote attackers to cause a denial of service (memory corruption and application crash) or execute arbitrary code via a series of large OTR messages, which triggers a heap-based buffer overflow. Critical CVE-2016-2851 SUSE bug 969785 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The net_checksum_calculate function in net/checksum.c in QEMU allows local guest OS users to cause a denial of service (out-of-bounds heap read and crash) via the payload length in a crafted packet. Moderate CVE-2016-2857 SUSE bug 970037 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA QEMU, when built with the Pseudo Random Number Generator (PRNG) back-end support, allows local guest OS users to cause a denial of service (process crash) via an entropy request, which triggers arbitrary stack based allocation and memory corruption. Moderate CVE-2016-2858 SUSE bug 970036 SUSE Linux Enterprise Server 11 SP3-TERADATA Stack-based buffer overflow in the nss_dns implementation of the getnetbyname function in GNU C Library (aka glibc) before 2.24 allows context-dependent attackers to cause a denial of service (stack consumption and application crash) via a long name. Important CVE-2016-3075 SUSE bug 973164 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Multiple CRLF injection vulnerabilities in session.c in sshd in OpenSSH before 7.2p2 allow remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data, related to the (1) do_authenticated1 and (2) session_x11_req functions. Moderate CVE-2016-3115 SUSE bug 1005738 SUSE bug 1087412 SUSE bug 1138392 SUSE bug 970632 SUSE bug 992296 SUSE bug 996040 SUSE Linux Enterprise Server 11 SP3-TERADATA The process_db_args function in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in the LDAP KDB module in kadmind in MIT Kerberos 5 (aka krb5) through 1.13.4 and 1.14.x through 1.14.1 mishandles the DB argument, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted request to modify a principal. Moderate CVE-2016-3119 SUSE bug 971942 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The netfilter subsystem in the Linux kernel through 4.5.2 does not validate certain offset fields, which allows local users to gain privileges or cause a denial of service (heap memory corruption) via an IPT_SO_SET_REPLACE setsockopt call. Moderate CVE-2016-3134 SUSE bug 1052256 SUSE bug 971126 SUSE bug 971793 SUSE bug 986362 SUSE bug 986365 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 drivers/usb/serial/cypress_m8.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both an interrupt-in and an interrupt-out endpoint descriptor, related to the cypress_generic_port_probe and cypress_open functions. Moderate CVE-2016-3137 SUSE bug 970970 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The acm_probe function in drivers/usb/class/cdc-acm.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both a control and a data endpoint descriptor. Moderate CVE-2016-3138 SUSE bug 970911 SUSE bug 970970 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The wacom_probe function in drivers/input/tablet/wacom_sys.c in the Linux kernel before 3.17 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor. Moderate CVE-2016-3139 SUSE bug 970909 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The digi_port_init function in drivers/usb/serial/digi_acceleport.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor. Moderate CVE-2016-3140 SUSE bug 970892 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Use-after-free vulnerability in wddx.c in the WDDX extension in PHP before 5.5.33 and 5.6.x before 5.6.19 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact by triggering a wddx_deserialize call on XML data containing a crafted var element. Moderate CVE-2016-3141 SUSE bug 969821 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The phar_parse_zipfile function in zip.c in the PHAR extension in PHP before 5.5.33 and 5.6.x before 5.6.19 allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read and application crash) by placing a PK\x05\x06 signature at an invalid location. Moderate CVE-2016-3142 SUSE bug 971912 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The IPv4 implementation in the Linux kernel before 4.5.2 mishandles destruction of device objects, which allows guest OS users to cause a denial of service (host OS networking outage) by arranging for a large number of IP addresses. Moderate CVE-2016-3156 SUSE bug 971360 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The xrstor function in arch/x86/xstate.c in Xen 4.x does not properly handle writes to the hardware FSW.ES bit when running on AMD64 processors, which allows local guest OS users to obtain sensitive register content information from another guest by leveraging pending exception and mask bits. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-2076. Low CVE-2016-3158 SUSE bug 973188 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The fpu_fxrstor function in arch/x86/i387.c in Xen 4.x does not properly handle writes to the hardware FSW.ES bit when running on AMD64 processors, which allows local guest OS users to obtain sensitive register content information from another guest by leveraging pending exception and mask bits. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-2076. Low CVE-2016-3159 SUSE bug 973188 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The make_http_soap_request function in ext/soap/php_http.c in PHP before 5.4.44, 5.5.x before 5.5.28, 5.6.x before 5.6.12, and 7.x before 7.0.4 allows remote attackers to obtain sensitive information from process memory or cause a denial of service (type confusion and application crash) via crafted serialized _cookies data, related to the SoapClient::__call method in ext/soap/soap.c. Important CVE-2016-3185 SUSE bug 971611 SUSE bug 973351 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in the readextension function in gif2tiff.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (application crash) via a crafted GIF file. Moderate CVE-2016-3186 SUSE bug 973340 SUSE bug 983268 SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block. Moderate CVE-2016-3189 SUSE bug 985657 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 allows remote attackers to affect availability via vectors related to 2D. Important CVE-2016-3422 SUSE bug 976340 SUSE bug 979252 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Unspecified vulnerability in Oracle Java SE 8u77 and Java SE Embedded 8u77 allows remote attackers to affect confidentiality via vectors related to JCE. Important CVE-2016-3426 SUSE bug 976340 SUSE bug 979252 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Java SE Embedded 8u77; and JRockit R28.3.9 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JMX. Important CVE-2016-3427 SUSE bug 1011805 SUSE bug 976340 SUSE bug 979252 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to 2D. NOTE: the previous information is from the April 2016 CPU. Oracle has not commented on third-party claims that this issue allows remote attackers to obtain sensitive information via crafted font data, which triggers an out-of-bounds read. Important CVE-2016-3443 SUSE bug 976340 SUSE bug 979252 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Deployment. Important CVE-2016-3449 SUSE bug 976340 SUSE bug 979252 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier, 5.6.30 and earlier, and 5.7.12 and earlier and MariaDB before 5.5.50, 10.0.x before 10.0.26, and 10.1.x before 10.1.15 allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Parser. Important CVE-2016-3477 SUSE bug 989913 SUSE bug 991616 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Unspecified vulnerability in Oracle Java SE 6u115, 7u101, and 8u92; Java SE Embedded 8u91; and JRockit R28.3.10 allows local users to affect integrity via vectors related to Networking. Low CVE-2016-3485 SUSE bug 1009280 SUSE bug 989734 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Unspecified vulnerability in Oracle Java SE 7u101 and 8u92 allows local users to affect confidentiality, integrity, and availability via vectors related to Deployment. Important CVE-2016-3511 SUSE bug 1009280 SUSE bug 989727 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier, 5.6.30 and earlier, and 5.7.12 and earlier and MariaDB before 5.5.50, 10.0.x before 10.0.26, and 10.1.x before 10.1.15 allows remote authenticated users to affect availability via vectors related to Server: Types. Important CVE-2016-3521 SUSE bug 989919 SUSE bug 991616 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Unspecified vulnerability in Oracle Java SE 8u92 and Java SE Embedded 8u91 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Libraries, a different vulnerability than CVE-2016-3610. Important CVE-2016-3598 SUSE bug 1009280 SUSE bug 989723 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier, 5.6.30 and earlier, and 5.7.12 and earlier and MariaDB before 5.5.50, 10.0.x before 10.0.26, and 10.1.x before 10.1.15 allows remote authenticated users to affect availability via vectors related to Server: DML. Important CVE-2016-3615 SUSE bug 989922 SUSE bug 991616 SUSE Linux Enterprise Server 11 SP3-TERADATA The DumpModeEncode function in tif_dumpmode.c in the bmp2tiff tool in LibTIFF 4.0.6 and earlier, when the "-c none" option is used, allows remote attackers to cause a denial of service (buffer over-read) via a crafted BMP image. Low CVE-2016-3619 SUSE bug 1040080 SUSE bug 1150480 SUSE bug 974446 SUSE bug 974447 SUSE bug 974448 SUSE Linux Enterprise Server 11 SP3-TERADATA The ZIPEncode function in tif_zip.c in the bmp2tiff tool in LibTIFF 4.0.6 and earlier, when the "-c zip" option is used, allows remote attackers to cause a denial of service (buffer over-read) via a crafted BMP image. Low CVE-2016-3620 SUSE bug 1040080 SUSE bug 1150480 SUSE bug 974447 SUSE Linux Enterprise Server 11 SP3-TERADATA The LZWEncode function in tif_lzw.c in the bmp2tiff tool in LibTIFF 4.0.6 and earlier, when the "-c lzw" option is used, allows remote attackers to cause a denial of service (buffer over-read) via a crafted BMP image. Low CVE-2016-3621 SUSE bug 1040080 SUSE bug 1150480 SUSE bug 974448 SUSE Linux Enterprise Server 11 SP3-TERADATA The fpAcc function in tif_predict.c in the tiff2rgba tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (divide-by-zero error) via a crafted TIFF image. Low CVE-2016-3622 SUSE bug 974449 SUSE Linux Enterprise Server 11 SP3-TERADATA The rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (divide-by-zero) by setting the (1) v or (2) h parameter to 0. Low CVE-2016-3623 SUSE bug 974617 SUSE bug 974618 SUSE Linux Enterprise Server 11 SP3-TERADATA The xmlStringGetNodeList function in tree.c in libxml2 2.9.3 and earlier, when used in recovery mode, allows context-dependent attackers to cause a denial of service (infinite recursion, stack consumption, and application crash) via a crafted XML document. Important CVE-2016-3627 SUSE bug 1026099 SUSE bug 1026101 SUSE bug 1123919 SUSE bug 972335 SUSE bug 975947 SUSE Linux Enterprise Server 11 SP3-TERADATA The _TIFFVGetField function in tif_dirinfo.c in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) or execute arbitrary code via a crafted TIFF image. Low CVE-2016-3632 SUSE bug 1007276 SUSE bug 974621 SUSE bug 983436 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The (1) xmlParserEntityCheck and (2) xmlParseAttValueComplex functions in parser.c in libxml2 2.9.3 do not properly keep track of the recursion depth, which allows context-dependent attackers to cause a denial of service (stack consumption and application crash) via a crafted XML document containing a large number of nested entity references. Important CVE-2016-3705 SUSE bug 1017497 SUSE bug 1123919 SUSE bug 975947 SUSE Linux Enterprise Server 11 SP3-TERADATA Stack-based buffer overflow in the getaddrinfo function in sysdeps/posix/getaddrinfo.c in the GNU C Library (aka glibc or libc6) allows remote attackers to cause a denial of service (crash) via vectors involving hostent conversion. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4458. Important CVE-2016-3706 SUSE bug 980483 SUSE bug 997423 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The VGA module in QEMU improperly performs bounds checking on banked access to video memory, which allows local guest OS administrators to execute arbitrary code on the host by changing access modes after setting the bank register, aka the "Dark Portal" issue. Important CVE-2016-3710 SUSE bug 978158 SUSE bug 978164 SUSE bug 978167 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Integer overflow in the VGA module in QEMU allows local guest OS users to cause a denial of service (out-of-bounds read and QEMU process crash) by editing VGA registers in VBE mode. Moderate CVE-2016-3712 SUSE bug 978160 SUSE bug 978164 SUSE bug 978167 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The (1) EPHEMERAL, (2) HTTPS, (3) MVG, (4) MSL, (5) TEXT, (6) SHOW, (7) WIN, and (8) PLT coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to execute arbitrary code via shell metacharacters in a crafted image, aka "ImageTragick." Important CVE-2016-3714 SUSE bug 1057163 SUSE bug 1105592 SUSE bug 978061 SUSE bug 982178 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The EPHEMERAL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to delete arbitrary files via a crafted image. Moderate CVE-2016-3715 SUSE bug 1057163 SUSE bug 1105592 SUSE bug 978061 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The MSL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to move arbitrary files via a crafted image. Moderate CVE-2016-3716 SUSE bug 1057163 SUSE bug 1105592 SUSE bug 978061 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The LABEL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to read arbitrary files via a crafted image. Moderate CVE-2016-3717 SUSE bug 1057163 SUSE bug 1105592 SUSE bug 978061 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The (1) HTTP and (2) FTP coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to conduct server-side request forgery (SSRF) attacks via a crafted image. Moderate CVE-2016-3718 SUSE bug 1057163 SUSE bug 1105592 SUSE bug 978061 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The IPv6 stack in the Linux kernel before 4.3.3 mishandles options data, which allows local users to gain privileges or cause a denial of service (use-after-free and system crash) via a crafted sendmsg system call. Important CVE-2016-3841 SUSE bug 1052256 SUSE bug 992566 SUSE bug 992569 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple integer overflows in the (1) cvt_by_strip and (2) cvt_by_tile functions in the tiff2rgba tool in LibTIFF 4.0.6 and earlier, when -b mode is enabled, allow remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted TIFF image, which triggers an out-of-bounds write. Low CVE-2016-3945 SUSE bug 974614 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the Icmp6::Recv function in icmp/Icmp6.cc in the pinger utility in Squid before 3.5.16 and 4.x before 4.0.8 allows remote servers to cause a denial of service (performance degradation or transition failures) or write sensitive information to log files via an ICMPv6 packet. Important CVE-2016-3947 SUSE bug 973782 SUSE Linux Enterprise Server 11 SP3-TERADATA Squid 3.x before 3.5.16 and 4.x before 4.0.8 improperly perform bounds checking, which allows remote attackers to cause a denial of service via a crafted HTTP response, related to Vary headers. Moderate CVE-2016-3948 SUSE bug 973783 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The usbip_recv_xbuff function in drivers/usb/usbip/usbip_common.c in the Linux kernel before 4.5.3 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact via a crafted length value in a USB/IP packet. Critical CVE-2016-3955 SUSE bug 975945 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Integer overflow in the x86 shadow pagetable code in Xen allows local guest OS users to cause a denial of service (host crash) or possibly gain privileges by shadowing a superpage mapping. Important CVE-2016-3960 SUSE bug 974038 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in util/gif2rgb.c in gif2rgb in giflib 5.1.2 allows remote attackers to cause a denial of service (application crash) via the background color index in a GIF file. Moderate CVE-2016-3977 SUSE bug 974847 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the horizontalDifference8 function in tif_pixarlog.c in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted TIFF image to tiffcp. Low CVE-2016-3990 SUSE bug 975069 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Buffer overflow in the stellaris_enet_receive function in hw/net/stellaris_enet.c in QEMU, when the Stellaris ethernet controller is configured to accept large packets, allows remote attackers to cause a denial of service (QEMU crash) via a large packet. Moderate CVE-2016-4001 SUSE bug 975128 SUSE bug 975130 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Buffer overflow in the mipsnet_receive function in hw/net/mipsnet.c in QEMU, when the guest NIC is configured to accept large packets, allows remote attackers to cause a denial of service (memory corruption and QEMU crash) or possibly execute arbitrary code via a packet larger than 1514 bytes. Critical CVE-2016-4002 SUSE bug 975136 SUSE bug 975138 SUSE Linux Enterprise Server 11 SP3-TERADATA The _asn1_extract_der_octet function in lib/decoding.c in GNU Libtasn1 before 4.8, when used without the ASN1_DECODE_FLAG_STRICT_DER flag, allows remote attackers to cause a denial of service (infinite recursion) via a crafted certificate. Moderate CVE-2016-4008 SUSE bug 982779 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The patch_instruction function in hw/i386/kvmvapic.c in QEMU does not initialize the imm32 variable, which allows local guest OS administrators to obtain sensitive information from host stack memory by accessing the Task Priority Register (TPR). Low CVE-2016-4020 SUSE bug 975700 SUSE bug 975907 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The ehci_advance_state function in hw/usb/hcd-ehci.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via a circular split isochronous transfer descriptor (siTD) list, a related issue to CVE-2015-8558. Low CVE-2016-4037 SUSE bug 959005 SUSE bug 959006 SUSE bug 976109 SUSE bug 976111 SUSE Linux Enterprise Server 11 SP3-TERADATA The bgp_dump_routes_func function in bgpd/bgp_dump.c in Quagga does not perform size checks when dumping data, which might allow remote attackers to cause a denial of service (assertion failure and daemon crash) via a large BGP packet. Moderate CVE-2016-4049 SUSE bug 977012 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in cachemgr.cgi in Squid 2.x, 3.x before 3.5.17, and 4.x before 4.0.9 might allow remote attackers to cause a denial of service or execute arbitrary code by seeding manager reports with crafted data. Important CVE-2016-4051 SUSE bug 976553 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple stack-based buffer overflows in Squid 3.x before 3.5.17 and 4.x before 4.0.9 allow remote HTTP servers to cause a denial of service or execute arbitrary code via crafted Edge Side Includes (ESI) responses. Important CVE-2016-4052 SUSE bug 976556 SUSE Linux Enterprise Server 11 SP3-TERADATA Squid 3.x before 3.5.17 and 4.x before 4.0.9 allow remote attackers to obtain sensitive stack layout information via crafted Edge Side Includes (ESI) responses, related to incorrect use of assert and compiler optimization. Moderate CVE-2016-4053 SUSE bug 976556 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in Squid 3.x before 3.5.17 and 4.x before 4.0.9 allows remote attackers to execute arbitrary code via crafted Edge Side Includes (ESI) responses. Important CVE-2016-4054 SUSE bug 976556 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 ** DISPUTED ** Integer overflow in the php_raw_url_encode function in ext/standard/url.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to cause a denial of service (application crash) via a long string to the rawurlencode function. NOTE: the vendor says "Not sure if this qualifies as security issue (probably not)." Moderate CVE-2016-4070 SUSE bug 976997 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call. Moderate CVE-2016-4073 SUSE bug 977003 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 ext/phar/phar_object.c in PHP before 5.5.32, 5.6.x before 5.6.18, and 7.x before 7.0.3 mishandles zero-length uncompressed data, which allows remote attackers to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a crafted (1) TAR, (2) ZIP, or (3) PHAR archive. Important CVE-2016-4342 SUSE bug 977991 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Integer overflow in the str_pad function in ext/standard/string.c in PHP before 7.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a long string, leading to a heap-based buffer overflow. Critical CVE-2016-4346 SUSE bug 977993 SUSE bug 977994 SUSE bug 977995 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3-TERADATA Stack-based buffer overflow in the clntudp_call function in sunrpc/clnt_udp.c in the GNU C Library (aka glibc or libc6) allows remote servers to cause a denial of service (crash) or possibly unspecified other impact via a flood of crafted ICMP and UDP packets. Moderate CVE-2016-4429 SUSE bug 1081556 SUSE bug 980854 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The esp_reg_write function in hw/scsi/esp.c in the 53C9X Fast SCSI Controller (FSC) support in QEMU does not properly check command buffer length, which allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) or potentially execute arbitrary code on the QEMU host via unspecified vectors. Important CVE-2016-4439 SUSE bug 980711 SUSE bug 980716 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The get_cmd function in hw/scsi/esp.c in the 53C9X Fast SCSI Controller (FSC) support in QEMU does not properly check DMA length, which allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via unspecified vectors, involving an SCSI command. Moderate CVE-2016-4441 SUSE bug 980723 SUSE bug 980724 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The xmlParseElementDecl function in parser.c in libxml2 before 2.9.4 allows context-dependent attackers to cause a denial of service (heap-based buffer underread and application crash) via a crafted file, involving xmlParseName. Important CVE-2016-4447 SUSE bug 1123919 SUSE bug 981548 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Format string vulnerability in libxml2 before 2.9.4 allows attackers to have unspecified impact via format string specifiers in unknown vectors. Critical CVE-2016-4448 SUSE bug 1010299 SUSE bug 1123919 SUSE bug 981549 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 XML external entity (XXE) vulnerability in the xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.4, when not in validating mode, allows context-dependent attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors. Important CVE-2016-4449 SUSE bug 1123919 SUSE bug 981550 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a VGA command. Moderate CVE-2016-4453 SUSE bug 982223 SUSE bug 982225 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The vmsvga_fifo_read_raw function in hw/display/vmware_vga.c in QEMU allows local guest OS administrators to obtain sensitive host memory information or cause a denial of service (QEMU process crash) by changing FIFO registers and issuing a VGA command, which triggers an out-of-bounds read. Moderate CVE-2016-4454 SUSE bug 982222 SUSE bug 982224 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The key_reject_and_link function in security/keys/key.c in the Linux kernel through 4.6.3 does not ensure that a certain data structure is initialized, which allows local users to cause a denial of service (system crash) via vectors involving a crafted keyctl request2 command. Important CVE-2016-4470 SUSE bug 984755 SUSE bug 984764 SUSE bug 990058 SUSE bug 991651 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The guest_walk_tables function in arch/x86/mm/guest_walk.c in Xen 4.6.x and earlier does not properly handle the Page Size (PS) page table entry bit at the L4 and L3 page table levels, which might allow local guest OS users to gain privileges via a crafted mapping of memory. Important CVE-2016-4480 SUSE bug 978288 SUSE bug 978295 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The proc_connectinfo function in drivers/usb/core/devio.c in the Linux kernel through 4.6 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted USBDEVFS_CONNECTINFO ioctl call. Moderate CVE-2016-4482 SUSE bug 978401 SUSE bug 978445 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The xmlBufAttrSerializeTxtContent function in xmlsave.c in libxml2 allows context-dependent attackers to cause a denial of service (out-of-bounds read and application crash) via a non-UTF-8 attribute value, related to serialization. NOTE: this vulnerability may be a duplicate of CVE-2016-3627. Low CVE-2016-4483 SUSE bug 1026101 SUSE bug 1123919 SUSE bug 978395 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The llc_cmsg_rcv function in net/llc/af_llc.c in the Linux kernel before 4.5.5 does not initialize a certain data structure, which allows attackers to obtain sensitive information from kernel stack memory by reading a message. Important CVE-2016-4485 SUSE bug 978821 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The rtnl_fill_link_ifmap function in net/core/rtnetlink.c in the Linux kernel before 4.5.5 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory by reading a Netlink message. Low CVE-2016-4486 SUSE bug 978822 SUSE bug 990058 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The bcpowmod function in ext/bcmath/bcmath.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 accepts a negative integer for the scale argument, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted call. Low CVE-2016-4537 SUSE bug 978827 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The bcpowmod function in ext/bcmath/bcmath.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 modifies certain data structures without considering whether they are copies of the _zero_, _one_, or _two_ global variable, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted call. Low CVE-2016-4538 SUSE bug 978827 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The xml_parse_into_struct function in ext/xml/xml.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote attackers to cause a denial of service (buffer under-read and segmentation fault) or possibly have unspecified other impact via crafted XML data in the second argument, leading to a parser level of zero. Moderate CVE-2016-4539 SUSE bug 978828 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The grapheme_stripos function in ext/intl/grapheme/grapheme_string.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a negative offset. Low CVE-2016-4540 SUSE bug 978829 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The grapheme_strpos function in ext/intl/grapheme/grapheme_string.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a negative offset. Low CVE-2016-4541 SUSE bug 978829 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The exif_process_IFD_TAG function in ext/exif/exif.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 does not properly construct spprintf arguments, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted header data. Low CVE-2016-4542 SUSE bug 978830 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The exif_process_IFD_in_JPEG function in ext/exif/exif.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 does not validate IFD sizes, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted header data. Low CVE-2016-4543 SUSE bug 978830 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The exif_process_TIFF_in_JPEG function in ext/exif/exif.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 does not validate TIFF start data, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted header data. Low CVE-2016-4544 SUSE bug 978830 SUSE bug 980366 SUSE Linux Enterprise Server 11 SP3-TERADATA client_side.cc in Squid before 3.5.18 and 4.x before 4.0.10 does not properly ignore the Host header when absolute-URI is provided, which allows remote attackers to conduct cache-poisoning attacks via an HTTP request. Important CVE-2016-4553 SUSE bug 979009 SUSE bug 990451 SUSE Linux Enterprise Server 11 SP3-TERADATA mime_header.cc in Squid before 3.5.18 allows remote attackers to bypass intended same-origin restrictions and possibly conduct cache-poisoning attacks via a crafted HTTP Host header, aka a "header smuggling" issue. Important CVE-2016-4554 SUSE bug 979010 SUSE bug 990451 SUSE Linux Enterprise Server 11 SP3-TERADATA client_side_request.cc in Squid 3.x before 3.5.18 and 4.x before 4.0.10 allows remote servers to cause a denial of service (crash) via crafted Edge Side Includes (ESI) responses. Moderate CVE-2016-4555 SUSE bug 979008 SUSE bug 979011 SUSE Linux Enterprise Server 11 SP3-TERADATA Double free vulnerability in Esi.cc in Squid 3.x before 3.5.18 and 4.x before 4.0.10 allows remote servers to cause a denial of service (crash) via a crafted Edge Side Includes (ESI) response. Moderate CVE-2016-4556 SUSE bug 979008 SUSE bug 979011 SUSE Linux Enterprise Server 11 SP3-TERADATA The DrawDashPolygon function in MagickCore/draw.c in ImageMagick before 6.9.4-0 and 7.x before 7.0.1-2 mishandles calculations of certain vertices integer data, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted file. Important CVE-2016-4562 SUSE bug 983292 SUSE bug 983305 SUSE bug 983308 SUSE bug 983309 SUSE Linux Enterprise Server 11 SP3-TERADATA The TraceStrokePolygon function in MagickCore/draw.c in ImageMagick before 6.9.4-0 and 7.x before 7.0.1-2 mishandles the relationship between the BezierQuantum value and certain strokes data, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted file. Important CVE-2016-4563 SUSE bug 983305 SUSE Linux Enterprise Server 11 SP3-TERADATA The DrawImage function in MagickCore/draw.c in ImageMagick before 6.9.4-0 and 7.x before 7.0.1-2 makes an incorrect function call in attempting to locate the next token, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted file. Critical CVE-2016-4564 SUSE bug 983308 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The InfiniBand (aka IB) stack in the Linux kernel before 4.5.3 incorrectly relies on the write system call, which allows local users to cause a denial of service (kernel memory write operation) or possibly have unspecified other impact via a uAPI interface. Important CVE-2016-4565 SUSE bug 979548 SUSE bug 980363 SUSE bug 980883 SUSE bug 990058 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The snd_timer_user_params function in sound/core/timer.c in the Linux kernel through 4.6 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface. Low CVE-2016-4569 SUSE bug 979213 SUSE bug 979879 SUSE bug 990058 SUSE Linux Enterprise Server 11 SP3-TERADATA Off-by-one error in the append_utf8_value function in the DN decoder (dn.c) in Libksba before 1.3.4 allows remote attackers to cause a denial of service (out-of-bounds read) via invalid utf-8 encoded data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-4356. Important CVE-2016-4574 SUSE bug 1135436 SUSE bug 979261 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 sound/core/timer.c in the Linux kernel through 4.6 does not initialize certain r1 data structures, which allows local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface, related to the (1) snd_timer_user_ccallback and (2) snd_timer_user_tinterrupt functions. Moderate CVE-2016-4578 SUSE bug 1052256 SUSE bug 979879 SUSE bug 990058 SUSE Linux Enterprise Server 11 SP3-TERADATA Libksba before 1.3.4 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via unspecified vectors, related to the "returned length of the object from _ksba_ber_parse_tl." Important CVE-2016-4579 SUSE bug 1135436 SUSE bug 979906 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The x25_negotiate_facilities function in net/x25/x25_facilities.c in the Linux kernel before 4.5.5 does not properly initialize a certain data structure, which allows attackers to obtain sensitive information from kernel stack memory via an X.25 Call Request. Important CVE-2016-4580 SUSE bug 870618 SUSE bug 981267 SUSE bug 985132 SUSE Linux Enterprise Server 11 SP3-TERADATA xpointer.c in libxml2 before 2.9.5 (as used in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3, and other products) does not forbid namespace nodes in XPointer ranges, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and memory corruption) via a crafted XML document. Moderate CVE-2016-4658 SUSE bug 1005544 SUSE bug 1014873 SUSE bug 1069433 SUSE bug 1078813 SUSE bug 1123919 SUSE Linux Enterprise Server 11 SP3-TERADATA libxslt in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site. Moderate CVE-2016-4738 SUSE bug 1005591 SUSE bug 1123130 SUSE Linux Enterprise Server 11 SP3-TERADATA The read_boot function in boot.c in dosfstools before 4.0 allows attackers to cause a denial of service (crash) via a crafted filesystem, which triggers a heap-based buffer overflow in the (1) read_fat function or an out-of-bounds heap read in (2) get_fat function. Moderate CVE-2016-4804 SUSE bug 980364 SUSE bug 980377 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Use-after-free vulnerability in drivers/net/ppp/ppp_generic.c in the Linux kernel before 4.5.2 allows local users to cause a denial of service (memory corruption and system crash, or spinlock) or possibly have unspecified other impact by removing a network namespace, related to the ppp_register_net_channel and ppp_unregister_channel functions. Important CVE-2016-4805 SUSE bug 980371 SUSE bug 990058 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The archive_read_format_cpio_read_header function in archive_read_support_format_cpio.c in libarchive before 3.2.1 allows remote attackers to cause a denial of service (application crash) via a CPIO archive with a large symlink. Low CVE-2016-4809 SUSE bug 984990 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The get_rock_ridge_filename function in fs/isofs/rock.c in the Linux kernel before 4.5.5 mishandles NM (aka alternate name) entries containing \0 characters, which allows local users to obtain sensitive information from kernel memory or possibly have unspecified other impact via a crafted isofs filesystem. Important CVE-2016-4913 SUSE bug 870618 SUSE bug 980725 SUSE bug 985132 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (ephemeral-association demobilization) by sending a spoofed crypto-NAK packet with incorrect authentication data at a certain time. Moderate CVE-2016-4953 SUSE bug 962784 SUSE bug 977459 SUSE bug 982056 SUSE bug 982065 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The process_packet function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (peer-variable modification) by sending spoofed packets from many source IP addresses in a certain scenario, as demonstrated by triggering an incorrect leap indication. Moderate CVE-2016-4954 SUSE bug 982056 SUSE bug 982066 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 ntpd in NTP 4.x before 4.2.8p8, when autokey is enabled, allows remote attackers to cause a denial of service (peer-variable clearing and association outage) by sending (1) a spoofed crypto-NAK packet or (2) a packet with an incorrect MAC value at a certain time. Moderate CVE-2016-4955 SUSE bug 982056 SUSE bug 982067 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (interleaved-mode transition and time change) via a spoofed broadcast packet. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-1548. Moderate CVE-2016-4956 SUSE bug 977461 SUSE bug 982056 SUSE bug 982068 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 ntpd in NTP before 4.2.8p8 allows remote attackers to cause a denial of service (daemon crash) via a crypto-NAK packet. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-1547. Important CVE-2016-4957 SUSE bug 977459 SUSE bug 982056 SUSE bug 982064 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 GNU wget before 1.18 allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted FTP resource. Important CVE-2016-4971 SUSE bug 1023231 SUSE bug 984060 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The compat IPT_SO_SET_REPLACE and IP6T_SO_SET_REPLACE setsockopt implementations in the netfilter subsystem in the Linux kernel before 4.6.3 allow local users to gain privileges or cause a denial of service (memory corruption) by leveraging in-container root access to provide a crafted offset value that triggers an unintended decrement. Important CVE-2016-4997 SUSE bug 986362 SUSE bug 986365 SUSE bug 986377 SUSE bug 990058 SUSE bug 991651 SUSE Linux Enterprise Server 11 SP3-TERADATA libvirt before 2.0.0 improperly disables password checking when the password on a VNC server is set to an empty string, which allows remote attackers to bypass authentication and establish a VNC session by connecting to the server. Moderate CVE-2016-5008 SUSE bug 987527 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 a malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications. Moderate CVE-2016-5018 SUSE bug 1007855 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The get_icu_value_internal function in ext/intl/locale/locale_methods.c in PHP before 5.5.36, 5.6.x before 5.6.22, and 7.x before 7.0.7 does not ensure the presence of a '\0' character, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted locale_get_primary_language call. Moderate CVE-2016-5093 SUSE bug 982010 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Integer overflow in the php_html_entities function in ext/standard/html.c in PHP before 5.5.36 and 5.6.x before 5.6.22 allows remote attackers to cause a denial of service or possibly have unspecified other impact by triggering a large output string from the htmlspecialchars function. Moderate CVE-2016-5094 SUSE bug 982011 SUSE bug 982012 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Integer overflow in the php_escape_html_entities_ex function in ext/standard/html.c in PHP before 5.5.36 and 5.6.x before 5.6.22 allows remote attackers to cause a denial of service or possibly have unspecified other impact by triggering a large output string from a FILTER_SANITIZE_FULL_SPECIAL_CHARS filter_var call. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-5094. Important CVE-2016-5095 SUSE bug 982011 SUSE bug 982012 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Integer overflow in the fread function in ext/standard/file.c in PHP before 5.5.36 and 5.6.x before 5.6.22 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large integer in the second argument. Moderate CVE-2016-5096 SUSE bug 982013 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in the readgifimage function in gif2tiff.c in the gif2tiff tool in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (segmentation fault) via a crafted gif file. Moderate CVE-2016-5102 SUSE bug 983268 SUSE Linux Enterprise Server 11 SP3-TERADATA The megasas_dcmd_cfg_read function in hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, uses an uninitialized variable, which allows local guest administrators to read host memory via vectors involving a MegaRAID Firmware Interface (MFI) command. Moderate CVE-2016-5105 SUSE bug 982017 SUSE bug 982024 SUSE Linux Enterprise Server 11 SP3-TERADATA The megasas_dcmd_set_properties function in hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allows local guest administrators to cause a denial of service (out-of-bounds write access) via vectors involving a MegaRAID Firmware Interface (MFI) command. Moderate CVE-2016-5106 SUSE bug 982018 SUSE bug 982025 SUSE Linux Enterprise Server 11 SP3-TERADATA The megasas_lookup_frame function in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds read and crash) via unspecified vectors. Moderate CVE-2016-5107 SUSE bug 982019 SUSE bug 982026 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 sapi/fpm/fpm/fpm_log.c in PHP before 5.5.31, 5.6.x before 5.6.17, and 7.x before 7.0.2 misinterprets the semantics of the snprintf return value, which allows attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read and buffer overflow) via a long string, as demonstrated by a long URI in a configuration with custom REQUEST_URI logging. Moderate CVE-2016-5114 SUSE bug 982162 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The OpenBlob function in blob.c in GraphicsMagick before 1.3.24 and ImageMagick allows remote attackers to execute arbitrary code via a | (pipe) character at the start of a filename. Critical CVE-2016-5118 SUSE bug 982178 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the iscsi_aio_ioctl function in block/iscsi.c in QEMU allows local guest OS users to cause a denial of service (QEMU process crash) or possibly execute arbitrary code via a crafted iSCSI asynchronous I/O ioctl call. Moderate CVE-2016-5126 SUSE bug 982285 SUSE bug 982286 SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function. Important CVE-2016-5131 SUSE bug 1014873 SUSE bug 1069433 SUSE bug 1078813 SUSE bug 1123919 SUSE bug 989901 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the ares_create_query function in c-ares 1.x before 1.12.0 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly execute arbitrary code via a hostname with an escaped trailing dot. Moderate CVE-2016-5180 SUSE bug 1007728 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Race condition in mm/gup.c in the Linux kernel 2.x through 4.x before 4.8.3 allows local users to gain privileges by leveraging incorrect handling of a copy-on-write (COW) feature to write to a read-only memory mapping, as exploited in the wild in October 2016, aka "Dirty COW." Important CVE-2016-5195 SUSE bug 1004418 SUSE bug 1004419 SUSE bug 1004436 SUSE bug 1006323 SUSE bug 1006695 SUSE bug 1008110 SUSE bug 1030118 SUSE bug 1069496 SUSE bug 1149725 SUSE bug 870618 SUSE bug 986445 SUSE bug 987565 SUSE bug 998689 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The get_cmd function in hw/scsi/esp.c in QEMU might allow local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors related to reading from the information transfer buffer in non-DMA mode. Moderate CVE-2016-5238 SUSE bug 982959 SUSE bug 982960 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The tipc_nl_compat_link_dump function in net/tipc/netlink_compat.c in the Linux kernel through 4.6.3 does not properly copy a certain string, which allows local users to obtain sensitive information from kernel stack memory by reading a Netlink message. Moderate CVE-2016-5243 SUSE bug 983212 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The rds_inc_info_copy function in net/rds/recv.c in the Linux kernel through 4.6.3 does not initialize a certain structure member, which allows remote attackers to obtain sensitive information from kernel stack memory by reading an RDS message. Moderate CVE-2016-5244 SUSE bug 983213 SUSE bug 990058 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Mozilla Firefox before 48.0, Firefox ESR < 45.4 and Thunderbird < 45.4 allow remote attackers to obtain sensitive information about the previously retrieved page via Resource Timing API calls. Important CVE-2016-5250 SUSE bug 991809 SUSE bug 999701 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Stack-based buffer underflow in the mozilla::gfx::BasePoint4d function in Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 allows remote attackers to execute arbitrary code via crafted two-dimensional graphics data that is mishandled during clipping-region calculations. Moderate CVE-2016-5252 SUSE bug 991809 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Use-after-free vulnerability in the nsXULPopupManager::KeyDown function in Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 allows attackers to execute arbitrary code or cause a denial of service (heap memory corruption and application crash) by leveraging keyboard access to use the Alt key during selection of top-level menu items. Moderate CVE-2016-5254 SUSE bug 991809 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 49.0, Firefox ESR 45.x before 45.4 and Thunderbird < 45.4 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Important CVE-2016-5257 SUSE bug 999701 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Use-after-free vulnerability in the WebRTC socket thread in Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 allows remote attackers to execute arbitrary code by leveraging incorrect free operations on DTLS objects during the shutdown of a WebRTC session. Important CVE-2016-5258 SUSE bug 991809 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Use-after-free vulnerability in the CanonicalizeXPCOMParticipant function in Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 allows remote attackers to execute arbitrary code via a script that closes its own Service Worker within a nested sync event loop. Important CVE-2016-5259 SUSE bug 991809 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Integer overflow in the WebSocketChannel class in the WebSockets subsystem in Mozilla Firefox before 48.0 and Firefox ESR < 45.4 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted packets that trigger incorrect buffer-resize operations during buffering. Important CVE-2016-5261 SUSE bug 991809 SUSE bug 999701 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 process JavaScript event-handler attributes of a MARQUEE element within a sandboxed IFRAME element that lacks the sandbox="allow-scripts" attribute value, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted web site. Moderate CVE-2016-5262 SUSE bug 991809 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The nsDisplayList::HitTest function in Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 mishandles rendering display transformation, which allows remote attackers to execute arbitrary code via a crafted web site that leverages "type confusion." Moderate CVE-2016-5263 SUSE bug 991809 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Use-after-free vulnerability in the nsNodeUtils::NativeAnonymousChildListChange function in Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via an SVG element that is mishandled during effect application. Moderate CVE-2016-5264 SUSE bug 991809 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 allow user-assisted remote attackers to bypass the Same Origin Policy, and conduct Universal XSS (UXSS) attacks or read arbitrary files, by arranging for the presence of a crafted HTML document and a crafted shortcut file in the same local directory. Moderate CVE-2016-5265 SUSE bug 991809 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Heap-based buffer overflow in the nsCaseTransformTextRunFactory::TransformString function in Mozilla Firefox before 49.0, Firefox ESR 45.x before 45.4, and Thunderbird < 45.4 allows remote attackers to cause a denial of service (boolean out-of-bounds write) or possibly have unspecified other impact via Unicode characters that are mishandled during text conversion. Important CVE-2016-5270 SUSE bug 999701 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The nsImageGeometryMixin class in Mozilla Firefox before 49.0, Firefox ESR 45.x before 45.4, and Thunderbird < 45.4 does not properly perform a cast of an unspecified variable during handling of INPUT elements, which allows remote attackers to execute arbitrary code via a crafted web site. Important CVE-2016-5272 SUSE bug 999701 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Use-after-free vulnerability in the nsFrameManager::CaptureFrameState function in Mozilla Firefox before 49.0, Firefox ESR 45.x before 45.4, and Thunderbird < 45.4 allows remote attackers to execute arbitrary code by leveraging improper interaction between restyling and the Web Animations model implementation. Important CVE-2016-5274 SUSE bug 999701 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Use-after-free vulnerability in the mozilla::a11y::DocAccessible::ProcessInvalidationList function in Mozilla Firefox before 49.0, Firefox ESR 45.x before 45.4, and Thunderbird < 45.4 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via an aria-owns attribute. Important CVE-2016-5276 SUSE bug 999701 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Use-after-free vulnerability in the nsRefreshDriver::Tick function in Mozilla Firefox before 49.0, Firefox ESR 45.x before 45.4, and Thunderbird < 45.4 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) by leveraging improper interaction between timeline destruction and the Web Animations model implementation. Important CVE-2016-5277 SUSE bug 999701 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Heap-based buffer overflow in the nsBMPEncoder::AddImageFrame function in Mozilla Firefox before 49.0, Firefox ESR 45.x before 45.4, and Thunderbird < 45.4 allows remote attackers to execute arbitrary code via a crafted image data that is mishandled during the encoding of an image frame to an image. Important CVE-2016-5278 SUSE bug 999701 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Use-after-free vulnerability in the mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap function in Mozilla Firefox before 49.0, Firefox ESR 45.x before 45.4, and Thunderbird < 45.4 allows remote attackers to execute arbitrary code via bidirectional text. Important CVE-2016-5280 SUSE bug 999701 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Use-after-free vulnerability in the DOMSVGLength class in Mozilla Firefox before 49.0, Firefox ESR 45.x before 45.4, and Thunderbird < 45.4 allows remote attackers to execute arbitrary code by leveraging improper interaction between JavaScript code and an SVG document. Important CVE-2016-5281 SUSE bug 999701 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Mozilla Firefox before 49.0, Firefox ESR 45.x before 45.4, and Thunderbird < 45.4 rely on unintended expiration dates for Preloaded Public Key Pinning, which allows man-in-the-middle attackers to spoof add-on updates by leveraging possession of an X.509 server certificate for addons.mozilla.org signed by an arbitrary built-in Certification Authority. Important CVE-2016-5284 SUSE bug 999701 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Moderate CVE-2016-5285 SUSE bug 1010517 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Memory safety bugs were reported in Firefox 49 and Firefox ESR 45.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 45.5, Firefox ESR < 45.5, and Firefox < 50. Important CVE-2016-5290 SUSE bug 1009026 SUSE bug 1010427 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 A same-origin policy bypass with local shortcut files to load arbitrary local content from disk. This vulnerability affects Thunderbird < 45.5, Firefox ESR < 45.5, and Firefox < 50. Moderate CVE-2016-5291 SUSE bug 1009026 SUSE bug 1010410 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 A heap-buffer-overflow in Cairo when processing SVG content caused by compiler optimization, resulting in a potentially exploitable crash. This vulnerability affects Thunderbird < 45.5, Firefox ESR < 45.5, and Firefox < 50. Important CVE-2016-5296 SUSE bug 1009026 SUSE bug 1010395 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 An error in argument length checking in JavaScript, leading to potential integer overflows or other bounds checking issues. This vulnerability affects Thunderbird < 45.5, Firefox ESR < 45.5, and Firefox < 50. Moderate CVE-2016-5297 SUSE bug 1009026 SUSE bug 1010401 SUSE Linux Enterprise Server 11 SP3-TERADATA The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876. Moderate CVE-2016-5300 SUSE bug 983216 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in the PixarLogDecode function in tif_pixarlog.c in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted TIFF image, as demonstrated by overwriting the vgetparent function pointer with rgb2ycbcr. Moderate CVE-2016-5314 SUSE bug 984831 SUSE bug 987351 SUSE Linux Enterprise Server 11 SP3-TERADATA The setByteArray function in tif_dir.c in libtiff 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted tiff image. Moderate CVE-2016-5315 SUSE bug 984809 SUSE Linux Enterprise Server 11 SP3-TERADATA Out-of-bounds read in the PixarLogCleanup function in tif_pixarlog.c in libtiff 4.0.6 and earlier allows remote attackers to crash the application by sending a crafted TIFF image to the rgb2ycbcr tool. Moderate CVE-2016-5316 SUSE bug 984837 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in the PixarLogDecode function in libtiff.so in the PixarLogDecode function in libtiff 4.0.6 and earlier, as used in GNOME nautilus, allows attackers to cause a denial of service attack (crash) via a crafted TIFF file. Moderate CVE-2016-5317 SUSE bug 984842 SUSE Linux Enterprise Server 11 SP3-TERADATA Stack-based buffer overflow in the _TIFFVGetField function in libtiff 4.0.6 and earlier allows remote attackers to crash the application via a crafted tiff. Moderate CVE-2016-5318 SUSE bug 1007276 SUSE bug 1017690 SUSE bug 1040322 SUSE bug 960341 SUSE bug 974621 SUSE bug 983436 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in tif_packbits.c in libtiff 4.0.6 and earlier allows remote attackers to crash the application via a crafted bmp file. Moderate CVE-2016-5319 SUSE bug 1074186 SUSE bug 1150480 SUSE bug 983440 SUSE Linux Enterprise Server 11 SP3-TERADATA ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2016-5314. Reason: This candidate is a reservation duplicate of CVE-2016-5314. Notes: All CVE users should reference CVE-2016-5314 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Low CVE-2016-5320 SUSE bug 1007284 SUSE bug 984808 SUSE bug 987351 SUSE Linux Enterprise Server 11 SP3-TERADATA The megasas_ctrl_get_info function in hw/scsi/megasas.c in QEMU allows local guest OS administrators to obtain sensitive host memory information via vectors related to reading device control information. Moderate CVE-2016-5337 SUSE bug 983961 SUSE bug 983973 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The (1) esp_reg_read and (2) esp_reg_write functions in hw/scsi/esp.c in QEMU allow local guest OS administrators to cause a denial of service (QEMU process crash) or execute arbitrary code on the QEMU host via vectors related to the information transfer buffer. Important CVE-2016-5338 SUSE bug 983982 SUSE bug 983984 SUSE Linux Enterprise Server 11 SP3-TERADATA epan/dissectors/packet-dcerpc-spoolss.c in the SPOOLS component in Wireshark 1.12.x before 1.12.12 and 2.x before 2.0.4 mishandles unexpected offsets, which allows remote attackers to cause a denial of service (infinite loop) via a crafted packet. Important CVE-2016-5350 SUSE bug 983671 SUSE Linux Enterprise Server 11 SP3-TERADATA epan/crypt/airpdcap.c in the IEEE 802.11 dissector in Wireshark 1.12.x before 1.12.12 and 2.x before 2.0.4 mishandles the lack of an EAPOL_RSN_KEY, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. Important CVE-2016-5351 SUSE bug 983671 SUSE Linux Enterprise Server 11 SP3-TERADATA epan/crypt/airpdcap.c in the IEEE 802.11 dissector in Wireshark 2.x before 2.0.4 mishandles certain length values, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. Important CVE-2016-5352 SUSE bug 983671 SUSE Linux Enterprise Server 11 SP3-TERADATA epan/dissectors/packet-umts_fp.c in the UMTS FP dissector in Wireshark 1.12.x before 1.12.12 and 2.x before 2.0.4 mishandles the reserved C/T value, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. Important CVE-2016-5353 SUSE bug 983671 SUSE Linux Enterprise Server 11 SP3-TERADATA The USB subsystem in Wireshark 1.12.x before 1.12.12 and 2.x before 2.0.4 mishandles class types, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. Important CVE-2016-5354 SUSE bug 983671 SUSE Linux Enterprise Server 11 SP3-TERADATA wiretap/toshiba.c in the Toshiba file parser in Wireshark 1.12.x before 1.12.12 and 2.x before 2.0.4 mishandles sscanf unsigned-integer processing, which allows remote attackers to cause a denial of service (application crash) via a crafted file. Important CVE-2016-5355 SUSE bug 983671 SUSE Linux Enterprise Server 11 SP3-TERADATA wiretap/cosine.c in the CoSine file parser in Wireshark 1.12.x before 1.12.12 and 2.x before 2.0.4 mishandles sscanf unsigned-integer processing, which allows remote attackers to cause a denial of service (application crash) via a crafted file. Important CVE-2016-5356 SUSE bug 983671 SUSE Linux Enterprise Server 11 SP3-TERADATA wiretap/netscreen.c in the NetScreen file parser in Wireshark 1.12.x before 1.12.12 and 2.x before 2.0.4 mishandles sscanf unsigned-integer processing, which allows remote attackers to cause a denial of service (application crash) via a crafted file. Important CVE-2016-5357 SUSE bug 983671 SUSE Linux Enterprise Server 11 SP3-TERADATA epan/dissectors/packet-pktap.c in the Ethernet dissector in Wireshark 2.x before 2.0.4 mishandles the packet-header data type, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. Important CVE-2016-5358 SUSE bug 983671 SUSE Linux Enterprise Server 11 SP3-TERADATA epan/dissectors/packet-wbxml.c in the WBXML dissector in Wireshark 1.12.x before 1.12.12 mishandles offsets, which allows remote attackers to cause a denial of service (integer overflow and infinite loop) via a crafted packet. Important CVE-2016-5359 SUSE bug 983671 SUSE Linux Enterprise Server 11 SP3-TERADATA fontconfig before 2.12.1 does not validate offsets, which allows local users to trigger arbitrary free calls and consequently conduct double free attacks and execute arbitrary code via a crafted cache file. Moderate CVE-2016-5384 SUSE bug 1123116 SUSE bug 992534 SUSE Linux Enterprise Server 11 SP3-TERADATA The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "This mitigation has been assigned the identifier CVE-2016-5387"; in other words, this is not a CVE ID for a vulnerability. Moderate CVE-2016-5387 SUSE bug 988484 SUSE bug 988486 SUSE bug 988487 SUSE bug 988488 SUSE bug 988489 SUSE bug 988491 SUSE bug 988492 SUSE bug 989125 SUSE bug 989174 SUSE bug 989684 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability. Moderate CVE-2016-5388 SUSE bug 988484 SUSE bug 988486 SUSE bug 988487 SUSE bug 988488 SUSE bug 988489 SUSE bug 988491 SUSE bug 988492 SUSE bug 989125 SUSE bug 989174 SUSE Linux Enterprise Server 11 SP3-TERADATA The bzread function in ext/bz2/bz2.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (out-of-bounds write) or execute arbitrary code via a crafted bz2 archive. Important CVE-2016-5399 SUSE bug 991430 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The virtqueue_pop function in hw/virtio/virtio.c in QEMU allows local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) by submitting requests without waiting for completion. Low CVE-2016-5403 SUSE bug 990923 SUSE bug 991080 SUSE Linux Enterprise Server 11 SP3-TERADATA The (1) XvQueryAdaptors and (2) XvQueryEncodings functions in X.org libXv before 1.0.11 allow remote X servers to trigger out-of-bounds memory access operations via vectors involving length specifications in received data. Moderate CVE-2016-5407 SUSE bug 1003017 SUSE bug 1123148 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 curl and libcurl before 7.50.1 do not prevent TLS session resumption when the client certificate has changed, which allows remote attackers to bypass intended restrictions by resuming a session. Moderate CVE-2016-5419 SUSE bug 1033413 SUSE bug 1033442 SUSE bug 991389 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 curl and libcurl before 7.50.1 do not check the client certificate when choosing the TLS connection to reuse, which might allow remote attackers to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate. Moderate CVE-2016-5420 SUSE bug 991390 SUSE bug 997420 SUSE Linux Enterprise Server 11 SP3-TERADATA PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before 9.4.9, and 9.5.x before 9.5.4 allow remote authenticated users to cause a denial of service (NULL pointer dereference and server crash), obtain sensitive memory information, or possibly execute arbitrary code via (1) a CASE expression within the test value subexpression of another CASE or (2) inlining of an SQL function that implements the equality operator used for a CASE expression involving values of different types. Important CVE-2016-5423 SUSE bug 1041981 SUSE bug 1042497 SUSE bug 1052683 SUSE bug 993454 SUSE Linux Enterprise Server 11 SP3-TERADATA PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before 9.4.9, and 9.5.x before 9.5.4 might allow remote authenticated users with the CREATEDB or CREATEROLE role to gain superuser privileges via a (1) " (double quote), (2) \ (backslash), (3) carriage return, or (4) newline character in a (a) database or (b) role name that is mishandled during an administrative operation. Important CVE-2016-5424 SUSE bug 1041981 SUSE bug 1042497 SUSE bug 1052683 SUSE bug 993453 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier, 5.6.30 and earlier, and 5.7.12 and earlier and MariaDB before 5.5.50, 10.0.x before 10.0.26, and 10.1.x before 10.1.15 allows remote administrators to affect availability via vectors related to Server: RBR. Important CVE-2016-5440 SUSE bug 989926 SUSE bug 991616 SUSE Linux Enterprise Server 11 SP3-TERADATA ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-3600. Reason: This candidate is a reservation duplicate of CVE-2017-3600. Notes: All CVE users should reference CVE-2017-3600 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Moderate CVE-2016-5483 SUSE bug 1001367 SUSE bug 1005555 SUSE bug 1005557 SUSE bug 1005561 SUSE bug 1005562 SUSE bug 1005563 SUSE bug 1005564 SUSE bug 1005566 SUSE bug 1005569 SUSE bug 1005570 SUSE bug 1005582 SUSE bug 1020875 SUSE bug 1020876 SUSE bug 1020877 SUSE bug 1020878 SUSE bug 1020882 SUSE bug 1020883 SUSE bug 1020884 SUSE bug 1020885 SUSE bug 1020888 SUSE bug 1020890 SUSE bug 1020891 SUSE bug 1020893 SUSE bug 1020894 SUSE bug 1020896 SUSE bug 1020898 SUSE bug 1020901 SUSE bug 1022428 SUSE bug 1029014 SUSE bug 1029396 SUSE bug 1034850 SUSE bug 1049393 SUSE bug 1049394 SUSE bug 1049396 SUSE bug 1049399 SUSE bug 1049400 SUSE bug 1049401 SUSE bug 1049402 SUSE bug 1049403 SUSE bug 1049404 SUSE bug 1049405 SUSE bug 1049406 SUSE bug 1049407 SUSE bug 1049408 SUSE bug 1049409 SUSE bug 1049410 SUSE bug 1049411 SUSE bug 1049412 SUSE bug 1049414 SUSE bug 1049415 SUSE bug 1049416 SUSE bug 1049417 SUSE bug 1064101 SUSE bug 1064107 SUSE bug 1064115 SUSE bug 1064116 SUSE bug 1064117 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Unspecified vulnerability in Oracle Java SE 6u121, 7u111, 8u102; and Java SE Embedded 8u101 allows remote attackers to affect integrity via vectors related to Libraries. Moderate CVE-2016-5542 SUSE bug 1005522 SUSE bug 1009280 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Unspecified vulnerability in Oracle Java SE 6u121, 7u111, 8u102; and Java SE Embedded 8u101 allows remote attackers to affect integrity via vectors related to JMX. Moderate CVE-2016-5554 SUSE bug 1005523 SUSE bug 1009280 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Unspecified vulnerability in Oracle Java SE 6u121, 7u111, and 8u102 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to 2D. Important CVE-2016-5556 SUSE bug 1005524 SUSE bug 1009280 SUSE bug 1016265 SUSE bug 1016289 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Unspecified vulnerability in Oracle Java SE 6u121, 7u111, and 8u102 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT. Important CVE-2016-5568 SUSE bug 1005525 SUSE bug 1009280 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Unspecified vulnerability in Oracle Java SE 6u121, 7u111, 8u102; and Java SE Embedded 8u101 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Hotspot, a different vulnerability than CVE-2016-5582. Important CVE-2016-5573 SUSE bug 1005526 SUSE bug 1009280 SUSE Linux Enterprise Server 11 SP3-TERADATA Unspecified vulnerability in Oracle MySQL 5.5.52 and earlier, 5.6.33 and earlier, and 5.7.15 and earlier allows remote administrators to affect confidentiality via vectors related to Server: Security: Encryption. Moderate CVE-2016-5584 SUSE bug 1005558 SUSE bug 1008318 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Unspecified vulnerability in Oracle Java SE 6u121, 7u111, 8u102; and Java SE Embedded 8u101 allows remote attackers to affect confidentiality via vectors related to Networking. Moderate CVE-2016-5597 SUSE bug 1005528 SUSE bug 1009280 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow. Important CVE-2016-5636 SUSE bug 1065451 SUSE bug 1095424 SUSE bug 1106262 SUSE bug 985177 SUSE Linux Enterprise Server 11 SP3-TERADATA An exploitable heap-based buffer overflow exists in the handling of TIFF images in LibTIFF's TIFF2PDF tool. A crafted TIFF document can lead to a heap-based buffer overflow resulting in remote code execution. Vulnerability can be triggered via a saved TIFF file delivered by other means. Important CVE-2016-5652 SUSE bug 1007280 SUSE Linux Enterprise Server 11 SP3-TERADATA The VerticalFilter function in the DDS coder in ImageMagick before 6.9.4-3 and 7.x before 7.0.1-4 allows remote attackers to have unspecified impact via a crafted DDS file, which triggers an out-of-bounds read. Critical CVE-2016-5687 SUSE bug 1000713 SUSE bug 1000714 SUSE bug 1074610 SUSE bug 985448 SUSE Linux Enterprise Server 11 SP3-TERADATA The WPG parser in ImageMagick before 6.9.4-4 and 7.x before 7.0.1-5, when a memory limit is set, allows remote attackers to have unspecified impact via vectors related to the SetImageExtent return-value check, which trigger (1) a heap-based buffer overflow in the SetPixelIndex function or an invalid write operation in the (2) ScaleCharToQuantum or (3) SetPixelIndex functions. Important CVE-2016-5688 SUSE bug 985442 SUSE Linux Enterprise Server 11 SP3-TERADATA The DCM reader in ImageMagick before 6.9.4-5 and 7.x before 7.0.1-7 allows remote attackers to have unspecified impact by leveraging lack of NULL pointer checks. Critical CVE-2016-5689 SUSE bug 985460 SUSE Linux Enterprise Server 11 SP3-TERADATA The ReadDCMImage function in DCM reader in ImageMagick before 6.9.4-5 and 7.x before 7.0.1-7 allows remote attackers to have unspecified impact via vectors involving the for statement in computing the pixel scaling table. Critical CVE-2016-5690 SUSE bug 985451 SUSE bug 985460 SUSE Linux Enterprise Server 11 SP3-TERADATA The DCM reader in ImageMagick before 6.9.4-5 and 7.x before 7.0.1-7 allows remote attackers to have unspecified impact by leveraging lack of validation of (1) pixel.red, (2) pixel.green, and (3) pixel.blue. Critical CVE-2016-5691 SUSE bug 985456 SUSE bug 985460 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 net/ipv4/tcp_input.c in the Linux kernel before 4.7 does not properly determine the rate of challenge ACK segments, which makes it easier for remote attackers to hijack TCP sessions via a blind in-window attack. Moderate CVE-2016-5696 SUSE bug 989152 SUSE bug 994167 SUSE Linux Enterprise Server 11 SP3-TERADATA CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL. Moderate CVE-2016-5699 SUSE bug 1122729 SUSE bug 1130840 SUSE bug 985348 SUSE bug 985351 SUSE bug 986630 SUSE Linux Enterprise Server 11 SP3-TERADATA libstorage, libstorage-ng, and yast-storage improperly store passphrases for encrypted storage devices in a temporary file on disk, which might allow local users to obtain sensitive information by reading the file, as demonstrated by /tmp/libstorage-XXXXXX/pwdf. Moderate CVE-2016-5746 SUSE bug 984245 SUSE bug 986971 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in the _gd2GetHeader function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.3, as used in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8, allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via crafted chunk dimensions in an image. Moderate CVE-2016-5766 SUSE bug 986386 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in the gdImageCreate function in gd.c in the GD Graphics Library (aka libgd) before 2.0.34RC1, as used in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8, allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted image dimensions. Moderate CVE-2016-5767 SUSE bug 986393 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple integer overflows in mcrypt.c in the mcrypt extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 allow remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted length value, related to the (1) mcrypt_generic and (2) mdecrypt_generic functions. Moderate CVE-2016-5769 SUSE bug 986388 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA spl_array.c in the SPL extension in PHP before 5.5.37 and 5.6.x before 5.6.23 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data. Moderate CVE-2016-5771 SUSE bug 986247 SUSE bug 986391 SUSE Linux Enterprise Server 11 SP3-TERADATA Double free vulnerability in the php_wddx_process_data function in wddx.c in the WDDX extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted XML data that is mishandled in a wddx_deserialize call. Moderate CVE-2016-5772 SUSE bug 986244 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA php_zip.c in the zip extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data containing a ZipArchive object. Moderate CVE-2016-5773 SUSE bug 986247 SUSE bug 986391 SUSE Linux Enterprise Server 11 SP3-TERADATA The icalproperty_new_clone function in libical 0.47 and 1.0 allows remote attackers to cause a denial of service (use-after-free) via a crafted ics file. Moderate CVE-2016-5823 SUSE bug 986632 SUSE Linux Enterprise Server 11 SP3-TERADATA libical 1.0 allows remote attackers to cause a denial of service (use-after-free) via a crafted ics file. Moderate CVE-2016-5824 SUSE bug 1015964 SUSE bug 1122983 SUSE bug 986631 SUSE bug 986639 SUSE bug 986642 SUSE bug 986658 SUSE Linux Enterprise Server 11 SP3-TERADATA The icalparser_parse_string function in libical 0.47 and 1.0 allows remote attackers to cause a denial of service (out-of-bounds heap read) via a crafted ics file. Moderate CVE-2016-5825 SUSE bug 986631 SUSE bug 986639 SUSE bug 986642 SUSE bug 986658 SUSE Linux Enterprise Server 11 SP3-TERADATA The parser_get_next_char function in libical 0.47 and 1.0 allows remote attackers to cause a denial of service (out-of-bounds heap read) by crafting a string to the icalparser_parse_string function. Moderate CVE-2016-5826 SUSE bug 986631 SUSE bug 986639 SUSE bug 986642 SUSE bug 986658 SUSE Linux Enterprise Server 11 SP3-TERADATA The icaltime_from_string function in libical 0.47 and 1.0 allows remote attackers to cause a denial of service (out-of-bounds heap read) via a crafted string to the icalparser_parse_string function. Moderate CVE-2016-5827 SUSE bug 986631 SUSE bug 986639 SUSE bug 986642 SUSE bug 986658 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Multiple heap-based buffer overflows in the hiddev_ioctl_usage function in drivers/hid/usbhid/hiddev.c in the Linux kernel through 4.6.3 allow local users to cause a denial of service or possibly have unspecified other impact via a crafted (1) HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call. Important CVE-2016-5829 SUSE bug 1053919 SUSE bug 1054127 SUSE bug 986572 SUSE bug 986573 SUSE bug 990058 SUSE bug 991651 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in MagickCore/profile.c in ImageMagick before 7.0.2-1 allows remote attackers to cause a denial of service (segmentation fault) or possibly execute arbitrary code via vectors involving the offset variable. Important CVE-2016-5841 SUSE bug 986609 SUSE Linux Enterprise Server 11 SP3-TERADATA MagickCore/property.c in ImageMagick before 7.0.2-1 allows remote attackers to obtain sensitive memory information via vectors involving the q variable, which triggers an out-of-bounds read. Moderate CVE-2016-5842 SUSE bug 986608 SUSE Linux Enterprise Server 11 SP3-TERADATA ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2016-5314. Reason: This candidate is a reservation duplicate of CVE-2016-5314. Notes: All CVE users should reference CVE-2016-5314 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Important CVE-2016-5875 SUSE bug 1007284 SUSE bug 984809 SUSE bug 984831 SUSE bug 987351 SUSE Linux Enterprise Server 11 SP3-TERADATA os_unix.c in SQLite before 3.13.0 improperly implements the temporary directory search algorithm, which might allow local users to obtain sensitive information, cause a denial of service (application crash), or have unspecified other impact by leveraging use of the current working directory for temporary files. Low CVE-2016-6153 SUSE bug 1149969 SUSE bug 987394 SUSE Linux Enterprise Server 11 SP3-TERADATA The output function in gd_gif_out.c in the GD Graphics Library (aka libgd) allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted image. Low CVE-2016-6161 SUSE bug 988032 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 ISC BIND through 9.9.9-P1, 9.10.x through 9.10.4-P1, and 9.11.x through 9.11.0b1 allows primary DNS servers to cause a denial of service (secondary DNS server crash) via a large AXFR response, and possibly allows IXFR servers to cause a denial of service (IXFR client crash) via a large IXFR response and allows remote authenticated users to cause a denial of service (primary DNS server crash) via a large UPDATE message. Moderate CVE-2016-6170 SUSE bug 987866 SUSE Linux Enterprise Server 11 SP3-TERADATA The XSLoader::load method in XSLoader in Perl does not properly locate .so files when called in a string eval, which might allow local users to execute arbitrary code via a Trojan horse library under the current working directory. Important CVE-2016-6185 SUSE bug 988311 SUSE bug 999993 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for user password hashing, uses BLOWFISH hashing on a static password when the username does not exist, which allows remote attackers to enumerate users by leveraging the timing difference between responses when a large password is provided. Moderate CVE-2016-6210 SUSE bug 1001712 SUSE bug 1087412 SUSE bug 1105010 SUSE bug 1138392 SUSE bug 989363 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The PV pagetable code in arch/x86/mm.c in Xen 4.7.x and earlier allows local 32-bit PV guest OS administrators to gain host OS privileges by leveraging fast-paths for updating pagetable entries. Important CVE-2016-6258 SUSE bug 988675 SUSE bug 988692 SUSE Linux Enterprise Server 11 SP3-TERADATA The idna_to_ascii_4i function in lib/idna.c in libidn before 1.33 allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via 64 bytes of input. Low CVE-2016-6261 SUSE bug 1118435 SUSE bug 990190 SUSE Linux Enterprise Server 11 SP3-TERADATA idn in libidn before 1.33 might allow remote attackers to obtain sensitive memory information by reading a zero byte as input, which triggers an out-of-bounds read, a different vulnerability than CVE-2015-8948. Low CVE-2016-6262 SUSE bug 1014473 SUSE bug 990189 SUSE Linux Enterprise Server 11 SP3-TERADATA The stringprep_utf8_nfkc_normalize function in lib/nfkc.c in libidn before 1.33 allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via crafted UTF-8 data. Low CVE-2016-6263 SUSE bug 1118435 SUSE bug 990191 SUSE Linux Enterprise Server 11 SP3-TERADATA The php_url_parse_ex function in ext/standard/url.c in PHP before 5.5.38 allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via vectors involving the smart_str data type. Moderate CVE-2016-6288 SUSE bug 991433 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in the virtual_file_ex function in TSRM/tsrm_virtual_cwd.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a crafted extract operation on a ZIP archive. Moderate CVE-2016-6289 SUSE bug 991428 SUSE Linux Enterprise Server 11 SP3-TERADATA ext/session/session.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 does not properly maintain a certain hash data structure, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via vectors related to session deserialization. Important CVE-2016-6290 SUSE bug 991429 SUSE Linux Enterprise Server 11 SP3-TERADATA The exif_process_IFD_in_MAKERNOTE function in ext/exif/exif.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (out-of-bounds array access and memory corruption), obtain sensitive information from process memory, or possibly have unspecified other impact via a crafted JPEG image. Moderate CVE-2016-6291 SUSE bug 991427 SUSE Linux Enterprise Server 11 SP3-TERADATA The uloc_acceptLanguageFromHTTP function in common/uloc.cpp in International Components for Unicode (ICU) through 57.1 for C/C++ does not ensure that there is a '\0' character at the end of a certain temporary array, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a call with a long httpAcceptLanguage argument. Low CVE-2016-6293 SUSE bug 1035111 SUSE bug 1123121 SUSE bug 990636 SUSE Linux Enterprise Server 11 SP3-TERADATA The locale_accept_from_http function in ext/intl/locale/locale_methods.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 does not properly restrict calls to the ICU uloc_acceptLanguageFromHTTP function, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a call with a long argument. Low CVE-2016-6294 SUSE bug 1035111 SUSE bug 1044976 SUSE bug 990636 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer signedness error in the simplestring_addn function in simplestring.c in xmlrpc-epi through 0.54.2, as used in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9, allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a long first argument to the PHP xmlrpc_encode_request function. Important CVE-2016-6296 SUSE bug 991437 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in the php_stream_zip_opener function in ext/zip/zip_stream.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a crafted zip:// URL. Important CVE-2016-6297 SUSE bug 991426 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The tls_decrypt_ticket function in ssl/t1_lib.c in OpenSSL before 1.1.0 does not consider the HMAC size during validation of the ticket length, which allows remote attackers to cause a denial of service via a ticket that is too short. Moderate CVE-2016-6302 SUSE bug 994844 SUSE bug 995324 SUSE bug 999665 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors. Moderate CVE-2016-6303 SUSE bug 994844 SUSE bug 995377 SUSE bug 999665 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request extensions. Important CVE-2016-6304 SUSE bug 1001706 SUSE bug 1003811 SUSE bug 1005579 SUSE bug 1021375 SUSE bug 999665 SUSE bug 999666 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The certificate parser in OpenSSL before 1.0.1u and 1.0.2 before 1.0.2i might allow remote attackers to cause a denial of service (out-of-bounds read) via crafted certificate operations, related to s3_clnt.c and s3_srvr.c. Moderate CVE-2016-6306 SUSE bug 999665 SUSE bug 999668 SUSE Linux Enterprise Server 11 SP3-TERADATA The mixing functions in the random number generator in Libgcrypt before 1.5.6, 1.6.x before 1.6.6, and 1.7.x before 1.7.3 and GnuPG before 1.4.21 make it easier for attackers to obtain the values of 160 bits by leveraging knowledge of the previous 4640 bits. Moderate CVE-2016-6313 SUSE bug 1123792 SUSE bug 994157 SUSE Linux Enterprise Server 11 SP3-TERADATA Stack-based buffer overflow in the FascistGecosUser function in lib/fascist.c in cracklib allows local users to cause a denial of service (application crash) or gain privileges via a long GECOS field, involving longbuffer. Moderate CVE-2016-6318 SUSE bug 1123113 SUSE bug 992966 SUSE Linux Enterprise Server 11 SP3-TERADATA Directory traversal vulnerability in the safer_name_suffix function in GNU tar 1.14 through 1.29 might allow remote attackers to bypass an intended protection mechanism and write to arbitrary files via vectors related to improper sanitization of the file_name parameter, aka POINTYFEATHER. Important CVE-2016-6321 SUSE bug 1007188 SUSE bug 1123796 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA OpenVPN, when using a 64-bit block cipher, makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTP-over-OpenVPN session using Blowfish in CBC mode, aka a "Sweet32" attack. Moderate CVE-2016-6329 SUSE bug 1026864 SUSE bug 995374 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The esp_do_dma function in hw/scsi/esp.c in QEMU (aka Quick Emulator), when built with ESP/NCR53C9x controller emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) or execute arbitrary code on the QEMU host via vectors involving DMA read into ESP command buffer. Moderate CVE-2016-6351 SUSE bug 990835 SUSE bug 990843 SUSE Linux Enterprise Server 11 SP3-TERADATA The OneLine32 function in io-ico.c in gdk-pixbuf before 2.35.3 allows remote attackers to cause a denial of service (out-of-bounds write and crash) via crafted dimensions in an ICO file. Moderate CVE-2016-6352 SUSE bug 991450 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Heap-based buffer overflow in the yy_get_next_buffer function in Flex before 2.6.1 might allow context-dependent attackers to cause a denial of service or possibly execute arbitrary code via vectors involving num_to_read. Moderate CVE-2016-6354 SUSE bug 1026047 SUSE bug 1035082 SUSE bug 1035209 SUSE bug 990856 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Race condition in the ioctl_send_fib function in drivers/scsi/aacraid/commctrl.c in the Linux kernel through 4.7 allows local users to cause a denial of service (out-of-bounds access or system crash) by changing a certain size value, aka a "double fetch" vulnerability. Moderate CVE-2016-6480 SUSE bug 1004418 SUSE bug 991608 SUSE bug 991667 SUSE bug 992568 SUSE Linux Enterprise Server 11 SP3-TERADATA The virtqueue_map_desc function in hw/virtio/virtio.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a zero length for the descriptor buffer. Low CVE-2016-6490 SUSE bug 991466 SUSE bug 993854 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in the Get8BIMProperty function in MagickCore/property.c in ImageMagick before 6.9.5-4 and 7.x before 7.0.2-6 allows remote attackers to cause a denial of service (out-of-bounds read, memory leak, and crash) via a crafted image. Moderate CVE-2016-6491 SUSE bug 991445 SUSE Linux Enterprise Server 11 SP3-TERADATA epan/dissectors/packet-ncp2222.inc in the NDS dissector in Wireshark 1.12.x before 1.12.13 does not properly maintain a ptvc data structure, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted packet. Moderate CVE-2016-6504 SUSE bug 991012 SUSE Linux Enterprise Server 11 SP3-TERADATA epan/dissectors/packet-packetbb.c in the PacketBB dissector in Wireshark 1.12.x before 1.12.13 and 2.x before 2.0.5 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted packet. Moderate CVE-2016-6505 SUSE bug 991013 SUSE Linux Enterprise Server 11 SP3-TERADATA epan/dissectors/packet-wsp.c in the WSP dissector in Wireshark 1.12.x before 1.12.13 and 2.x before 2.0.5 allows remote attackers to cause a denial of service (infinite loop) via a crafted packet. Moderate CVE-2016-6506 SUSE bug 991015 SUSE Linux Enterprise Server 11 SP3-TERADATA epan/dissectors/packet-mmse.c in the MMSE dissector in Wireshark 1.12.x before 1.12.13 allows remote attackers to cause a denial of service (infinite loop) via a crafted packet. Moderate CVE-2016-6507 SUSE bug 991016 SUSE Linux Enterprise Server 11 SP3-TERADATA epan/dissectors/packet-rlc.c in the RLC dissector in Wireshark 1.12.x before 1.12.13 and 2.x before 2.0.5 uses an incorrect integer data type, which allows remote attackers to cause a denial of service (large loop) via a crafted packet. Moderate CVE-2016-6508 SUSE bug 991017 SUSE Linux Enterprise Server 11 SP3-TERADATA epan/dissectors/packet-ldss.c in the LDSS dissector in Wireshark 1.12.x before 1.12.13 and 2.x before 2.0.5 mishandles conversations, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. Moderate CVE-2016-6509 SUSE bug 991018 SUSE Linux Enterprise Server 11 SP3-TERADATA Off-by-one error in epan/dissectors/packet-rlc.c in the RLC dissector in Wireshark 1.12.x before 1.12.13 and 2.x before 2.0.5 allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) via a crafted packet. Moderate CVE-2016-6510 SUSE bug 991019 SUSE Linux Enterprise Server 11 SP3-TERADATA epan/proto.c in Wireshark 1.12.x before 1.12.13 and 2.x before 2.0.5 allows remote attackers to cause a denial of service (OpenFlow dissector large loop) via a crafted packet. Moderate CVE-2016-6511 SUSE bug 991020 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password authentication, which allows remote attackers to cause a denial of service (crypt CPU consumption) via a long string. Moderate CVE-2016-6515 SUSE bug 1087412 SUSE bug 992533 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in MagickCore/enhance.c in ImageMagick before 7.0.2-7 allows remote attackers to have unspecified impact via vectors related to pixel cache morphology. Moderate CVE-2016-6520 SUSE bug 991872 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x through 5.7.15; MariaDB before 5.5.51, 10.0.x before 10.0.27, and 10.1.x before 10.1.17; and Percona Server before 5.5.51-38.1, 5.6.x before 5.6.32-78.0, and 5.7.x before 5.7.14-7 allow local users to create arbitrary configurations and bypass certain protection mechanisms by setting general_log_file to a my.cnf configuration. NOTE: this can be leveraged to execute arbitrary code with root privileges by setting malloc_lib. NOTE: the affected MySQL version information is from Oracle's October 2016 CPU. Oracle has not commented on third-party claims that the issue was silently patched in MySQL 5.5.52, 5.6.33, and 5.7.15. Important CVE-2016-6662 SUSE bug 1001367 SUSE bug 1005580 SUSE bug 1020873 SUSE bug 1020884 SUSE bug 1021755 SUSE bug 998309 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70, 6.0.0 to 6.0.45 the system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible. Low CVE-2016-6794 SUSE bug 1007857 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A malicious web application running on Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 was able to bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet. Moderate CVE-2016-6796 SUSE bug 1007858 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not. Low CVE-2016-6797 SUSE bug 1007853 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own. Moderate CVE-2016-6816 SUSE bug 1011812 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in the BMP coder in ImageMagick before 7.0.2-10 allows remote attackers to cause a denial of service (crash) via crafted height and width values, which triggers an out-of-bounds write. Moderate CVE-2016-6823 SUSE bug 1001066 SUSE bug 1002207 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The tcp_check_send_head function in include/net/tcp.h in the Linux kernel before 4.7.5 does not properly maintain certain SACK state after a failed data copy, which allows local users to cause a denial of service (tcp_xmit_retransmit_queue use-after-free and system crash) via a crafted SACK option. Moderate CVE-2016-6828 SUSE bug 1052256 SUSE bug 994296 SUSE OpenStack Cloud 5 The trove service user in (1) Openstack deployment (aka crowbar-openstack) and (2) Trove Barclamp (aka barclamp-trove and crowbar-barclamp-trove) in the Crowbar Framework has a default password, which makes it easier for remote attackers to obtain access via unspecified vectors. Critical CVE-2016-6829 SUSE bug 991729 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Cross-site request forgery (CSRF) vulnerability in the user options page in GNU Mailman 2.1.x before 2.1.23 allows remote attackers to hijack the authentication of arbitrary users for requests that modify an option, as demonstrated by gaining access to the credentials of a victim's account. Moderate CVE-2016-6893 SUSE bug 995352 SUSE bug 997205 SUSE Linux Enterprise Server 11 SP3-TERADATA The dynamicGetbuf function in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted TIFF image. Moderate CVE-2016-6911 SUSE bug 1004924 SUSE bug 1005274 SUSE Linux Enterprise Server 11 SP3-TERADATA sudo_noexec.so in Sudo before 1.8.15 on Linux might allow local users to bypass intended noexec command restrictions via an application that calls the (1) system or (2) popen function. Moderate CVE-2016-7032 SUSE bug 1007501 SUSE bug 1007766 SUSE bug 1011975 SUSE bug 1011976 SUSE bug 1149974 SUSE bug 1149975 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The proc_keys_show function in security/keys/proc.c in the Linux kernel through 4.8.2, when the GNU Compiler Collection (gcc) stack protector is enabled, uses an incorrect buffer size for certain timeout data, which allows local users to cause a denial of service (stack memory corruption and panic) by reading the /proc/keys file. Moderate CVE-2016-7042 SUSE bug 1004517 SUSE bug 1025354 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 A timing attack flaw was found in OpenSSL 1.0.1u and before that could allow a malicious user with local access to recover ECDSA P-256 private keys. Moderate CVE-2016-7056 SUSE bug 1005878 SUSE bug 1018910 SUSE bug 1019334 SUSE bug 1025347 SUSE Linux Enterprise Server 11 SP3-TERADATA sudo before version 1.8.18p1 is vulnerable to a bypass in the sudo noexec restriction if application run via sudo executed wordexp() C library function with a user supplied argument. A local user permitted to run such application via sudo with noexec restriction could possibly use this flaw to execute arbitrary commands with elevated privileges. Moderate CVE-2016-7076 SUSE bug 1007501 SUSE bug 1011975 SUSE bug 1011976 SUSE bug 1149974 SUSE bug 1149975 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The get_page_from_l3e function in arch/x86/mm.c in Xen allows local 32-bit PV guest OS administrators to gain host OS privileges via vectors related to L3 recursive pagetables. Important CVE-2016-7092 SUSE bug 995785 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Buffer overflow in Xen 4.7.x and earlier allows local x86 HVM guest OS administrators on guests running with shadow paging to cause a denial of service via a pagetable update. Moderate CVE-2016-7094 SUSE bug 995792 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The filesystem implementation in the Linux kernel through 4.8.2 preserves the setgid bit during a setxattr call, which allows local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions. Moderate CVE-2016-7097 SUSE bug 1021258 SUSE bug 1052256 SUSE bug 870618 SUSE bug 995968 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Race condition in wget 1.17 and earlier, when used in recursive or mirroring mode to download a single file, might allow remote servers to bypass intended access list restrictions by keeping an HTTP connection open. Important CVE-2016-7098 SUSE bug 995964 SUSE Linux Enterprise Server 11 SP3-TERADATA The SGI coder in ImageMagick before 7.0.2-10 allows remote attackers to cause a denial of service (out-of-bounds read) via a large row value in an sgi file. Moderate CVE-2016-7101 SUSE bug 1001221 SUSE bug 1002207 SUSE Linux Enterprise Server 11 SP3-TERADATA Directory traversal vulnerability in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to access host files outside the export path via a .. (dot dot) in an unspecified string. Low CVE-2016-7116 SUSE bug 996441 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Use-after-free vulnerability in the __sys_recvmmsg function in net/socket.c in the Linux kernel before 4.5.2 allows remote attackers to execute arbitrary code via vectors involving a recvmmsg system call that is mishandled during error processing. Important CVE-2016-7117 SUSE bug 1003077 SUSE bug 1003253 SUSE bug 1057478 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 ext/standard/var_unserializer.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles certain invalid objects, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that leads to a (1) __destruct call or (2) magic method call. Moderate CVE-2016-7124 SUSE bug 997206 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 ext/session/session.c in PHP before 5.6.25 and 7.x before 7.0.10 skips invalid session names in a way that triggers incorrect parsing, which allows remote attackers to inject arbitrary-type session data by leveraging control of a session name, as demonstrated by object injection. Important CVE-2016-7125 SUSE bug 997207 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The imagetruecolortopalette function in ext/gd/gd.c in PHP before 5.6.25 and 7.x before 7.0.10 does not properly validate the number of colors, which allows remote attackers to cause a denial of service (select_colors allocation error and out-of-bounds write) or possibly have unspecified other impact via a large value in the third argument. Important CVE-2016-7126 SUSE bug 997208 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The imagegammacorrect function in ext/gd/gd.c in PHP before 5.6.25 and 7.x before 7.0.10 does not properly validate gamma values, which allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact by providing different signs for the second and third arguments. Important CVE-2016-7127 SUSE bug 997210 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The exif_process_IFD_in_TIFF function in ext/exif/exif.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles the case of a thumbnail offset that exceeds the file size, which allows remote attackers to obtain sensitive information from process memory via a crafted TIFF image. Moderate CVE-2016-7128 SUSE bug 997211 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The php_wddx_process_data function in ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via an invalid ISO 8601 time value, as demonstrated by a wddx_deserialize call that mishandles a dateTime element in a wddxPacket XML document. Important CVE-2016-7129 SUSE bug 997220 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The php_wddx_pop_element function in ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly have unspecified other impact via an invalid base64 binary value, as demonstrated by a wddx_deserialize call that mishandles a binary element in a wddxPacket XML document. Important CVE-2016-7130 SUSE bug 997257 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly have unspecified other impact via a malformed wddxPacket XML document that is mishandled in a wddx_deserialize call, as demonstrated by a tag that lacks a < (less than) character. Important CVE-2016-7131 SUSE bug 997225 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly have unspecified other impact via an invalid wddxPacket XML document that is mishandled in a wddx_deserialize call, as demonstrated by a stray element inside a boolean element, leading to incorrect pop processing. Important CVE-2016-7132 SUSE bug 997230 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 curl and libcurl before 7.50.2, when built with NSS and the libnsspem.so library is available at runtime, allow remote attackers to hijack the authentication of a TLS connection by leveraging reuse of a previously loaded client certificate from file for a connection for which no certificate has been set, a different vulnerability than CVE-2016-5420. Low CVE-2016-7141 SUSE bug 991390 SUSE bug 997420 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the .receive callback of xlnx.xps-ethernetlite in QEMU (aka Quick Emulator) allows attackers to execute arbitrary code on the QEMU host via a large ethlite packet. Important CVE-2016-7161 SUSE bug 1001151 SUSE bug 1001152 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple integer overflows in the (1) curl_escape, (2) curl_easy_escape, (3) curl_unescape, and (4) curl_easy_unescape functions in libcurl before 7.50.3 allow attackers to have unspecified impact via a string of length 0xffffffff, which triggers a heap-based buffer overflow. Moderate CVE-2016-7167 SUSE bug 998760 SUSE Linux Enterprise Server 11 SP3-TERADATA The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors related to cursor.mask[] and cursor.image[] array sizes when processing a DEFINE_CURSOR svga command. Low CVE-2016-7170 SUSE bug 998516 SUSE Linux Enterprise Server 11 SP3-TERADATA epan/dissectors/packet-qnet6.c in the QNX6 QNET dissector in Wireshark 2.x before 2.0.6 mishandles MAC address data, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted packet. Moderate CVE-2016-7175 SUSE bug 998099 SUSE bug 998761 SUSE Linux Enterprise Server 11 SP3-TERADATA epan/dissectors/packet-h225.c in the H.225 dissector in Wireshark 2.x before 2.0.6 calls snprintf with one of its input buffers as the output buffer, which allows remote attackers to cause a denial of service (copy overlap and application crash) via a crafted packet. Moderate CVE-2016-7176 SUSE bug 998099 SUSE bug 998762 SUSE Linux Enterprise Server 11 SP3-TERADATA epan/dissectors/packet-catapult-dct2000.c in the Catapult DCT2000 dissector in Wireshark 2.x before 2.0.6 does not restrict the number of channels, which allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted packet. Moderate CVE-2016-7177 SUSE bug 998099 SUSE bug 998763 SUSE Linux Enterprise Server 11 SP3-TERADATA epan/dissectors/packet-umts_fp.c in the UMTS FP dissector in Wireshark 2.x before 2.0.6 does not ensure that memory is allocated for certain data structures, which allows remote attackers to cause a denial of service (invalid write access and application crash) via a crafted packet. Moderate CVE-2016-7178 SUSE bug 998099 SUSE bug 998964 SUSE Linux Enterprise Server 11 SP3-TERADATA Stack-based buffer overflow in epan/dissectors/packet-catapult-dct2000.c in the Catapult DCT2000 dissector in Wireshark 2.x before 2.0.6 allows remote attackers to cause a denial of service (application crash) via a crafted packet. Moderate CVE-2016-7179 SUSE bug 998099 SUSE bug 998963 SUSE Linux Enterprise Server 11 SP3-TERADATA epan/dissectors/packet-ipmi-trace.c in the IPMI trace dissector in Wireshark 2.x before 2.0.6 does not properly consider whether a string is constant, which allows remote attackers to cause a denial of service (use-after-free and application crash) via a crafted packet. Moderate CVE-2016-7180 SUSE bug 998099 SUSE bug 998800 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 ext/standard/var_unserializer.re in PHP before 5.6.26 mishandles object-deserialization failures, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an unserialize call that references a partially constructed object. Moderate CVE-2016-7411 SUSE bug 999682 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 ext/mysqlnd/mysqlnd_wireprotocol.c in PHP before 5.6.26 and 7.x before 7.0.11 does not verify that a BIT field has the UNSIGNED_FLAG flag, which allows remote MySQL servers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted field metadata. Moderate CVE-2016-7412 SUSE bug 999680 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Use-after-free vulnerability in the wddx_stack_destroy function in ext/wddx/wddx.c in PHP before 5.6.26 and 7.x before 7.0.11 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a wddxPacket XML document that lacks an end-tag for a recordset field element, leading to mishandling in a wddx_deserialize call. Moderate CVE-2016-7413 SUSE bug 999679 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The ZIP signature-verification feature in PHP before 5.6.26 and 7.x before 7.0.11 does not ensure that the uncompressed_filesize field is large enough, which allows remote attackers to cause a denial of service (out-of-bounds memory access) or possibly have unspecified other impact via a crafted PHAR archive, related to ext/phar/util.c and ext/phar/zip.c. Moderate CVE-2016-7414 SUSE bug 999820 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 ext/intl/msgformat/msgformat_format.c in PHP before 5.6.26 and 7.x before 7.0.11 does not properly restrict the locale length provided to the Locale class in the ICU library, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a MessageFormatter::formatMessage call with a long first argument. Important CVE-2016-7416 SUSE bug 999685 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 ext/spl/spl_array.c in PHP before 5.6.26 and 7.x before 7.0.11 proceeds with SplArray unserialization without validating a return value and data type, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data. Important CVE-2016-7417 SUSE bug 999684 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.26 and 7.x before 7.0.11 allows remote attackers to cause a denial of service (invalid pointer access and out-of-bounds read) or possibly have unspecified other impact via an incorrect boolean element in a wddxPacket XML document, leading to mishandling in a wddx_deserialize call. Important CVE-2016-7418 SUSE bug 999819 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The arcmsr_iop_message_xfer function in drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel through 4.8.2 does not restrict a certain length field, which allows local users to gain privileges or cause a denial of service (heap-based buffer overflow) via an ARCMSR_MESSAGE_WRITE_WQBUFFER control code. Moderate CVE-2016-7425 SUSE bug 1025354 SUSE bug 999932 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 NTP before 4.2.8p9 rate limits responses received from the configured sources when rate limiting for all associations is enabled, which allows remote attackers to cause a denial of service (prevent responses from the sources) by sending responses with a spoofed source address. Moderate CVE-2016-7426 SUSE bug 1011406 SUSE bug 1011421 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The broadcast mode replay prevention functionality in ntpd in NTP before 4.2.8p9 allows remote attackers to cause a denial of service (reject broadcast mode packets) via a crafted broadcast mode packet. Moderate CVE-2016-7427 SUSE bug 1011390 SUSE bug 1011421 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 ntpd in NTP before 4.2.8p9 allows remote attackers to cause a denial of service (reject broadcast mode packets) via the poll interval in a broadcast packet. Moderate CVE-2016-7428 SUSE bug 1011417 SUSE bug 1011421 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 NTP before 4.2.8p9 changes the peer structure to the interface it receives the response from a source, which allows remote attackers to cause a denial of service (prevent communication with a source) by sending a response for a source to an interface the source does not use. Low CVE-2016-7429 SUSE bug 1011404 SUSE bug 1011421 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 NTP before 4.2.8p9 allows remote attackers to bypass the origin timestamp protection mechanism via an origin timestamp of zero. NOTE: this vulnerability exists because of a CVE-2015-8138 regression. Moderate CVE-2016-7431 SUSE bug 1011395 SUSE bug 1011421 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 NTP before 4.2.8p9 does not properly perform the initial sync calculations, which allows remote attackers to unspecified impact via unknown vectors, related to a "root distance that did not include the peer dispersion." Low CVE-2016-7433 SUSE bug 1011411 SUSE bug 1011421 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The read_mru_list function in NTP before 4.2.8p9 allows remote attackers to cause a denial of service (crash) via a crafted mrulist query. Moderate CVE-2016-7434 SUSE bug 1011398 SUSE bug 1011421 SUSE Linux Enterprise Server 11 SP3-TERADATA The C software implementation of AES Encryption and Decryption in wolfSSL (formerly CyaSSL) before 3.9.10 makes it easier for local users to discover AES keys by leveraging cache-bank timing differences. Moderate CVE-2016-7440 SUSE bug 1005581 SUSE bug 1008318 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Zend/zend_exceptions.c in PHP, possibly 5.x before 5.6.28 and 7.x before 7.0.13, allows remote attackers to cause a denial of service (infinite loop) via a crafted Exception object in serialized data, a related issue to CVE-2015-8876. Important CVE-2016-7478 SUSE bug 1019550 SUSE Linux Enterprise Server 11 SP3-TERADATA The ReadPSDChannelPixels function in coders/psd.c in ImageMagick allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PSD file. Moderate CVE-2016-7514 SUSE bug 1000688 SUSE Linux Enterprise Server 11 SP3-TERADATA The ReadRLEImage function in coders/rle.c in ImageMagick allows remote attackers to cause a denial of service (out-of-bounds read) via vectors related to the number of pixels. Moderate CVE-2016-7515 SUSE bug 1000689 SUSE bug 1000695 SUSE Linux Enterprise Server 11 SP3-TERADATA The ReadVIFFImage function in coders/viff.c in ImageMagick allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted VIFF file. Moderate CVE-2016-7516 SUSE bug 1000692 SUSE bug 1000693 SUSE bug 1000695 SUSE Linux Enterprise Server 11 SP3-TERADATA The EncodeImage function in coders/pict.c in ImageMagick allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PICT file. Moderate CVE-2016-7517 SUSE bug 1000693 SUSE Linux Enterprise Server 11 SP3-TERADATA The ReadSUNImage function in coders/sun.c in ImageMagick allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted SUN file. Moderate CVE-2016-7518 SUSE bug 1000694 SUSE bug 1028079 SUSE Linux Enterprise Server 11 SP3-TERADATA The ReadRLEImage function in coders/rle.c in ImageMagick allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted file. Moderate CVE-2016-7519 SUSE bug 1000689 SUSE bug 1000695 SUSE Linux Enterprise Server 11 SP3-TERADATA The ReadPSDImage function in MagickCore/locale.c in ImageMagick allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PSD file. Moderate CVE-2016-7522 SUSE bug 1000698 SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Moderate CVE-2016-7523 SUSE bug 1000699 SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Moderate CVE-2016-7524 SUSE bug 1000700 SUSE bug 1002422 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in coders/psd.c in ImageMagick allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PSD file. Moderate CVE-2016-7525 SUSE bug 1000688 SUSE bug 1000701 SUSE Linux Enterprise Server 11 SP3-TERADATA coders/wpg.c in ImageMagick allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted file. Moderate CVE-2016-7526 SUSE bug 1000436 SUSE bug 1000702 SUSE bug 1107616 SUSE Linux Enterprise Server 11 SP3-TERADATA coders/wpg.c in ImageMagick allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted file. Moderate CVE-2016-7527 SUSE bug 1000436 SUSE bug 1000702 SUSE Linux Enterprise Server 11 SP3-TERADATA The ReadVIFFImage function in coders/viff.c in ImageMagick allows remote attackers to cause a denial of service (segmentation fault) via a crafted VIFF file. Moderate CVE-2016-7528 SUSE bug 1000434 SUSE Linux Enterprise Server 11 SP3-TERADATA coders/xcf.c in ImageMagick allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted XCF file. Moderate CVE-2016-7529 SUSE bug 1000399 SUSE bug 1000434 SUSE bug 1000703 SUSE bug 1054924 SUSE Linux Enterprise Server 11 SP3-TERADATA The quantum handling code in ImageMagick allows remote attackers to cause a denial of service (divide-by-zero error or out-of-bounds write) via a crafted file. Moderate CVE-2016-7530 SUSE bug 1000399 SUSE bug 1000703 SUSE bug 1054924 SUSE Linux Enterprise Server 11 SP3-TERADATA MagickCore/memory.c in ImageMagick allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted PDB file. Moderate CVE-2016-7531 SUSE bug 1000704 SUSE Linux Enterprise Server 11 SP3-TERADATA The ReadWPGImage function in coders/wpg.c in ImageMagick allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted WPG file. Moderate CVE-2016-7533 SUSE bug 1000707 SUSE Linux Enterprise Server 11 SP3-TERADATA coders/psd.c in ImageMagick allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted PSD file. Moderate CVE-2016-7535 SUSE bug 1000709 SUSE Linux Enterprise Server 11 SP3-TERADATA MagickCore/memory.c in ImageMagick allows remote attackers to cause a denial of service (out-of-bounds access) via a crafted PDB file. Moderate CVE-2016-7537 SUSE bug 1000711 SUSE Linux Enterprise Server 11 SP3-TERADATA Bash before 4.4 allows local users to execute arbitrary commands with root privileges via crafted SHELLOPTS and PS4 environment variables. Important CVE-2016-7543 SUSE bug 1001299 SUSE Linux Enterprise Server 11 SP3-TERADATA SELinux policycoreutils allows local users to execute arbitrary commands outside of the sandbox via a crafted TIOCSTI ioctl call. Moderate CVE-2016-7545 SUSE bug 1000998 SUSE bug 968375 SUSE bug 968674 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Xen 4.7.x and earlier does not properly honor CR0.TS and CR0.EM, which allows local x86 HVM guest OS users to read or modify FPU, MMX, or XMM register state information belonging to arbitrary tasks on the guest by modifying an instruction while the hypervisor is preparing to emulate it. Moderate CVE-2016-7777 SUSE bug 1000106 SUSE Linux Enterprise Server 11 SP3-TERADATA MagickCore/profile.c in ImageMagick before 7.0.3-2 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted file. Moderate CVE-2016-7799 SUSE bug 1002421 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer underflow in the parse8BIM function in coders/meta.c in GraphicsMagick 1.3.25 and earlier allows remote attackers to cause a denial of service (application crash) via a crafted 8BIM chunk, which triggers a heap-based buffer overflow. Moderate CVE-2016-7800 SUSE bug 1002422 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The mcf_fec_do_tx function in hw/net/mcf_fec.c in QEMU (aka Quick Emulator) does not properly limit the buffer descriptor count when transmitting packets, which allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via vectors involving a buffer descriptor with a length of 0 and crafted values in bd.flags. Moderate CVE-2016-7908 SUSE bug 1002550 SUSE bug 1003030 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The pcnet_rdra_addr function in hw/net/pcnet.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by setting the (1) receive or (2) transmit descriptor ring length to 0. Moderate CVE-2016-7909 SUSE bug 1002557 SUSE bug 1003032 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Use-after-free vulnerability in the disk_seqf_stop function in block/genhd.c in the Linux kernel before 4.7.1 allows local users to gain privileges by leveraging the execution of a certain stop operation even if the corresponding start operation had failed. Moderate CVE-2016-7910 SUSE bug 1010716 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Race condition in the get_task_ioprio function in block/ioprio.c in the Linux kernel before 4.6.6 allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted ioprio_get system call. Moderate CVE-2016-7911 SUSE bug 1010711 SUSE bug 1010713 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The hid_input_field function in drivers/hid/hid-core.c in the Linux kernel before 4.6 allows physically proximate attackers to obtain sensitive information from kernel memory or cause a denial of service (out-of-bounds read) by connecting a device, as demonstrated by a Logitech DJ receiver. Moderate CVE-2016-7915 SUSE bug 1010470 SUSE bug 1091815 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE OpenStack Cloud 5 Race condition in the environ_read function in fs/proc/base.c in the Linux kernel before 4.5.4 allows local users to obtain sensitive information from kernel memory by reading a /proc/*/environ file during a process-setup time interval in which environment-variable copying is incomplete. Moderate CVE-2016-7916 SUSE bug 1010467 SUSE Linux Enterprise Server 11 SP3-TERADATA The AH parser in tcpdump before 4.9.0 has a buffer overflow in print-ah.c:ah_print(). Moderate CVE-2016-7922 SUSE bug 1020940 SUSE Linux Enterprise Server 11 SP3-TERADATA The ARP parser in tcpdump before 4.9.0 has a buffer overflow in print-arp.c:arp_print(). Moderate CVE-2016-7923 SUSE bug 1020940 SUSE Linux Enterprise Server 11 SP3-TERADATA The compressed SLIP parser in tcpdump before 4.9.0 has a buffer overflow in print-sl.c:sl_if_print(). Moderate CVE-2016-7925 SUSE bug 1020940 SUSE Linux Enterprise Server 11 SP3-TERADATA The Ethernet parser in tcpdump before 4.9.0 has a buffer overflow in print-ether.c:ethertype_print(). Moderate CVE-2016-7926 SUSE bug 1020940 SUSE Linux Enterprise Server 11 SP3-TERADATA The IEEE 802.11 parser in tcpdump before 4.9.0 has a buffer overflow in print-802_11.c:ieee802_11_radio_print(). Moderate CVE-2016-7927 SUSE bug 1020940 SUSE Linux Enterprise Server 11 SP3-TERADATA The IPComp parser in tcpdump before 4.9.0 has a buffer overflow in print-ipcomp.c:ipcomp_print(). Moderate CVE-2016-7928 SUSE bug 1020940 SUSE Linux Enterprise Server 11 SP3-TERADATA The MPLS parser in tcpdump before 4.9.0 has a buffer overflow in print-mpls.c:mpls_print(). Moderate CVE-2016-7931 SUSE bug 1020940 SUSE Linux Enterprise Server 11 SP3-TERADATA The RTCP parser in tcpdump before 4.9.0 has a buffer overflow in print-udp.c:rtcp_print(). Moderate CVE-2016-7934 SUSE bug 1020940 SUSE Linux Enterprise Server 11 SP3-TERADATA The RTP parser in tcpdump before 4.9.0 has a buffer overflow in print-udp.c:rtp_print(). Moderate CVE-2016-7935 SUSE bug 1020940 SUSE Linux Enterprise Server 11 SP3-TERADATA The UDP parser in tcpdump before 4.9.0 has a buffer overflow in print-udp.c:udp_print(). Moderate CVE-2016-7936 SUSE bug 1020940 SUSE Linux Enterprise Server 11 SP3-TERADATA The VAT parser in tcpdump before 4.9.0 has a buffer overflow in print-udp.c:vat_print(). Moderate CVE-2016-7937 SUSE bug 1020940 SUSE Linux Enterprise Server 11 SP3-TERADATA The GRE parser in tcpdump before 4.9.0 has a buffer overflow in print-gre.c, multiple functions. Moderate CVE-2016-7939 SUSE bug 1020940 SUSE Linux Enterprise Server 11 SP3-TERADATA The STP parser in tcpdump before 4.9.0 has a buffer overflow in print-stp.c, multiple functions. Moderate CVE-2016-7940 SUSE bug 1020940 SUSE Linux Enterprise Server 11 SP3-TERADATA The XGetImage function in X.org libX11 before 1.6.4 might allow remote X servers to gain privileges via vectors involving image type and geometry, which triggers out-of-bounds read operations. Moderate CVE-2016-7942 SUSE bug 1002991 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in X.org libXfixes before 5.0.3 on 32-bit platforms might allow remote X servers to gain privileges via a length value of INT_MAX, which triggers the client to stop reading data and get out of sync. Moderate CVE-2016-7944 SUSE bug 1002995 SUSE bug 1149962 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple integer overflows in X.org libXi before 1.7.7 allow remote X servers to cause a denial of service (out-of-bounds memory access or infinite loop) via vectors involving length fields. Moderate CVE-2016-7945 SUSE bug 1002998 SUSE bug 1134167 SUSE Linux Enterprise Server 11 SP3-TERADATA X.org libXi before 1.7.7 allows remote X servers to cause a denial of service (infinite loop) via vectors involving length fields. Moderate CVE-2016-7946 SUSE bug 1002998 SUSE bug 1134167 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple integer overflows in X.org libXrandr before 1.5.1 allow remote X servers to trigger out-of-bounds write operations via a crafted response. Moderate CVE-2016-7947 SUSE bug 1003000 SUSE Linux Enterprise Server 11 SP3-TERADATA X.org libXrandr before 1.5.1 allows remote X servers to trigger out-of-bounds write operations by leveraging mishandling of reply data. Moderate CVE-2016-7948 SUSE bug 1003000 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple buffer overflows in the (1) XvQueryAdaptors and (2) XvQueryEncodings functions in X.org libXrender before 0.9.10 allow remote X servers to trigger out-of-bounds write operations via vectors involving length fields. Moderate CVE-2016-7949 SUSE bug 1003002 SUSE bug 1015442 SUSE bug 1123146 SUSE Linux Enterprise Server 11 SP3-TERADATA The XRenderQueryFilters function in X.org libXrender before 0.9.10 allows remote X servers to trigger out-of-bounds write operations via vectors involving filter name lengths. Moderate CVE-2016-7950 SUSE bug 1003002 SUSE bug 1015442 SUSE bug 1123146 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple integer overflows in X.org libXtst before 1.2.3 allow remote X servers to trigger out-of-bounds memory access operations by leveraging the lack of range checks. Moderate CVE-2016-7951 SUSE bug 1003012 SUSE Linux Enterprise Server 11 SP3-TERADATA X.org libXtst before 1.2.3 allows remote X servers to cause a denial of service (infinite loop) via a reply in the (1) XRecordStartOfData, (2) XRecordEndOfData, or (3) XRecordClientDied category without a client sequence and with attached data. Moderate CVE-2016-7952 SUSE bug 1003012 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer underflow in X.org libXvMC before 1.0.10 allows remote X servers to have unspecified impact via an empty string. Moderate CVE-2016-7953 SUSE bug 1003023 SUSE Linux Enterprise Server 11 SP3-TERADATA The AppleTalk parser in tcpdump before 4.9.0 has a buffer overflow in print-atalk.c, multiple functions. Moderate CVE-2016-7973 SUSE bug 1020940 SUSE Linux Enterprise Server 11 SP3-TERADATA The IP parser in tcpdump before 4.9.0 has a buffer overflow in print-ip.c, multiple functions. Moderate CVE-2016-7974 SUSE bug 1020940 SUSE Linux Enterprise Server 11 SP3-TERADATA The TCP parser in tcpdump before 4.9.0 has a buffer overflow in print-tcp.c:tcp_print(). Moderate CVE-2016-7975 SUSE bug 1020940 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Ghostscript before 9.21 might allow remote attackers to bypass the SAFER mode protection mechanism and consequently read arbitrary files via the use of the .libfile operator in a crafted postscript document. Important CVE-2016-7977 SUSE bug 1001951 SUSE bug 1004237 SUSE bug 1095610 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Ghostscript before 9.21 might allow remote attackers to bypass the SAFER mode protection mechanism and consequently execute arbitrary code by leveraging type confusion in .initialize_dsc_parser. Important CVE-2016-7979 SUSE bug 1001951 SUSE bug 1004237 SUSE Linux Enterprise Server 11 SP3-TERADATA The BOOTP parser in tcpdump before 4.9.0 has a buffer overflow in print-bootp.c:bootp_print(). Moderate CVE-2016-7983 SUSE bug 1020940 SUSE Linux Enterprise Server 11 SP3-TERADATA The TFTP parser in tcpdump before 4.9.0 has a buffer overflow in print-tftp.c:tftp_print(). Moderate CVE-2016-7984 SUSE bug 1020940 SUSE Linux Enterprise Server 11 SP3-TERADATA The Classical IP over ATM parser in tcpdump before 4.9.0 has a buffer overflow in print-cip.c:cip_if_print(). Moderate CVE-2016-7992 SUSE bug 1020940 SUSE Linux Enterprise Server 11 SP3-TERADATA A bug in util-print.c:relts_print() in tcpdump before 4.9.0 could cause a buffer overflow in multiple protocol parsers (DNS, DVMRP, HSRP, IGMP, lightweight resolver protocol, PIM). Moderate CVE-2016-7993 SUSE bug 1020940 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the WPG format reader in GraphicsMagick 1.3.25 and earlier allows remote attackers to have unspecified impact via a colormap with a large number of entries. Moderate CVE-2016-7996 SUSE bug 1003629 SUSE bug 1067184 SUSE Linux Enterprise Server 11 SP3-TERADATA The WPG format reader in GraphicsMagick 1.3.25 and earlier allows remote attackers to cause a denial of service (assertion failure and crash) via vectors related to a ReferenceBlob and a NULL pointer. Moderate CVE-2016-7997 SUSE bug 1003629 SUSE Linux Enterprise Server 11 SP3-TERADATA An exploitable remote code execution vulnerability exists in the handling of TIFF images in LibTIFF version 4.0.6. A crafted TIFF document can lead to a type confusion vulnerability resulting in remote code execution. This vulnerability can be triggered via a TIFF file delivered to the application using LibTIFF's tag extension functionality. Important CVE-2016-8331 SUSE bug 1007276 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 An elevation of privilege vulnerability in the kernel networking subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Moderate because it first requires compromising a privileged process and current compiler optimizations restrict access to the vulnerable code. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31349935. Moderate CVE-2016-8399 SUSE bug 1014746 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An information disclosure vulnerability in kernel components including the ION subsystem, Binder, USB driver and networking subsystem could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31651010. Moderate CVE-2016-8405 SUSE bug 1099942 SUSE Linux Enterprise Server 11 SP3-TERADATA The FRF.15 parser in tcpdump before 4.9.0 has a buffer overflow in print-fr.c:frf15_print(). Moderate CVE-2016-8574 SUSE bug 1020940 SUSE Linux Enterprise Server 11 SP3-TERADATA The xhci_ring_fetch function in hw/usb/hcd-xhci.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging failure to limit the number of link Transfer Request Blocks (TRB) to process. Moderate CVE-2016-8576 SUSE bug 1003878 SUSE bug 1004016 SUSE Linux Enterprise Server 11 SP3-TERADATA Memory leak in the v9fs_read function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via vectors related to an I/O read operation. Moderate CVE-2016-8577 SUSE bug 1003893 SUSE bug 1004021 SUSE Linux Enterprise Server 11 SP3-TERADATA The v9fs_iov_vunmarshal function in fsdev/9p-iov-marshal.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) by sending an empty string parameter to a 9P operation. Moderate CVE-2016-8578 SUSE bug 1003894 SUSE bug 1004023 SUSE Linux Enterprise Server 11 SP3-TERADATA The .sethalftone5 function in psi/zht2.c in Ghostscript before 9.21 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted Postscript document that calls .sethalftone5 with an empty operand stack. Moderate CVE-2016-8602 SUSE bug 1001951 SUSE bug 1004237 SUSE bug 1036453 SUSE Linux Enterprise Server 11 SP3-TERADATA The mkdir procedure of GNU Guile temporarily changed the process' umask to zero. During that time window, in a multithreaded application, other threads could end up creating files with insecure permissions. For example, mkdir without the optional mode argument would create directories as 0777. This is fixed in Guile 2.0.13. Prior versions are affected. Low CVE-2016-8605 SUSE bug 1004221 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients. Moderate CVE-2016-8610 SUSE bug 1005878 SUSE bug 1005879 SUSE bug 1025347 SUSE bug 1120592 SUSE bug 1126909 SUSE bug 982575 SUSE Linux Enterprise Server 11 SP3-TERADATA A flaw was found in Ansible before version 2.2.0. The apt_key module does not properly verify key fingerprints, allowing remote adversary to create an OpenPGP key which matches the short key ID and inject this key instead of the correct key. Moderate CVE-2016-8614 SUSE bug 1008038 SUSE Linux Enterprise Server 11 SP3-TERADATA A flaw was found in curl before version 7.51. If cookie state is written into a cookie jar file that is later read back and used for subsequent requests, a malicious HTTP server can inject new cookies for arbitrary domains into said cookie jar. Moderate CVE-2016-8615 SUSE bug 1005633 SUSE Linux Enterprise Server 11 SP3-TERADATA A flaw was found in curl before version 7.51.0 When re-using a connection, curl was doing case insensitive comparisons of user name and password with the existing connections. This means that if an unused connection with proper credentials exists for a protocol that has connection-scoped credentials, an attacker can cause that connection to be reused if s/he knows the case-insensitive version of the correct password. Low CVE-2016-8616 SUSE bug 1005634 SUSE Linux Enterprise Server 11 SP3-TERADATA The base64 encode function in curl before version 7.51.0 is prone to a buffer being under allocated in 32bit systems if it receives at least 1Gb as input via `CURLOPT_USERNAME`. Moderate CVE-2016-8617 SUSE bug 1005635 SUSE Linux Enterprise Server 11 SP3-TERADATA The libcurl API function called `curl_maprintf()` before version 7.51.0 can be tricked into doing a double-free due to an unsafe `size_t` multiplication, on systems using 32 bit `size_t` variables. Moderate CVE-2016-8618 SUSE bug 1005637 SUSE Linux Enterprise Server 11 SP3-TERADATA The function `read_data()` in security.c in curl before version 7.51.0 is vulnerable to memory double free. Moderate CVE-2016-8619 SUSE bug 1005638 SUSE Linux Enterprise Server 11 SP3-TERADATA The 'globbing' feature in curl before version 7.51.0 has a flaw that leads to integer overflow and out-of-bounds read via user controlled input. Moderate CVE-2016-8620 SUSE bug 1005640 SUSE Linux Enterprise Server 11 SP3-TERADATA The `curl_getdate` function in curl before version 7.51.0 is vulnerable to an out of bounds read if it receives an input with one digit short. Moderate CVE-2016-8621 SUSE bug 1005642 SUSE Linux Enterprise Server 11 SP3-TERADATA The URL percent-encoding decode function in libcurl before 7.51.0 is called `curl_easy_unescape`. Internally, even if this function would be made to allocate a unscape destination buffer larger than 2GB, it would return that new length in a signed 32 bit integer variable, thus the length would get either just truncated or both truncated and turned negative. That could then lead to libcurl writing outside of its heap based buffer. Moderate CVE-2016-8622 SUSE bug 1005643 SUSE Linux Enterprise Server 11 SP3-TERADATA A flaw was found in curl before version 7.51.0. The way curl handles cookies permits other threads to trigger a use-after-free leading to information disclosure. Moderate CVE-2016-8623 SUSE bug 1005645 SUSE Linux Enterprise Server 11 SP3-TERADATA curl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. This may have security implications if you for example use an URL parser that follows the RFC to check for allowed domains before using curl to request them. Moderate CVE-2016-8624 SUSE bug 1005646 SUSE Linux Enterprise Server 11 SP3-TERADATA Ansible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as. Important CVE-2016-8628 SUSE bug 1008037 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The tipc_msg_build function in net/tipc/msg.c in the Linux kernel through 4.8.11 does not validate the relationship between the minimum fragment length and the maximum packet size, which allows local users to gain privileges or cause a denial of service (heap-based buffer overflow) by leveraging the CAP_NET_ADMIN capability. Important CVE-2016-8632 SUSE bug 1008831 SUSE bug 1012852 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 drivers/firewire/net.c in the Linux kernel before 4.8.7, in certain unusual hardware configurations, allows remote attackers to execute arbitrary code via crafted fragmented packets. Moderate CVE-2016-8633 SUSE bug 1008833 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 It was found that Diffie Hellman Client key exchange handling in NSS 3.21.x was vulnerable to small subgroup confinement attack. An attacker could use this flaw to recover private keys by confining the client DH key to small subgroup of the desired group. Moderate CVE-2016-8635 SUSE bug 1015422 SUSE bug 1015547 SUSE Linux Enterprise Server 11 SP3-TERADATA A privilege escalation vulnerability was found in nagios 4.2.x that occurs in daemon-init.in when creating necessary files and insecurely changing the ownership afterwards. It's possible for the local attacker to create symbolic links before the files are to be created and possibly escalating the privileges with the ownership change. Moderate CVE-2016-8641 SUSE bug 1011630 SUSE bug 1018047 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The hash_accept function in crypto/algif_hash.c in the Linux kernel before 4.3.6 allows local users to cause a denial of service (OOPS) by attempting to trigger use of in-kernel hash algorithms for a socket that has received zero bytes of data. Moderate CVE-2016-8646 SUSE bug 1010150 SUSE Linux Enterprise Server 11 SP3-TERADATA An input validation vulnerability was found in Ansible's mysql_user module before 2.2.1.0, which may fail to correctly change a password in certain circumstances. Thus the previous password would still be active when it should have been changed. Low CVE-2016-8647 SUSE bug 1008038 SUSE bug 1010940 SUSE Linux Enterprise Server 11 SP3-TERADATA A heap-buffer overflow vulnerability was found in QMFB code in JPC codec caused by buffer being allocated with too small size. jasper versions before 2.0.0 are affected. Important CVE-2016-8654 SUSE bug 1012530 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The rc4030_write function in hw/dma/rc4030.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via a large interval timer reload value. Moderate CVE-2016-8667 SUSE bug 1004702 SUSE bug 1005004 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The serial_update_parameters function in hw/char/serial.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via vectors involving a value of divider greater than baud base. Moderate CVE-2016-8669 SUSE bug 1004707 SUSE bug 1005005 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer signedness error in the dynamicGetbuf function in gd_io_dp.c in the GD Graphics Library (aka libgd) through 2.2.3, as used in PHP before 5.6.28 and 7.x before 7.0.13, allows remote attackers to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a crafted imagecreatefromstring call. Moderate CVE-2016-8670 SUSE bug 1004924 SUSE Linux Enterprise Server 11 SP3-TERADATA The ReadSCTImage function in coders/sct.c in GraphicsMagick 1.3.25 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted SCT header. Important CVE-2016-8682 SUSE bug 1005125 SUSE Linux Enterprise Server 11 SP3-TERADATA The ReadPCXImage function in coders/pcx.c in GraphicsMagick 1.3.25 allows remote attackers to have unspecified impact via a crafted image, which triggers a memory allocation failure and a "file truncation error for corrupt file." Important CVE-2016-8683 SUSE bug 1005127 SUSE Linux Enterprise Server 11 SP3-TERADATA The MagickMalloc function in magick/memory.c in GraphicsMagick 1.3.25 allows remote attackers to have unspecified impact via a crafted image, which triggers a memory allocation failure and a "file truncation error for corrupt file." Moderate CVE-2016-8684 SUSE bug 1005123 SUSE Linux Enterprise Server 11 SP3-TERADATA The bmp_getdata function in libjasper/bmp/bmp_dec.c in JasPer before 1.900.5 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted BMP image in an imginfo command. Moderate CVE-2016-8690 SUSE bug 1005084 SUSE bug 1007009 SUSE Linux Enterprise Server 11 SP3-TERADATA The jpc_dec_process_siz function in libjasper/jpc/jpc_dec.c in JasPer before 1.900.4 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted XRsiz value in a BMP image to the imginfo command. Moderate CVE-2016-8691 SUSE bug 1005090 SUSE Linux Enterprise Server 11 SP3-TERADATA The jpc_dec_process_siz function in libjasper/jpc/jpc_dec.c in JasPer before 1.900.4 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted YRsiz value in a BMP image to the imginfo command. Moderate CVE-2016-8692 SUSE bug 1005090 SUSE Linux Enterprise Server 11 SP3-TERADATA Double free vulnerability in the mem_close function in jas_stream.c in JasPer before 1.900.10 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted BMP image to the imginfo command. Important CVE-2016-8693 SUSE bug 1005242 SUSE Linux Enterprise Server 11 SP3-TERADATA An exploitable out of bounds write exists in the handling of compressed TIFF images in ImageMagicks's convert utility. A crafted TIFF document can lead to an out of bounds write which in particular circumstances could be leveraged into remote code execution. The vulnerability can be triggered through any user controlled TIFF that is handled by this functionality. Moderate CVE-2016-8707 SUSE bug 1014159 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types. Important CVE-2016-8735 SUSE bug 1011805 SUSE Linux Enterprise Server 11 SP3-TERADATA Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution. Moderate CVE-2016-8743 SUSE bug 1016715 SUSE bug 1033513 SUSE bug 1086774 SUSE bug 1104826 SUSE bug 930944 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat 9.0.0.M1 to 9.0.0.M13, 8.5.0 to 8.5.8, 8.0.0.RC1 to 8.0.39, 7.0.0 to 7.0.73 and 6.0.16 to 6.0.48 resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage between requests including, not not limited to, session ID and the response body. The bug was first noticed in 8.5.x onwards where it appears the refactoring of the Connector code for 8.5.x onwards made it more likely that the bug was observed. Initially it was thought that the 8.5.x refactoring introduced the bug but further investigation has shown that the bug is present in all currently supported Tomcat versions. Important CVE-2016-8745 SUSE bug 1015119 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 ** DISPUTED ** The kex_input_kexinit function in kex.c in OpenSSH 6.x and 7.x through 7.3 allows remote attackers to cause a denial of service (memory consumption) by sending many duplicate KEXINIT requests. NOTE: a third party reports that "OpenSSH upstream does not consider this as a security issue." Moderate CVE-2016-8858 SUSE bug 1005480 SUSE bug 1025354 SUSE bug 1039572 SUSE bug 1087412 SUSE Linux Enterprise Server 11 SP3-TERADATA The AcquireMagickMemory function in MagickCore/memory.c in ImageMagick before 7.0.3.3 allows remote attackers to have unspecified impact via a crafted image, which triggers a memory allocation failure. Moderate CVE-2016-8862 SUSE bug 1007245 SUSE bug 1009318 SUSE bug 1031267 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 named in ISC BIND 9.x before 9.9.9-P4, 9.10.x before 9.10.4-P4, and 9.11.x before 9.11.0-P1 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a DNAME record in the answer section of a response to a recursive query, related to db.c and resolver.c. Important CVE-2016-8864 SUSE bug 1007829 SUSE bug 1018700 SUSE bug 1018701 SUSE bug 1018702 SUSE bug 1020526 SUSE bug 1024130 SUSE bug 1033466 SUSE Linux Enterprise Server 11 SP3-TERADATA The AcquireMagickMemory function in MagickCore/memory.c in ImageMagick 7.0.3.3 before 7.0.3.8 allows remote attackers to have unspecified impact via a crafted image, which triggers a memory allocation failure. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-8862. Moderate CVE-2016-8866 SUSE bug 1007245 SUSE bug 1009318 SUSE bug 1031267 SUSE Linux Enterprise Server 11 SP3-TERADATA ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2011-4516. Reason: This candidate is a duplicate of CVE-2011-4516. Notes: All CVE users should reference CVE-2011-4516 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Moderate CVE-2016-8880 SUSE bug 1006591 SUSE Linux Enterprise Server 11 SP3-TERADATA ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2011-4517. Reason: This candidate is a duplicate of CVE-2011-4517. Notes: All CVE users should reference CVE-2011-4517 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Important CVE-2016-8881 SUSE bug 1006593 SUSE Linux Enterprise Server 11 SP3-TERADATA The jpc_dec_tilefini function in libjasper/jpc/jpc_dec.c in JasPer before 1.900.8 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted file. Important CVE-2016-8882 SUSE bug 1006597 SUSE Linux Enterprise Server 11 SP3-TERADATA The jpc_dec_tiledecode function in jpc_dec.c in JasPer before 1.900.8 allows remote attackers to cause a denial of service (assertion failure) via a crafted file. Low CVE-2016-8883 SUSE bug 1006598 SUSE Linux Enterprise Server 11 SP3-TERADATA The bmp_getdata function in libjasper/bmp/bmp_dec.c in JasPer 1.900.5 allows remote attackers to cause a denial of service (NULL pointer dereference) by calling the imginfo command with a crafted BMP image. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-8690. Moderate CVE-2016-8884 SUSE bug 1005084 SUSE bug 1007009 SUSE Linux Enterprise Server 11 SP3-TERADATA The bmp_getdata function in libjasper/bmp/bmp_dec.c in JasPer before 1.900.9 allows remote attackers to cause a denial of service (NULL pointer dereference) by calling the imginfo command with a crafted BMP image. Moderate CVE-2016-8885 SUSE bug 1005084 SUSE bug 1007009 SUSE Linux Enterprise Server 11 SP3-TERADATA The jas_malloc function in libjasper/base/jas_malloc.c in JasPer before 1.900.11 allows remote attackers to have unspecified impact via a crafted file, which triggers a memory allocation failure. Low CVE-2016-8886 SUSE bug 1006599 SUSE Linux Enterprise Server 11 SP3-TERADATA The jp2_colr_destroy function in libjasper/jp2/jp2_cod.c in JasPer before 1.900.10 allows remote attackers to cause a denial of service (NULL pointer dereference). Low CVE-2016-8887 SUSE bug 1006836 SUSE bug 1006839 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The intel_hda_xfer function in hw/audio/intel-hda.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via an entry with the same value for buffer length and pointer position. Moderate CVE-2016-8909 SUSE bug 1006536 SUSE bug 1007160 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The rtl8139_cplus_transmit function in hw/net/rtl8139.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) by leveraging failure to limit the ring descriptor count. Moderate CVE-2016-8910 SUSE bug 1006538 SUSE bug 1007157 SUSE bug 1024178 SUSE Linux Enterprise Server 11 SP3-TERADATA An exploitable denial of service vulnerability exists in the origin timestamp check functionality of ntpd 4.2.8p9. A specially crafted unauthenticated network packet can be used to reset the expected origin timestamp for target peers. Legitimate replies from targeted peers will fail the origin timestamp check (TEST2) causing the reply to be dropped and creating a denial of service condition. Moderate CVE-2016-9042 SUSE bug 1030050 SUSE Linux Enterprise Server 11 SP3-TERADATA An integer overflow during the parsing of XML using the Expat library. This vulnerability affects Firefox < 50. Low CVE-2016-9063 SUSE bug 1009026 SUSE bug 1010424 SUSE bug 1047240 SUSE bug 1123115 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Add-on updates failed to verify that the add-on ID inside the signed package matched the ID of the add-on being updated. An attacker who could perform a man-in-the-middle attack on the user's connection to the update server and defeat the certificate pinning protection could provide a malicious signed add-on instead of a valid update. This vulnerability affects Firefox ESR < 45.5 and Firefox < 50. Moderate CVE-2016-9064 SUSE bug 1009026 SUSE bug 1010402 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 A buffer overflow resulting in a potentially exploitable crash due to memory allocation issues when handling large amounts of incoming data. This vulnerability affects Thunderbird < 45.5, Firefox ESR < 45.5, and Firefox < 50. Moderate CVE-2016-9066 SUSE bug 1009026 SUSE bug 1010404 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 An existing mitigation of timing side-channel attacks is insufficient in some circumstances. This issue is addressed in Network Security Services (NSS) 3.26.1. This vulnerability affects Thunderbird < 45.5, Firefox ESR < 45.5, and Firefox < 50. Moderate CVE-2016-9074 SUSE bug 1009026 SUSE bug 1010422 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 A use-after-free vulnerability in SVG Animation has been discovered. An exploit built on this vulnerability has been discovered in the wild targeting Firefox and Tor Browser users on Windows. This vulnerability affects Firefox < 50.0.2, Firefox ESR < 45.5.1, and Thunderbird < 45.5.1. Important CVE-2016-9079 SUSE bug 1012964 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in the write_png function in cairo 1.14.6 allows remote attackers to cause a denial of service (invalid pointer dereference) via a large svg file. Moderate CVE-2016-9082 SUSE bug 1007255 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Memory leak in hw/net/eepro100.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) by repeatedly unplugging an i8255x (PRO100) NIC device. Moderate CVE-2016-9101 SUSE bug 1007391 SUSE bug 1013668 SUSE bug 1024181 SUSE Linux Enterprise Server 11 SP3-TERADATA Memory leak in the v9fs_xattrcreate function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) via a large number of Txattrcreate messages with the same fid number. Moderate CVE-2016-9102 SUSE bug 1007450 SUSE bug 1014256 SUSE Linux Enterprise Server 11 SP3-TERADATA The v9fs_xattrcreate function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to obtain sensitive host heap memory information by reading xattribute values before writing to them. Moderate CVE-2016-9103 SUSE bug 1007454 SUSE bug 1014259 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple integer overflows in the (1) v9fs_xattr_read and (2) v9fs_xattr_write functions in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allow local guest OS administrators to cause a denial of service (QEMU process crash) via a crafted offset, which triggers an out-of-bounds access. Moderate CVE-2016-9104 SUSE bug 1007493 SUSE bug 1014297 SUSE bug 1034990 SUSE Linux Enterprise Server 11 SP3-TERADATA Memory leak in the v9fs_link function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via vectors involving a reference to the source fid object. Moderate CVE-2016-9105 SUSE bug 1007494 SUSE bug 1014279 SUSE Linux Enterprise Server 11 SP3-TERADATA Memory leak in the v9fs_write function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) by leveraging failure to free an IO vector. Moderate CVE-2016-9106 SUSE bug 1007495 SUSE bug 1014299 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 named in ISC BIND 9.x before 9.9.9-P5, 9.10.x before 9.10.4-P5, and 9.11.x before 9.11.0-P2 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a malformed response to an RTYPE ANY query. Important CVE-2016-9131 SUSE bug 1018699 SUSE bug 1018700 SUSE bug 1018701 SUSE bug 1018702 SUSE bug 1033466 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 named in ISC BIND 9.9.9-P4, 9.9.9-S6, 9.10.4-P4, and 9.11.0-P1 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a response containing an inconsistency among the DNSSEC-related RRsets. Important CVE-2016-9147 SUSE bug 1018699 SUSE bug 1018700 SUSE bug 1018701 SUSE bug 1018702 SUSE bug 1033466 SUSE bug 1081545 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple integer overflows in the (1) jas_realloc function in base/jas_malloc.c and (2) mem_resize function in base/jas_stream.c in JasPer before 1.900.22 allow remote attackers to cause a denial of service via a crafted image, which triggers use after free vulnerabilities. Moderate CVE-2016-9262 SUSE bug 1009994 SUSE Linux Enterprise Server 11 SP3-TERADATA tiffsplit in libtiff 4.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted file, related to changing td_nstrips in TIFF_STRIPCHOP mode. Moderate CVE-2016-9273 SUSE bug 1010163 SUSE bug 1017693 SUSE bug 1150480 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The control mode (mode 6) functionality in ntpd in NTP before 4.2.8p9 allows remote attackers to set or unset traps via a crafted control mode packet. Moderate CVE-2016-9310 SUSE bug 1011377 SUSE bug 1011421 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 ntpd in NTP before 4.2.8p9, when the trap service is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted packet. Moderate CVE-2016-9311 SUSE bug 1011377 SUSE bug 1011421 SUSE Linux Enterprise Server 11 SP3-TERADATA The gdImageCreate function in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to cause a denial of service (system hang) via an oversized image. Important CVE-2016-9317 SUSE bug 1022283 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document. Moderate CVE-2016-9318 SUSE bug 1010675 SUSE bug 1013930 SUSE bug 1014873 SUSE bug 1019074 SUSE bug 1118959 SUSE bug 1123919 SUSE bug 1126613 SUSE bug 1148896 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.2.0 to 2.2.1 and 2.0.0 to 2.0.7, the DCERPC dissector could crash with a use-after-free, triggered by network traffic or a capture file. This was addressed in epan/dissectors/packet-dcerpc-nt.c and epan/dissectors/packet-dcerpc-spoolss.c by using the wmem file scope for private strings. Moderate CVE-2016-9373 SUSE bug 1010754 SUSE bug 1010911 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.2.0 to 2.2.1 and 2.0.0 to 2.0.7, the AllJoyn dissector could crash with a buffer over-read, triggered by network traffic or a capture file. This was addressed in epan/dissectors/packet-alljoyn.c by ensuring that a length variable properly tracked the state of a signature variable. Moderate CVE-2016-9374 SUSE bug 1010752 SUSE bug 1010911 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.2.0 to 2.2.1 and 2.0.0 to 2.0.7, the DTN dissector could go into an infinite loop, triggered by network traffic or a capture file. This was addressed in epan/dissectors/packet-dtn.c by checking whether SDNV evaluation was successful. Moderate CVE-2016-9375 SUSE bug 1010740 SUSE bug 1010911 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.2.0 to 2.2.1 and 2.0.0 to 2.0.7, the OpenFlow dissector could crash with memory exhaustion, triggered by network traffic or a capture file. This was addressed in epan/dissectors/packet-openflow_v5.c by ensuring that certain length values were sufficiently large. Moderate CVE-2016-9376 SUSE bug 1010735 SUSE bug 1010911 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The pygrub boot loader emulator in Xen, when S-expression output format is requested, allows local pygrub-using guest OS administrators to read or delete arbitrary files on the host via string quotes and S-expressions in the bootloader configuration file. Important CVE-2016-9379 SUSE bug 1009111 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The pygrub boot loader emulator in Xen, when nul-delimited output format is requested, allows local pygrub-using guest OS administrators to read or delete arbitrary files on the host via NUL bytes in the bootloader configuration file. Important CVE-2016-9380 SUSE bug 1009111 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Race condition in QEMU in Xen allows local x86 HVM guest OS administrators to gain privileges by changing certain data on shared rings, aka a "double fetch" vulnerability. Important CVE-2016-9381 SUSE bug 1009109 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Xen 4.0.x through 4.7.x mishandle x86 task switches to VM86 mode, which allows local 32-bit x86 HVM guest OS users to gain privileges or cause a denial of service (guest OS crash) by leveraging a guest operating system that uses hardware task switching and allows a new task to start in VM86 mode. Important CVE-2016-9382 SUSE bug 1009103 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Xen, when running on a 64-bit hypervisor, allows local x86 guest OS users to modify arbitrary memory and consequently obtain sensitive information, cause a denial of service (host crash), or execute arbitrary code on the host by leveraging broken emulation of bit test instructions. Important CVE-2016-9383 SUSE bug 1009107 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The x86 emulator in Xen does not properly treat x86 NULL segments as unusable when accessing memory, which might allow local HVM guest users to gain privileges via vectors involving "unexpected" base/limit values. Important CVE-2016-9386 SUSE bug 1009100 SUSE Linux Enterprise Server 11 SP3-TERADATA The ras_getcmap function in ras_dec.c in JasPer before 1.900.14 allows remote attackers to cause a denial of service (assertion failure) via a crafted image file. Moderate CVE-2016-9388 SUSE bug 1010975 SUSE Linux Enterprise Server 11 SP3-TERADATA The jpc_irct and jpc_iict functions in jpc_mct.c in JasPer before 1.900.14 allow remote attackers to cause a denial of service (assertion failure). Moderate CVE-2016-9389 SUSE bug 1010968 SUSE Linux Enterprise Server 11 SP3-TERADATA The jas_seq2d_create function in jas_seq.c in JasPer before 1.900.14 allows remote attackers to cause a denial of service (assertion failure) via a crafted image file. Moderate CVE-2016-9390 SUSE bug 1010774 SUSE Linux Enterprise Server 11 SP3-TERADATA The jpc_bitstream_getbits function in jpc_bs.c in JasPer before 2.0.10 allows remote attackers to cause a denial of service (assertion failure) via a very large integer. Moderate CVE-2016-9391 SUSE bug 1010782 SUSE Linux Enterprise Server 11 SP3-TERADATA The calcstepsizes function in jpc_dec.c in JasPer before 1.900.17 allows remote attackers to cause a denial of service (assertion failure) via a crafted file. Moderate CVE-2016-9392 SUSE bug 1010757 SUSE Linux Enterprise Server 11 SP3-TERADATA The jpc_pi_nextrpcl function in jpc_t2cod.c in JasPer before 1.900.17 allows remote attackers to cause a denial of service (assertion failure) via a crafted file. Moderate CVE-2016-9393 SUSE bug 1010757 SUSE bug 1010766 SUSE Linux Enterprise Server 11 SP3-TERADATA The jas_seq2d_create function in jas_seq.c in JasPer before 1.900.17 allows remote attackers to cause a denial of service (assertion failure) via a crafted file. Moderate CVE-2016-9394 SUSE bug 1010756 SUSE bug 1010757 SUSE Linux Enterprise Server 11 SP3-TERADATA The jas_seq2d_create function in jas_seq.c in JasPer before 1.900.25 allows remote attackers to cause a denial of service (assertion failure) via a crafted file. Moderate CVE-2016-9395 SUSE bug 1010977 SUSE Linux Enterprise Server 11 SP3-TERADATA The jpc_floorlog2 function in jpc_math.c in JasPer before 1.900.17 allows remote attackers to cause a denial of service (assertion failure) via unspecified vectors. Moderate CVE-2016-9398 SUSE bug 1010979 SUSE Linux Enterprise Server 11 SP3-TERADATA popd in bash might allow local users to bypass the restricted shell and cause a use-after-free via a crafted address. Moderate CVE-2016-9401 SUSE bug 1010845 SUSE bug 1123788 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31. The feed_table_tag function in w3m doesn't properly validate the value of table span, which allows remote attackers to cause a denial of service (stack and/or heap buffer overflow) and possibly execute arbitrary code via a crafted HTML page. Moderate CVE-2016-9422 SUSE bug 1011269 SUSE bug 1011293 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31. Heap-based buffer overflow in w3m allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted HTML page. Moderate CVE-2016-9423 SUSE bug 1011270 SUSE bug 1011293 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31. w3m doesn't properly validate the value of tag attribute, which allows remote attackers to cause a denial of service (heap buffer overflow crash) and possibly execute arbitrary code via a crafted HTML page. Moderate CVE-2016-9424 SUSE bug 1011271 SUSE bug 1011293 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31. Heap-based buffer overflow in the addMultirowsForm function in w3m allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted HTML page. Moderate CVE-2016-9425 SUSE bug 1011272 SUSE bug 1011293 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31. w3m allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted HTML page. Moderate CVE-2016-9434 SUSE bug 1011283 SUSE bug 1011293 SUSE Linux Enterprise Server 11 SP3-TERADATA The HTMLtagproc1 function in file.c in w3m before 0.5.3+git20161009 does not properly initialize values, which allows remote attackers to crash the application via a crafted html file, related to <dd> tags. Moderate CVE-2016-9435 SUSE bug 1011284 SUSE bug 1011293 SUSE Linux Enterprise Server 11 SP3-TERADATA parsetagx.c in w3m before 0.5.3+git20161009 does not properly initialize values, which allows remote attackers to crash the application via a crafted html file, related to a <i> tag. Moderate CVE-2016-9436 SUSE bug 1011285 SUSE bug 1011293 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31. w3m allows remote attackers to cause a denial of service (segmentation fault and crash) and possibly memory corruption via a crafted HTML page. Moderate CVE-2016-9437 SUSE bug 1011286 SUSE bug 1011293 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31. w3m allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted HTML page. Moderate CVE-2016-9438 SUSE bug 1011287 SUSE bug 1011293 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31. Infinite recursion vulnerability in w3m allows remote attackers to cause a denial of service via a crafted HTML page. Moderate CVE-2016-9439 SUSE bug 1011288 SUSE bug 1011293 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31. w3m allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted HTML page. Moderate CVE-2016-9440 SUSE bug 1011289 SUSE bug 1011293 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31. w3m allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted HTML page. Moderate CVE-2016-9441 SUSE bug 1011290 SUSE bug 1011293 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31. w3m allows remote attackers to cause memory corruption in certain conditions via a crafted HTML page. Moderate CVE-2016-9442 SUSE bug 1011291 SUSE bug 1011293 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31. w3m allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted HTML page. Moderate CVE-2016-9443 SUSE bug 1011292 SUSE bug 1011293 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 named in ISC BIND 9.x before 9.9.9-P5, 9.10.x before 9.10.4-P5, and 9.11.x before 9.11.0-P2 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a crafted DS resource record in an answer. Important CVE-2016-9444 SUSE bug 1018699 SUSE bug 1018700 SUSE bug 1018701 SUSE bug 1018702 SUSE bug 1033466 SUSE Linux Enterprise Server 11 SP3-TERADATA The t2p_readwrite_pdf_image_tile function in LibTIFF allows remote attackers to cause a denial of service (out-of-bounds write and crash) or possibly execute arbitrary code via a JPEG file with a TIFFTAG_JPEGTABLES of length one. Important CVE-2016-9453 SUSE bug 1007280 SUSE bug 1011107 SUSE Linux Enterprise Server 11 SP3-TERADATA tif_predict.h and tif_predict.c in libtiff 4.0.6 have assertions that can lead to assertion failures in debug mode, or buffer overflows in release mode, when dealing with unusual tile size like YCbCr with subsampling. Reported as MSVR 35105, aka "Predictor heap-buffer-overflow." Important CVE-2016-9535 SUSE bug 1011846 SUSE bug 1013308 SUSE Linux Enterprise Server 11 SP3-TERADATA tools/tiff2pdf.c in libtiff 4.0.6 has out-of-bounds write vulnerabilities in heap allocated buffers in t2p_process_jpeg_strip(). Reported as MSVR 35098, aka "t2p_process_jpeg_strip heap-buffer-overflow." Important CVE-2016-9536 SUSE bug 1011845 SUSE Linux Enterprise Server 11 SP3-TERADATA tools/tiffcp.c in libtiff 4.0.6 has an out-of-bounds write on tiled images with odd tile width versus image width. Reported as MSVR 35103, aka "cpStripToTile heap-buffer-overflow." Important CVE-2016-9540 SUSE bug 1011839 SUSE bug 1013308 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the Linux kernel before 4.8.8 lacks chunk-length checking for the first chunk, which allows remote attackers to cause a denial of service (out-of-bounds slab access) or possibly have unspecified other impact via crafted SCTP data. Moderate CVE-2016-9555 SUSE bug 1011685 SUSE bug 1012183 SUSE Linux Enterprise Server 11 SP3-TERADATA The IsPixelGray function in MagickCore/pixel-accessor.h in ImageMagick 7.0.3-8 allows remote attackers to cause a denial of service (out-of-bounds heap read) via a crafted image file. Moderate CVE-2016-9556 SUSE bug 1011130 SUSE bug 1013376 SUSE Linux Enterprise Server 11 SP3-TERADATA coders/tiff.c in ImageMagick before 7.0.3.7 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted image. Moderate CVE-2016-9559 SUSE bug 1011136 SUSE Linux Enterprise Server 11 SP3-TERADATA Stack-based buffer overflow in the jpc_tsfb_getbands2 function in jpc_tsfb.c in JasPer before 1.900.30 allows remote attackers to have unspecified impact via a crafted image. Important CVE-2016-9560 SUSE bug 1011830 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 nss before version 3.30 is vulnerable to a remote denial of service during the session handshake when using SessionTicket extension and ECDHE-ECDSA. Important CVE-2016-9574 SUSE bug 1015499 SUSE bug 1035082 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The blk_rq_map_user_iov function in block/blk-map.c in the Linux kernel before 4.8.14 does not properly restrict the type of iterator, which allows local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device. Important CVE-2016-9576 SUSE bug 1013604 SUSE bug 1014271 SUSE bug 1017710 SUSE bug 1019079 SUSE bug 1019668 SUSE Linux Enterprise Server 11 SP3-TERADATA An out-of-bounds heap read vulnerability was found in the jpc_pi_nextpcrl() function of jasper before 2.0.6 when processing crafted input. Moderate CVE-2016-9583 SUSE bug 1015400 SUSE Linux Enterprise Server 11 SP3-TERADATA libical allows remote attackers to cause a denial of service (use-after-free) and possibly read heap memory via a crafted ics file. Moderate CVE-2016-9584 SUSE bug 1015964 SUSE Linux Enterprise Server 11 SP3-TERADATA curl before version 7.52.0 is vulnerable to a buffer overflow when doing a large floating point output in libcurl's implementation of the printf() functions. If there are any application that accepts a format string from the outside without necessary input filtering, it could allow remote attacks. Moderate CVE-2016-9586 SUSE bug 1015332 SUSE Linux Enterprise Server 11 SP3-TERADATA Ansible before versions 2.1.4, 2.2.1 is vulnerable to an improper input validation in Ansible's handling of data sent from client systems. An attacker with control over a client system being managed by Ansible and the ability to send facts back to the Ansible server could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges. Moderate CVE-2016-9587 SUSE bug 1019021 SUSE Linux Enterprise Server 11 SP3-TERADATA JasPer before version 2.0.12 is vulnerable to a use-after-free in the way it decodes certain JPEG 2000 image files resulting in a crash on the application using JasPer. Important CVE-2016-9591 SUSE bug 1015993 SUSE Linux Enterprise Server 11 SP3-TERADATA JasPer before version 2.0.10 is vulnerable to a null pointer dereference was found in the decoded creation of JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash. Moderate CVE-2016-9600 SUSE bug 1018088 SUSE Linux Enterprise Server 11 SP3-TERADATA ghostscript before version 9.21 is vulnerable to a heap based buffer overflow that was found in the ghostscript jbig2_decode_gray_scale_image function which is used to decode halftone segments in a JBIG2 image. A document (PostScript or PDF) with an embedded, specially crafted, jbig2 image could trigger a segmentation fault in ghostscript. Moderate CVE-2016-9601 SUSE bug 1018128 SUSE bug 1036453 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Qemu before version 2.9 is vulnerable to an improper link following when built with the VirtFS. A privileged user inside guest could use this flaw to access host file system beyond the shared folder and potentially escalating their privileges on a host. Important CVE-2016-9602 SUSE bug 1020427 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 A heap buffer overflow flaw was found in QEMU's Cirrus CLGD 54xx VGA emulator's VNC display driver support before 2.9; the issue could occur when a VNC client attempted to update its display after a VGA operation is performed by a guest. A privileged user/process inside a guest could use this flaw to crash the QEMU process or, potentially, execute arbitrary code on the host with privileges of the QEMU process. Moderate CVE-2016-9603 SUSE bug 1028655 SUSE bug 1028656 SUSE Linux Enterprise Server 11 SP3-TERADATA ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2016-9429. Reason: This candidate is a reservation duplicate of CVE-2016-9429. Notes: All CVE users should reference CVE-2016-9429 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Moderate CVE-2016-9621 SUSE bug 1011278 SUSE bug 1011293 SUSE bug 1012020 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-33. w3m allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted HTML page. Moderate CVE-2016-9622 SUSE bug 1011293 SUSE bug 1012021 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-33. w3m allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted HTML page. Moderate CVE-2016-9623 SUSE bug 1011293 SUSE bug 1012022 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-33. w3m allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted HTML page. Moderate CVE-2016-9624 SUSE bug 1011293 SUSE bug 1012023 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-33. Infinite recursion vulnerability in w3m allows remote attackers to cause a denial of service via a crafted HTML page. Moderate CVE-2016-9625 SUSE bug 1011293 SUSE bug 1012024 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-33. Infinite recursion vulnerability in w3m allows remote attackers to cause a denial of service via a crafted HTML page. Moderate CVE-2016-9626 SUSE bug 1011293 SUSE bug 1012025 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-33. w3m allows remote attackers to cause a denial of service (heap buffer overflow and crash) via a crafted HTML page. Moderate CVE-2016-9627 SUSE bug 1011293 SUSE bug 1012026 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-33. w3m allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted HTML page. Moderate CVE-2016-9628 SUSE bug 1011293 SUSE bug 1012027 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-33. w3m allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted HTML page. Moderate CVE-2016-9629 SUSE bug 1011293 SUSE bug 1012028 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-33. w3m allows remote attackers to cause a denial of service (global buffer overflow and crash) via a crafted HTML page. Moderate CVE-2016-9630 SUSE bug 1011293 SUSE bug 1012029 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-33. w3m allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted HTML page. Moderate CVE-2016-9631 SUSE bug 1011293 SUSE bug 1012030 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-33. w3m allows remote attackers to cause a denial of service (global buffer overflow and crash) via a crafted HTML page. Moderate CVE-2016-9632 SUSE bug 1011293 SUSE bug 1012031 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-33. w3m allows remote attackers to cause a denial of service (infinite loop and resource consumption) via a crafted HTML page. Moderate CVE-2016-9633 SUSE bug 1011293 SUSE bug 1012032 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the flx_decode_delta_fli function in gst/flx/gstflxdec.c in the FLIC decoder in GStreamer before 1.10.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via the start_line parameter. Important CVE-2016-9634 SUSE bug 1012102 SUSE bug 1012103 SUSE bug 1012104 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the flx_decode_delta_fli function in gst/flx/gstflxdec.c in the FLIC decoder in GStreamer before 1.10.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) by providing a 'skip count' that goes beyond initialized buffer. Critical CVE-2016-9635 SUSE bug 1012102 SUSE bug 1012103 SUSE bug 1012104 SUSE bug 1013653 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the flx_decode_delta_fli function in gst/flx/gstflxdec.c in the FLIC decoder in GStreamer before 1.10.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) by providing a 'write count' that goes beyond the initialized buffer. Critical CVE-2016-9636 SUSE bug 1012102 SUSE bug 1012103 SUSE bug 1012104 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The (1) ioport_read and (2) ioport_write functions in Xen, when qemu is used as a device model within Xen, might allow local x86 HVM guest OS administrators to gain qemu process privileges via vectors involving an out-of-range ioport access. Important CVE-2016-9637 SUSE bug 1011652 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Multiple memory leaks in error paths in fs/xfs/xfs_attr_list.c in the Linux kernel before 4.5.1 allow local users to cause a denial of service (memory consumption) via crafted XFS filesystem operations. Moderate CVE-2016-9685 SUSE bug 1012832 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 arch/x86/kvm/emulate.c in the Linux kernel before 4.8.12 does not properly initialize Code Segment (CS) in certain error cases, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. Moderate CVE-2016-9756 SUSE bug 1013038 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the IsPixelGray function in MagickCore/pixel-accessor.h in ImageMagick 7.0.3.8 allows remote attackers to cause a denial of service (out-of-bounds heap read) via a crafted image file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-9556. Moderate CVE-2016-9773 SUSE bug 1011130 SUSE bug 1013376 SUSE bug 1017421 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 QEMU (aka Quick Emulator) built with the ColdFire Fast Ethernet Controller emulator support is vulnerable to an infinite loop issue. It could occur while receiving packets in 'mcf_fec_receive'. A privileged user/process inside guest could use this issue to crash the QEMU process on the host leading to DoS. Moderate CVE-2016-9776 SUSE bug 1013285 SUSE bug 1013657 SUSE bug 1024182 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The sock_setsockopt function in net/core/sock.c in the Linux kernel before 4.8.14 mishandles negative values of sk_sndbuf and sk_rcvbuf, which allows local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability for a crafted setsockopt system call with the (1) SO_SNDBUFFORCE or (2) SO_RCVBUFFORCE option. Moderate CVE-2016-9793 SUSE bug 1013531 SUSE bug 1013542 SUSE bug 1025354 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Race condition in the snd_pcm_period_elapsed function in sound/core/pcm_lib.c in the ALSA subsystem in the Linux kernel before 4.7 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted SNDRV_PCM_TRIGGER_START command. Important CVE-2016-9794 SUSE bug 1013533 SUSE bug 1013543 SUSE bug 1013604 SUSE Linux Enterprise Server 11 SP3-TERADATA The flx_decode_chunks function in gst/flx/gstflxdec.c in GStreamer before 1.10.2 allows remote attackers to cause a denial of service (invalid memory read and crash) via a crafted FLIC file. Moderate CVE-2016-9807 SUSE bug 1013655 SUSE Linux Enterprise Server 11 SP3-TERADATA The FLIC decoder in GStreamer before 1.10.2 allows remote attackers to cause a denial of service (out-of-bounds write and crash) via a crafted series of skip and count pairs. Important CVE-2016-9808 SUSE bug 1012102 SUSE bug 1012103 SUSE bug 1012104 SUSE bug 1013653 SUSE Linux Enterprise Server 11 SP3-TERADATA The gst_decode_chain_free_internal function in the flxdex decoder in gst-plugins-good in GStreamer before 1.10.2 allows remote attackers to cause a denial of service (invalid memory read and crash) via an invalid file, which triggers an incorrect unref call. Moderate CVE-2016-9810 SUSE bug 1013663 SUSE Linux Enterprise Server 11 SP3-TERADATA The windows_icon_typefind function in gst-plugins-base in GStreamer before 1.10.2, when G_SLICE is set to always-malloc, allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted ico file. Moderate CVE-2016-9811 SUSE bug 1013669 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic. Low CVE-2016-9840 SUSE bug 1003579 SUSE bug 1023215 SUSE bug 1038505 SUSE bug 1120866 SUSE bug 1123150 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic. Low CVE-2016-9841 SUSE bug 1003579 SUSE bug 1038505 SUSE bug 1064070 SUSE bug 1070162 SUSE bug 1120866 SUSE bug 1123150 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers. Low CVE-2016-9842 SUSE bug 1003580 SUSE bug 1023215 SUSE bug 1038505 SUSE bug 1120866 SUSE bug 1123150 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation. Moderate CVE-2016-9843 SUSE bug 1003580 SUSE bug 1013882 SUSE bug 1038505 SUSE bug 1116686 SUSE bug 1120866 SUSE bug 1123150 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in the zi_short function in zipinfo.c in Info-Zip UnZip 6.0 allows remote attackers to cause a denial of service (crash) via a large compression method value in the central directory file header. Moderate CVE-2016-9844 SUSE bug 1013992 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Memory safety bugs were reported in Thunderbird 45.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 50.1, Firefox ESR < 45.6, and Thunderbird < 45.6. Moderate CVE-2016-9893 SUSE bug 1015422 SUSE bug 1015527 SUSE bug 1015528 SUSE bug 1015529 SUSE bug 1015530 SUSE bug 1015531 SUSE bug 1015533 SUSE bug 1015534 SUSE bug 1015535 SUSE bug 1015536 SUSE bug 1015537 SUSE bug 1015538 SUSE bug 1015540 SUSE bug 1015541 SUSE bug 1015542 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Event handlers on "marquee" elements were executed despite a strict Content Security Policy (CSP) that disallowed inline JavaScript. This vulnerability affects Firefox < 50.1, Firefox ESR < 45.6, and Thunderbird < 45.6. Moderate CVE-2016-9895 SUSE bug 1015422 SUSE bug 1015527 SUSE bug 1015528 SUSE bug 1015529 SUSE bug 1015530 SUSE bug 1015531 SUSE bug 1015533 SUSE bug 1015534 SUSE bug 1015535 SUSE bug 1015536 SUSE bug 1015537 SUSE bug 1015538 SUSE bug 1015540 SUSE bug 1015541 SUSE bug 1015542 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Memory corruption resulting in a potentially exploitable crash during WebGL functions using a vector constructor with a varying array within libGLES. This vulnerability affects Firefox < 50.1, Firefox ESR < 45.6, and Thunderbird < 45.6. Moderate CVE-2016-9897 SUSE bug 1015422 SUSE bug 1015527 SUSE bug 1015528 SUSE bug 1015529 SUSE bug 1015530 SUSE bug 1015531 SUSE bug 1015533 SUSE bug 1015534 SUSE bug 1015535 SUSE bug 1015536 SUSE bug 1015537 SUSE bug 1015538 SUSE bug 1015540 SUSE bug 1015541 SUSE bug 1015542 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Use-after-free resulting in potentially exploitable crash when manipulating DOM subtrees in the Editor. This vulnerability affects Firefox < 50.1, Firefox ESR < 45.6, and Thunderbird < 45.6. Moderate CVE-2016-9898 SUSE bug 1015422 SUSE bug 1015527 SUSE bug 1015528 SUSE bug 1015529 SUSE bug 1015530 SUSE bug 1015531 SUSE bug 1015533 SUSE bug 1015534 SUSE bug 1015535 SUSE bug 1015536 SUSE bug 1015537 SUSE bug 1015538 SUSE bug 1015540 SUSE bug 1015541 SUSE bug 1015542 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Use-after-free while manipulating DOM events and removing audio elements due to errors in the handling of node adoption. This vulnerability affects Firefox < 50.1, Firefox ESR < 45.6, and Thunderbird < 45.6. Moderate CVE-2016-9899 SUSE bug 1015422 SUSE bug 1015527 SUSE bug 1015528 SUSE bug 1015529 SUSE bug 1015530 SUSE bug 1015531 SUSE bug 1015533 SUSE bug 1015534 SUSE bug 1015535 SUSE bug 1015536 SUSE bug 1015537 SUSE bug 1015538 SUSE bug 1015540 SUSE bug 1015541 SUSE bug 1015542 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 External resources that should be blocked when loaded by SVG images can bypass security restrictions through the use of "data:" URLs. This could allow for cross-domain data leakage. This vulnerability affects Firefox < 50.1, Firefox ESR < 45.6, and Thunderbird < 45.6. Moderate CVE-2016-9900 SUSE bug 1015422 SUSE bug 1015527 SUSE bug 1015528 SUSE bug 1015529 SUSE bug 1015530 SUSE bug 1015531 SUSE bug 1015533 SUSE bug 1015534 SUSE bug 1015535 SUSE bug 1015536 SUSE bug 1015537 SUSE bug 1015538 SUSE bug 1015540 SUSE bug 1015541 SUSE bug 1015542 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 HTML tags received from the Pocket server will be processed without sanitization and any JavaScript code executed will be run in the "about:pocket-saved" (unprivileged) page, giving it access to Pocket's messaging API through HTML injection. This vulnerability affects Firefox ESR < 45.6 and Firefox < 50.1. Moderate CVE-2016-9901 SUSE bug 1015422 SUSE bug 1015527 SUSE bug 1015528 SUSE bug 1015529 SUSE bug 1015530 SUSE bug 1015531 SUSE bug 1015533 SUSE bug 1015534 SUSE bug 1015535 SUSE bug 1015536 SUSE bug 1015537 SUSE bug 1015538 SUSE bug 1015540 SUSE bug 1015541 SUSE bug 1015542 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The Pocket toolbar button, once activated, listens for events fired from it's own pages but does not verify the origin of incoming events. This allows content from other origins to fire events and inject content and commands into the Pocket context. Note: this issue does not affect users with e10s enabled. This vulnerability affects Firefox ESR < 45.6 and Firefox < 50.1. Moderate CVE-2016-9902 SUSE bug 1015422 SUSE bug 1015527 SUSE bug 1015528 SUSE bug 1015529 SUSE bug 1015530 SUSE bug 1015531 SUSE bug 1015533 SUSE bug 1015534 SUSE bug 1015535 SUSE bug 1015536 SUSE bug 1015537 SUSE bug 1015538 SUSE bug 1015540 SUSE bug 1015541 SUSE bug 1015542 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 An attacker could use a JavaScript Map/Set timing attack to determine whether an atom is used by another compartment/zone in specific contexts. This could be used to leak information, such as usernames embedded in JavaScript code, across websites. This vulnerability affects Firefox < 50.1, Firefox ESR < 45.6, and Thunderbird < 45.6. Moderate CVE-2016-9904 SUSE bug 1015422 SUSE bug 1015527 SUSE bug 1015528 SUSE bug 1015529 SUSE bug 1015530 SUSE bug 1015531 SUSE bug 1015533 SUSE bug 1015534 SUSE bug 1015535 SUSE bug 1015536 SUSE bug 1015537 SUSE bug 1015538 SUSE bug 1015540 SUSE bug 1015541 SUSE bug 1015542 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 A potentially exploitable crash in "EnumerateSubDocuments" while adding or removing sub-documents. This vulnerability affects Firefox ESR < 45.6 and Thunderbird < 45.6. Moderate CVE-2016-9905 SUSE bug 1015422 SUSE bug 1015527 SUSE bug 1015528 SUSE bug 1015529 SUSE bug 1015530 SUSE bug 1015531 SUSE bug 1015533 SUSE bug 1015534 SUSE bug 1015535 SUSE bug 1015536 SUSE bug 1015537 SUSE bug 1015538 SUSE bug 1015540 SUSE bug 1015541 SUSE bug 1015542 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Quick Emulator (Qemu) built with the USB redirector usb-guest support is vulnerable to a memory leakage flaw. It could occur while destroying the USB redirector in 'usbredir_handle_destroy'. A guest user/process could use this issue to leak host memory, resulting in DoS for a host. Moderate CVE-2016-9907 SUSE bug 1014109 SUSE bug 1014490 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Quick Emulator (Qemu) built with the USB EHCI Emulation support is vulnerable to a memory leakage issue. It could occur while processing packet data in 'ehci_init_transfer'. A guest user/process could use this issue to leak host memory, resulting in DoS for a host. Moderate CVE-2016-9911 SUSE bug 1014111 SUSE bug 1014507 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Quick emulator (Qemu) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to a divide by zero issue. It could occur while copying VGA data when cirrus graphics mode was set to be VGA. A privileged user inside guest could use this flaw to crash the Qemu process instance on the host, resulting in DoS. Moderate CVE-2016-9921 SUSE bug 1014702 SUSE bug 1015169 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The cirrus_do_copy function in hw/display/cirrus_vga.c in QEMU (aka Quick Emulator), when cirrus graphics mode is VGA, allows local guest OS privileged users to cause a denial of service (divide-by-zero error and QEMU process crash) via vectors involving blit pitch values. Moderate CVE-2016-9922 SUSE bug 1014702 SUSE bug 1015169 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 CMPXCHG8B emulation in Xen 3.3.x through 4.7.x on x86 systems allows local HVM guest OS users to obtain sensitive information from host stack memory via a "supposedly-ignored" operand size prefix. Moderate CVE-2016-9932 SUSE bug 1012651 SUSE bug 1016340 SUSE Linux Enterprise Server 11 SP3-TERADATA Stack consumption vulnerability in the gdImageFillToBorder function in gd.c in the GD Graphics Library (aka libgd) before 2.2.2, as used in PHP before 5.6.28 and 7.x before 7.0.13, allows remote attackers to cause a denial of service (segmentation violation) via a crafted imagefilltoborder call that triggers use of a negative color value. Moderate CVE-2016-9933 SUSE bug 1015187 SUSE Linux Enterprise Server 11 SP3-TERADATA ext/wddx/wddx.c in PHP before 5.6.28 and 7.x before 7.0.13 allows remote attackers to cause a denial of service (NULL pointer dereference) via crafted serialized data in a wddxPacket XML document, as demonstrated by a PDORow string. Moderate CVE-2016-9934 SUSE bug 1015188 SUSE Linux Enterprise Server 11 SP3-TERADATA The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.29 and 7.x before 7.0.14 allows remote attackers to cause a denial of service (out-of-bounds read and memory corruption) or possibly have unspecified other impact via an empty boolean element in a wddxPacket XML document. Moderate CVE-2016-9935 SUSE bug 1015189 SUSE bug 1048097 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in rfbproto.c in LibVNCClient in LibVNCServer before 0.9.11 allows remote servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted FramebufferUpdate message containing a subrectangle outside of the client drawing area. Important CVE-2016-9941 SUSE bug 1017711 SUSE bug 1019274 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in ultra.c in LibVNCClient in LibVNCServer before 0.9.11 allows remote servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted FramebufferUpdate message with the Ultra type tile, such that the LZO payload decompressed length exceeds what is specified by the tile dimensions. Important CVE-2016-9942 SUSE bug 1017712 SUSE bug 1019274 SUSE Linux Enterprise Server 11 SP3-TERADATA A remote code execution vulnerability in libxml2 could enable an attacker using a specially crafted file to execute arbitrary code within the context of an unprivileged process. This issue is rated as High due to the possibility of remote code execution in an application that uses this library. Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-37104170. Important CVE-2017-0663 SUSE bug 1044337 SUSE bug 1049467 SUSE bug 1123919 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in the snd_pcm_info function in the ALSA subsystem in the Linux kernel allows attackers to gain privileges via unspecified vectors. Important CVE-2017-0861 SUSE bug 1088260 SUSE bug 1088268 SUSE bug 1091815 SUSE Linux Enterprise Server 11 SP3-TERADATA JasPer 2.0.12 is vulnerable to a NULL pointer exception in the function jp2_encode which failed to check to see if the image contained at least one component resulting in a denial-of-service. Moderate CVE-2017-1000050 SUSE bug 1047958 SUSE Linux Enterprise Server 11 SP3-TERADATA When doing a TFTP transfer and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name is truncated to fit within the buffer boundaries, but the buffer size is still wrongly updated to use the untruncated length. This too large value is then used in the sendto() call, making curl attempt to send more data than what is actually put into the buffer. The endto() function will then read beyond the end of the heap based buffer. A malicious HTTP(S) server could redirect a vulnerable libcurl-using client to a crafted TFTP URL (if the client hasn't restricted which protocols it allows redirects to) and trick it to send private memory contents to a remote server over UDP. Limit curl's redirect protocols with --proto-redir and libcurl's with CURLOPT_REDIR_PROTOCOLS. Moderate CVE-2017-1000100 SUSE bug 1051644 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch. When building a UFO packet with MSG_MORE __ip_append_data() calls ip_ufo_append_data() to append. However in between two send() calls, the append path can be switched from UFO to non-UFO one, which leads to a memory corruption. In case UFO packet lengths exceeds MTU, copy = maxfraglen - skb->len becomes negative on the non-UFO path and the branch to allocate new skb is taken. This triggers fragmentation and computation of fraggap = skb_prev->len - maxfraglen. Fraggap can exceed MTU, causing copy = datalen - transhdrlen - fraggap to become negative. Subsequently skb_copy_and_csum_bits() writes out-of-bounds. A similar issue is present in IPv6 code. The bug was introduced in e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach") on Oct 18 2005. Important CVE-2017-1000112 SUSE bug 1052311 SUSE bug 1052365 SUSE bug 1052368 SUSE Linux Enterprise Server 11 SP3-TERADATA CPython (aka Python) up to 2.7.13 is vulnerable to an integer overflow in the PyString_DecodeEscape function in stringobject.c, resulting in heap-based buffer overflow (and possible arbitrary code execution) Important CVE-2017-1000158 SUSE bug 1068664 SUSE Linux Enterprise Server 11 SP3-TERADATA Command injection in evince via filename when printing to PDF. This affects versions earlier than 3.25.91. Moderate CVE-2017-1000159 SUSE bug 1070046 SUSE Linux Enterprise Server 11 SP3-TERADATA All versions of the SDP server in BlueZ 5.46 and earlier are vulnerable to an information disclosure vulnerability which allows remote attackers to obtain sensitive information from the bluetoothd process memory. This vulnerability lies in the processing of SDP search attribute requests. Moderate CVE-2017-1000250 SUSE bug 1057342 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The native Bluetooth stack in the Linux Kernel (BlueZ), starting at the Linux kernel version 2.6.32 and up to and including 4.13.1, are vulnerable to a stack overflow vulnerability in the processing of L2CAP configuration responses resulting in Remote code execution in kernel space. Important CVE-2017-1000251 SUSE bug 1057389 SUSE bug 1057950 SUSE bug 1070535 SUSE bug 1120758 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Linux distributions that have not patched their long-term kernels with https://git.kernel.org/linus/a87938b2e246b81b4fb713edb371a9fa3c5c3c86 (committed on April 14, 2015). This kernel vulnerability was fixed in April 2015 by commit a87938b2e246b81b4fb713edb371a9fa3c5c3c86 (backported to Linux 3.10.77 in May 2015), but it was not recognized as a security threat. With CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE enabled, and a normal top-down address allocation strategy, load_elf_binary() will attempt to map a PIE binary into an address range immediately below mm->mmap_base. Unfortunately, load_elf_ binary() does not take account of the need to allocate sufficient space for the entire binary which means that, while the first PT_LOAD segment is mapped below mm->mmap_base, the subsequent PT_LOAD segment(s) end up being mapped above mm->mmap_base into the are that is supposed to be the "gap" between the stack and the binary. Important CVE-2017-1000253 SUSE bug 1059525 SUSE bug 1061680 SUSE bug 1075506 SUSE bug 1149729 SUSE Linux Enterprise Server 11 SP3-TERADATA libcurl may read outside of a heap allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the `PWD` command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses. Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path. A malicious server could abuse this fact and effectively prevent libcurl-based clients to work with it - the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault. The simple fact that this has issue remained undiscovered for this long could suggest that malformed PWD responses are rare in benign servers. We are not aware of any exploit of this flaw. This bug was introduced in commit [415d2e7cb7](https://github.com/curl/curl/commit/415d2e7cb7), March 2005. In libcurl version 7.56.0, the parser always zero terminates the string but also rejects it if not terminated properly with a final double quote. Low CVE-2017-1000254 SUSE bug 1061876 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Linux drivers/char/lp.c Out-of-Bounds Write. Due to a missing bounds check, and the fact that parport_ptr integer is static, a 'secure boot' kernel command line adversary (can happen due to bootloader vulns, e.g. Google Nexus 6's CVE-2016-10277, where due to a vulnerability the adversary has partial control over the command line) can overflow the parport_nr array in the following code, by appending many (>LP_NO) 'lp=none' arguments to the command line. Moderate CVE-2017-1000363 SUSE bug 1039456 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in the size of the stack guard page on Linux, specifically a 4k stack guard page is not sufficiently large and can be "jumped" over (the stack guard page is bypassed), this affects Linux Kernel versions 4.11.5 and earlier (the stackguard page was introduced in 2010). Important CVE-2017-1000364 SUSE bug 1035920 SUSE bug 1039346 SUSE bug 1039348 SUSE bug 1042200 SUSE bug 1044985 SUSE bug 1075506 SUSE bug 1077345 SUSE bug 1149726 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The Linux Kernel imposes a size restriction on the arguments and environmental strings passed through RLIMIT_STACK/RLIM_INFINITY (1/4 of the size), but does not take the argument and environment pointers into account, which allows attackers to bypass this limitation. This affects Linux Kernel versions 4.11.5 and earlier. It appears that this feature was introduced in the Linux Kernel version 2.6.23. Moderate CVE-2017-1000365 SUSE bug 1037551 SUSE bug 1039346 SUSE bug 1039349 SUSE bug 1039354 SUSE bug 1046527 SUSE bug 1054557 SUSE bug 1077345 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA glibc contains a vulnerability that allows specially crafted LD_LIBRARY_PATH values to manipulate the heap/stack, causing them to alias, potentially resulting in arbitrary code execution. Please note that additional hardening changes have been made to glibc to prevent manipulation of stack and heap memory but these issues are not directly exploitable, as such they have not been given a CVE. This affects glibc 2.25 and earlier. Important CVE-2017-1000366 SUSE bug 0 SUSE bug 1037551 SUSE bug 1039357 SUSE bug 1071319 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA libffi requests an executable stack allowing attackers to more easily trigger arbitrary code execution by overwriting the stack. Please note that libffi is used by a number of other libraries. It was previously stated that this affects libffi version 3.2.1 but this appears to be incorrect. libffi prior to version 3.1 on 32 bit x86 systems was vulnerable, and upstream is believed to have fixed this issue in version 3.1. Moderate CVE-2017-1000376 SUSE bug 1045091 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA sound/core/timer.c in the Linux kernel before 4.11.5 is vulnerable to a data race in the ALSA /dev/snd/timer driver resulting in local users being able to read information belonging to other users, i.e., uninitialized memory contents may be disclosed when a read and an ioctl happen at the same time. Moderate CVE-2017-1000380 SUSE bug 1044125 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The Linux Kernel 2.6.32 and later are affected by a denial of service, by flooding the diagnostic port 0x80 an exception can be triggered leading to a kernel panic. Moderate CVE-2017-1000407 SUSE bug 1071021 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick 7.0.7-1 and older version are vulnerable to null pointer dereference in the MagickCore component and might lead to denial of service Moderate CVE-2017-1000445 SUSE bug 1074425 SUSE Linux Enterprise Server 11 SP3-TERADATA freedesktop.org libpoppler 0.60.1 fails to validate boundaries in TextPool::addWord, leading to overflow in subsequent calculations. Important CVE-2017-1000456 SUSE bug 1074453 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS Cobbler version up to 2.8.2 is vulnerable to a command injection vulnerability in the "add repo" component resulting in arbitrary code execution as root user. Moderate CVE-2017-1000469 SUSE bug 1074594 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick 7.0.7-12 Q16, a CPU exhaustion vulnerability was found in the function ReadDDSInfo in coders/dds.c, which allows attackers to cause a denial of service. Moderate CVE-2017-1000476 SUSE bug 1074610 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). Moderate CVE-2017-10053 SUSE bug 1049305 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H). Important CVE-2017-10067 SUSE bug 1049306 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H). Important CVE-2017-10074 SUSE bug 1049307 SUSE bug 1049333 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N). Moderate CVE-2017-10081 SUSE bug 1049309 SUSE bug 1049333 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H). Important CVE-2017-10087 SUSE bug 1049311 SUSE bug 1049333 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE component of Oracle Java SE (subcomponent: ImageIO). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H). Important CVE-2017-10089 SUSE bug 1049312 SUSE bug 1049333 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 7u141 and 8u131; Java SE Embedded: 8u131. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H). Important CVE-2017-10090 SUSE bug 1049313 SUSE bug 1049333 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: JAXP). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H). Important CVE-2017-10096 SUSE bug 1049314 SUSE bug 1049333 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: JAXP). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H). Important CVE-2017-10101 SUSE bug 1049315 SUSE bug 1049333 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. While the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H). Critical CVE-2017-10102 SUSE bug 1049316 SUSE bug 1049333 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Deployment). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N). Moderate CVE-2017-10105 SUSE bug 1049317 SUSE bug 1049333 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H). Important CVE-2017-10107 SUSE bug 1049318 SUSE bug 1049333 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). Moderate CVE-2017-10108 SUSE bug 1049319 SUSE bug 1049333 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). Moderate CVE-2017-10109 SUSE bug 1049320 SUSE bug 1049333 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE component of Oracle Java SE (subcomponent: AWT). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H). Important CVE-2017-10110 SUSE bug 1049321 SUSE bug 1049333 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). The supported version that is affected is Java SE: 8u131; Java SE Embedded: 8u131. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H). Important CVE-2017-10111 SUSE bug 1049322 SUSE bug 1049333 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JCE). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE, Java SE Embedded, JRockit accessible data. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). Important CVE-2017-10115 SUSE bug 1049324 SUSE bug 1049333 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, JRockit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H). Important CVE-2017-10116 SUSE bug 1049325 SUSE bug 1049333 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Deployment). Supported versions that are affected are Java SE: 7u141 and 8u131. Difficult to exploit vulnerability allows physical access to compromise Java SE. While the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. Note: Applies to deployment of Java where the Java Auto Update is enabled. CVSS 3.0 Base Score 7.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H). Important CVE-2017-10125 SUSE bug 1049327 SUSE bug 1049333 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JAX-WS). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded, JRockit accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 6.5 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L). Moderate CVE-2017-10243 SUSE bug 1049332 SUSE bug 1049333 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.19 and earlier. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data. CVSS 3.0 Base Score 4.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N). Moderate CVE-2017-10268 SUSE bug 1064101 SUSE bug 1064119 SUSE bug 1076505 SUSE bug 1076506 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). Moderate CVE-2017-10281 SUSE bug 1064072 SUSE bug 1070162 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H). Important CVE-2017-10285 SUSE bug 1064073 SUSE bug 1070162 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Javadoc). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE accessible data as well as unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). Moderate CVE-2017-10293 SUSE bug 1064074 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Java SE, Java SE Embedded, JRockit. While the vulnerability is in Java SE, Java SE Embedded, JRockit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded, JRockit accessible data. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 4.0 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N). Moderate CVE-2017-10295 SUSE bug 1064075 SUSE bug 1070162 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L). Low CVE-2017-10345 SUSE bug 1064077 SUSE bug 1070162 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H). Important CVE-2017-10346 SUSE bug 1064078 SUSE bug 1070162 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). Moderate CVE-2017-10347 SUSE bug 1064079 SUSE bug 1070162 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). Moderate CVE-2017-10348 SUSE bug 1064080 SUSE bug 1070162 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: JAXP). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). Moderate CVE-2017-10349 SUSE bug 1064081 SUSE bug 1070162 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: JAX-WS). Supported versions that are affected are Java SE: 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). Moderate CVE-2017-10350 SUSE bug 1064082 SUSE bug 1070162 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). Moderate CVE-2017-10355 SUSE bug 1064083 SUSE bug 1070162 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Java SE, Java SE Embedded, JRockit executes to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE, Java SE Embedded, JRockit accessible data. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 6.2 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). Moderate CVE-2017-10356 SUSE bug 1064084 SUSE bug 1070162 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). Moderate CVE-2017-10357 SUSE bug 1064085 SUSE bug 1070162 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). Moderate CVE-2017-10378 SUSE bug 1064115 SUSE bug 1064119 SUSE bug 1076505 SUSE bug 1076506 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.19 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data. CVSS 3.0 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). Moderate CVE-2017-10379 SUSE bug 1064116 SUSE bug 1064119 SUSE bug 1076506 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.5.57 and earlier 5.6.37 and earlier 5.7.19 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). Moderate CVE-2017-10384 SUSE bug 1064117 SUSE bug 1064119 SUSE bug 1076506 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Kerberos to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: Applies to the Java SE Kerberos client. CVSS 3.0 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H). Moderate CVE-2017-10388 SUSE bug 1064086 SUSE bug 1070162 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Race condition in fs/timerfd.c in the Linux kernel before 4.10.15 allows local users to gain privileges or cause a denial of service (list corruption or use-after-free) via simultaneous file-descriptor operations that leverage improper might_cancel queueing. Important CVE-2017-10661 SUSE bug 1053152 SUSE bug 1053153 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA qemu-nbd in QEMU (aka Quick Emulator) does not ignore SIGPIPE, which allows remote attackers to cause a denial of service (daemon crash) by disconnecting during a server-to-client reply attempt. Moderate CVE-2017-10664 SUSE bug 1046636 SUSE bug 1046637 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free in the XML-LibXML module through 2.0129 for Perl allows remote attackers to execute arbitrary code by controlling the arguments to a replaceChild call. Important CVE-2017-10672 SUSE bug 1046848 SUSE bug 1069732 SUSE Linux Enterprise Server 11 SP3-TERADATA In ncurses 6.0, there is a stack-based buffer overflow in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack. Moderate CVE-2017-10684 SUSE bug 1046858 SUSE bug 1115932 SUSE Linux Enterprise Server 11 SP3-TERADATA In ncurses 6.0, there is a format string vulnerability in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack. Moderate CVE-2017-10685 SUSE bug 1046853 SUSE bug 1115932 SUSE Linux Enterprise Server 11 SP3-TERADATA The DBD::mysql module through 4.043 for Perl allows remote attackers to cause a denial of service (use-after-free and application crash) or possibly have unspecified other impact by triggering (1) certain error responses from a MySQL server or (2) a loss of a network connection to a MySQL server. The use-after-free defect was introduced by relying on incorrect Oracle mysql_stmt_close documentation and code examples. Moderate CVE-2017-10788 SUSE bug 1047095 SUSE Linux Enterprise Server 11 SP3-TERADATA The DBD::mysql module through 4.043 for Perl uses the mysql_ssl=1 setting to mean that SSL is optional (even though this setting's documentation has a "your communication with the server will be encrypted" statement), which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, a related issue to CVE-2015-3152. Moderate CVE-2017-10789 SUSE bug 1047059 SUSE bug 924663 SUSE bug 928962 SUSE Linux Enterprise Server 11 SP3-TERADATA The _asn1_check_identifier function in GNU Libtasn1 through 4.12 causes a NULL pointer dereference and crash when reading crafted input that triggers assignment of a NULL value within an asn1_node structure. It may lead to a remote denial of service attack. Moderate CVE-2017-10790 SUSE bug 1047002 SUSE bug 1047453 SUSE Linux Enterprise Server 11 SP3-TERADATA When GraphicsMagick 1.3.25 processes a MATLAB image in coders/mat.c, it can lead to a denial of service (OOM) in ReadMATImage() if the size specified for a MAT Object is larger than the actual amount of data. Moderate CVE-2017-10800 SUSE bug 1047044 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Stack-based buffer overflow in hw/usb/redirect.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (QEMU process crash) via vectors related to logging debug messages. Moderate CVE-2017-10806 SUSE bug 1047674 SUSE bug 1047675 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.6-0, a heap-based buffer over-read in the GetNextToken function in token.c allows remote attackers to obtain sensitive information from process memory or possibly have unspecified other impact via a crafted SVG document that is mishandled in the GetUserSpaceCoordinateValue function in coders/svg.c. Moderate CVE-2017-10928 SUSE bug 1047356 SUSE bug 1047359 SUSE bug 1056277 SUSE bug 1060176 SUSE bug 1096261 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA In the X.Org X server before 2017-06-19, a user authenticated to an X Session could crash or execute code in the context of the X Server by exploiting a stack overflow in the endianness conversion of X Events. Moderate CVE-2017-10971 SUSE bug 1035283 SUSE bug 1047730 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Uninitialized data in endianness conversion in the XEvent handling of the X.Org X Server before 2017-06-19 allowed authenticated malicious users to access potentially privileged data from the X server. Moderate CVE-2017-10972 SUSE bug 1035283 SUSE bug 1047730 SUSE Linux Enterprise Server 11 SP3-TERADATA An FR-GV-201 issue in FreeRADIUS 2.x before 2.2.10 and 3.x before 3.0.15 allows "Read / write overflow in make_secret()" and a denial of service. Important CVE-2017-10978 SUSE bug 1049086 SUSE Linux Enterprise Server 11 SP3-TERADATA An FR-GV-202 issue in FreeRADIUS 2.x before 2.2.10 allows "Write overflow in rad_coalesce()" - this allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code. Important CVE-2017-10979 SUSE bug 1049086 SUSE Linux Enterprise Server 11 SP3-TERADATA An FR-GV-204 issue in FreeRADIUS 2.x before 2.2.10 allows "DHCP - Memory leak in fr_dhcp_decode()" and a denial of service. Important CVE-2017-10981 SUSE bug 1049086 SUSE Linux Enterprise Server 11 SP3-TERADATA An FR-GV-205 issue in FreeRADIUS 2.x before 2.2.10 allows "DHCP - Buffer over-read in fr_dhcp_decode_options()" and a denial of service. Important CVE-2017-10982 SUSE bug 1049086 SUSE Linux Enterprise Server 11 SP3-TERADATA An FR-GV-206 issue in FreeRADIUS 2.x before 2.2.10 and 3.x before 3.0.15 allows "DHCP - Read overflow when decoding option 63" and a denial of service. Important CVE-2017-10983 SUSE bug 1049086 SUSE Linux Enterprise Server 11 SP3-TERADATA The getNodeSize function in ext/rtree/rtree.c in SQLite through 3.19.3, as used in GDAL and other products, mishandles undersized RTree blobs in a crafted database, leading to a heap-based buffer over-read or possibly unspecified other impact. Moderate CVE-2017-10989 SUSE bug 1131919 SUSE bug 1132045 SUSE Linux Enterprise Server 11 SP3-TERADATA The mng_get_long function in coders/png.c in ImageMagick 7.0.6-0 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted MNG image. Moderate CVE-2017-10995 SUSE bug 1047908 SUSE Linux Enterprise Server 11 SP3-TERADATA tcpdump 4.9.0 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via crafted packet data. The crash occurs in the EXTRACT_16BITS function, called from the stp_print function for the Spanning Tree Protocol. Moderate CVE-2017-11108 SUSE bug 1047873 SUSE bug 1057247 SUSE bug 1123142 SUSE Linux Enterprise Server 11 SP3-TERADATA In ncurses 6.0, there is an attempted 0xffffffffffffffff access in the append_acs function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data. Moderate CVE-2017-11112 SUSE bug 1046853 SUSE bug 1047964 SUSE Linux Enterprise Server 11 SP3-TERADATA In ncurses 6.0, there is a NULL Pointer Dereference in the _nc_parse_entry function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data. Moderate CVE-2017-11113 SUSE bug 1046853 SUSE bug 1047965 SUSE Linux Enterprise Server 11 SP3-TERADATA The ReadMATImage function in coders\mat.c in ImageMagick 7.0.5-6 has a memory leak vulnerability that can cause memory exhaustion via a crafted MAT file, related to incorrect ordering of a SetImageExtent call. Moderate CVE-2017-11141 SUSE bug 1047898 SUSE Linux Enterprise Server 11 SP3-TERADATA In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, the openssl extension PEM sealing code did not check the return value of the OpenSSL sealing function, which could lead to a crash of the PHP interpreter, related to an interpretation conflict for a negative number in ext/openssl/openssl.c, and an OpenSSL documentation omission. Moderate CVE-2017-11144 SUSE bug 1048096 SUSE Linux Enterprise Server 11 SP3-TERADATA In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, an error in the date extension's timelib_meridian parsing code could be used by attackers able to supply date strings to leak information from the interpreter, related to ext/date/lib/parse_date.c out-of-bounds reads affecting the php_parse_date function. NOTE: the correct fix is in the e8b7698f5ee757ce2c8bd10a192a491a498f891c commit, not the bd77ac90d3bdf31ce2a5251ad92e9e75 gist. Moderate CVE-2017-11145 SUSE bug 1048111 SUSE bug 1048112 SUSE bug 1067441 SUSE Linux Enterprise Server 11 SP3-TERADATA ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not an independently fixable security issue relative to CVE-2017-11145. Notes: none. Moderate CVE-2017-11146 SUSE bug 1048111 SUSE bug 1048112 SUSE Linux Enterprise Server 11 SP3-TERADATA In PHP before 5.6.30 and 7.x before 7.0.15, the PHAR archive handler could be used by attackers supplying malicious archive files to crash the PHP interpreter or potentially disclose information due to a buffer over-read in the phar_parse_pharfile function in ext/phar/phar.c. Moderate CVE-2017-11147 SUSE bug 1048094 SUSE Linux Enterprise Server 11 SP3-TERADATA The ReadXWDImage function in coders\xwd.c in ImageMagick 7.0.5-6 has a memory leak vulnerability that can cause memory exhaustion via a crafted length (number of color-map entries) field in the header of an XWD file. Moderate CVE-2017-11166 SUSE bug 1048110 SUSE Linux Enterprise Server 11 SP3-TERADATA Bad reference counting in the context of accept_ice_connection() in gsm-xsmp-server.c in old versions of gnome-session up until version 2.29.92 allows a local attacker to establish ICE connections to gnome-session with invalid authentication data (an invalid magic cookie). Each failed authentication attempt will leak a file descriptor in gnome-session. When the maximum number of file descriptors is exhausted in the gnome-session process, it will enter an infinite loop trying to communicate without success, consuming 100% of the CPU. The graphical session associated with the gnome-session process will stop working correctly, because communication with gnome-session is no longer possible. Moderate CVE-2017-11171 SUSE bug 1025068 SUSE bug 1048274 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact. Important CVE-2017-11176 SUSE bug 1048275 SUSE Linux Enterprise Server 11 SP3-TERADATA The gmp plugin in strongSwan before 5.6.0 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted RSA signature. Moderate CVE-2017-11185 SUSE bug 1051222 SUSE bug 1107874 SUSE Linux Enterprise Server 11 SP3-TERADATA The ReadDPXImage function in coders\dpx.c in ImageMagick 7.0.6-0 has a large loop vulnerability that can cause CPU exhaustion via a crafted DPX file, related to lack of an EOF check. Moderate CVE-2017-11188 SUSE bug 1048457 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The address_space_write_continue function in exec.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (out-of-bounds access and guest instance crash) by leveraging use of qemu_map_ram_ptr to access guest ram block area. Moderate CVE-2017-11334 SUSE bug 1048902 SUSE bug 1048920 SUSE Linux Enterprise Server 11 SP3-TERADATA There is a heap based buffer overflow in tools/tiff2pdf.c of LibTIFF 4.0.8 via a PlanarConfig=Contig image, which causes a more than one hundred bytes out-of-bounds write (related to the ZIPDecode function in tif_zip.c). A crafted input may lead to a remote denial of service attack or an arbitrary code execution attack. Important CVE-2017-11335 SUSE bug 1048937 SUSE Linux Enterprise Server 11 SP3-TERADATA In MIT Kerberos 5 (aka krb5) 1.7 and later, an authenticated attacker can cause a KDC assertion failure by sending invalid S4U2Self or S4U2Proxy requests. Moderate CVE-2017-11368 SUSE bug 1049819 SUSE Linux Enterprise Server 11 SP3-TERADATA The ReadMNGImage function in coders/png.c in GraphicsMagick 1.3.26 has an out-of-order CloseBlob call, resulting in a use-after-free via a crafted file. Important CVE-2017-11403 SUSE bug 1049072 SUSE bug 1053809 SUSE bug 1053919 SUSE bug 1054600 SUSE bug 1057000 SUSE bug 1084062 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.2.0 to 2.2.7 and 2.0.0 to 2.0.13, the DOCSIS dissector could go into an infinite loop. This was addressed in plugins/docsis/packet-docsis.c by rejecting invalid Frame Control parameter values. Moderate CVE-2017-11406 SUSE bug 1049255 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.2.0 to 2.2.7 and 2.0.0 to 2.0.13, the MQ dissector could crash. This was addressed in epan/dissectors/packet-mq.c by validating the fragment length before a reassembly attempt. Moderate CVE-2017-11407 SUSE bug 1049255 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.2.0 to 2.2.7 and 2.0.0 to 2.0.13, the AMQP dissector could crash. This was addressed in epan/dissectors/packet-amqp.c by checking for successful list dissection. Moderate CVE-2017-11408 SUSE bug 1049255 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark through 2.0.13 and 2.2.x through 2.2.7, the WBXML dissector could go into an infinite loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-wbxml.c by adding validation of the relationships between indexes and lengths. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-7702. Moderate CVE-2017-11410 SUSE bug 1033938 SUSE bug 1049255 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark through 2.0.13 and 2.2.x through 2.2.7, the openSAFETY dissector could crash or exhaust system memory. This was addressed in epan/dissectors/packet-opensafety.c by adding length validation. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-9350. Important CVE-2017-11411 SUSE bug 1049255 SUSE bug 1049621 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The cabd_read_string function in mspack/cabd.c in libmspack 0.5alpha, as used in ClamAV 0.99.2 and other products, allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) via a crafted CAB file. Moderate CVE-2017-11423 SUSE bug 1049423 SUSE bug 1083915 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The dhcp_decode function in slirp/bootp.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (out-of-bounds read and QEMU process crash) via a crafted DHCP options string. Important CVE-2017-11434 SUSE bug 1049381 SUSE bug 1049578 SUSE Linux Enterprise Server 11 SP3-TERADATA The ReadJPEGImage function in coders/jpeg.c in ImageMagick before 7.0.6-1 allows remote attackers to obtain sensitive information from uninitialized memory locations via a crafted file. Moderate CVE-2017-11448 SUSE bug 1049375 SUSE Linux Enterprise Server 11 SP3-TERADATA coders/mpc.c in ImageMagick before 7.0.6-1 does not enable seekable streams and thus cannot validate blob sizes, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an image received from stdin. Moderate CVE-2017-11449 SUSE bug 1049373 SUSE Linux Enterprise Server 11 SP3-TERADATA coders/jpeg.c in ImageMagick before 7.0.6-1 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via JPEG data that is too short. Moderate CVE-2017-11450 SUSE bug 1049374 SUSE Linux Enterprise Server 11 SP3-TERADATA Double free vulnerability in MIT Kerberos 5 (aka krb5) allows attackers to have unspecified impact via vectors involving automatic deletion of security contexts on error. Moderate CVE-2017-11462 SUSE bug 1056995 SUSE bug 1122468 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in the mp_override_legacy_irq() function in arch/x86/kernel/acpi/boot.c in the Linux kernel through 4.12.2 allows local users to gain privileges via a crafted ACPI table. Moderate CVE-2017-11473 SUSE bug 1049603 SUSE bug 1061680 SUSE bug 1087082 SUSE Linux Enterprise Server 11 SP3-TERADATA The ReadOneDJVUImage function in coders/djvu.c in ImageMagick through 6.9.9-0 and 7.x through 7.0.6-1 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a malformed DJVU image. Important CVE-2017-11478 SUSE bug 1049796 SUSE Linux Enterprise Server 11 SP3-TERADATA The ReadOneJNGImage function in coders/png.c in ImageMagick through 6.9.9-0 and 7.x through 7.0.6-1 allows remote attackers to cause a denial of service (large loop and CPU consumption) via a malformed JNG file. Moderate CVE-2017-11505 SUSE bug 1050072 SUSE bug 1050100 SUSE Linux Enterprise Server 11 SP3-TERADATA The WriteBlob function in MagickCore/blob.c in ImageMagick before 6.9.8-10 and 7.x before 7.6.0-0 allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted file. Important CVE-2017-11524 SUSE bug 1050087 SUSE Linux Enterprise Server 11 SP3-TERADATA The ReadCINImage function in coders/cin.c in ImageMagick before 6.9.9-0 and 7.x before 7.0.6-1 allows remote attackers to cause a denial of service (memory consumption) via a crafted file. Moderate CVE-2017-11525 SUSE bug 1050098 SUSE Linux Enterprise Server 11 SP3-TERADATA The ReadOneMNGImage function in coders/png.c in ImageMagick before 6.9.9-0 and 7.x before 7.0.6-1 allows remote attackers to cause a denial of service (large loop and CPU consumption) via a crafted file. Moderate CVE-2017-11526 SUSE bug 1050072 SUSE bug 1050100 SUSE Linux Enterprise Server 11 SP3-TERADATA The ReadDPXImage function in coders/dpx.c in ImageMagick before 6.9.9-0 and 7.x before 7.0.6-1 allows remote attackers to cause a denial of service (memory consumption) via a crafted file. Moderate CVE-2017-11527 SUSE bug 1050116 SUSE Linux Enterprise Server 11 SP3-TERADATA The ReadDIBImage function in coders/dib.c in ImageMagick before 6.9.9-0 and 7.x before 7.0.6-1 allows remote attackers to cause a denial of service (memory leak) via a crafted file. Moderate CVE-2017-11528 SUSE bug 1050119 SUSE Linux Enterprise Server 11 SP3-TERADATA The ReadMATImage function in coders/mat.c in ImageMagick before 6.9.9-0 and 7.x before 7.0.6-1 allows remote attackers to cause a denial of service (memory leak) via a crafted file. Moderate CVE-2017-11529 SUSE bug 1050120 SUSE Linux Enterprise Server 11 SP3-TERADATA The ReadEPTImage function in coders/ept.c in ImageMagick before 6.9.9-0 and 7.x before 7.0.6-1 allows remote attackers to cause a denial of service (memory consumption) via a crafted file. Moderate CVE-2017-11530 SUSE bug 1050122 SUSE Linux Enterprise Server 11 SP3-TERADATA When ImageMagick 7.0.6-1 processes a crafted file in convert, it can lead to a Memory Leak in the WriteMPCImage() function in coders/mpc.c. Moderate CVE-2017-11532 SUSE bug 1050129 SUSE bug 1050623 SUSE Linux Enterprise Server 11 SP3-TERADATA When ImageMagick 7.0.6-1 processes a crafted file in convert, it can lead to a heap-based buffer over-read in the WriteUILImage() function in coders/uil.c. Moderate CVE-2017-11533 SUSE bug 1050132 SUSE Linux Enterprise Server 11 SP3-TERADATA When ImageMagick 7.0.6-1 processes a crafted file in convert, it can lead to a Memory Leak in the lite_font_map() function in coders/wmf.c. Moderate CVE-2017-11534 SUSE bug 1050135 SUSE Linux Enterprise Server 11 SP3-TERADATA When ImageMagick 7.0.6-1 processes a crafted file in convert, it can lead to a heap-based buffer over-read in the WritePSImage() function in coders/ps.c. Important CVE-2017-11535 SUSE bug 1050139 SUSE Linux Enterprise Server 11 SP3-TERADATA When ImageMagick 7.0.6-1 processes a crafted file in convert, it can lead to a Floating Point Exception (FPE) in the WritePALMImage() function in coders/palm.c, related to an incorrect bits-per-pixel calculation. Important CVE-2017-11537 SUSE bug 1050048 SUSE Linux Enterprise Server 11 SP3-TERADATA When ImageMagick 7.0.6-1 processes a crafted file in convert, it can lead to a Memory Leak in the ReadOnePNGImage() function in coders/png.c. Important CVE-2017-11539 SUSE bug 1050037 SUSE Linux Enterprise Server 11 SP3-TERADATA tcpdump 4.9.0 has a heap-based buffer over-read in the lldp_print function in print-lldp.c, related to util-print.c. Moderate CVE-2017-11541 SUSE bug 1050219 SUSE bug 1050222 SUSE bug 1050225 SUSE bug 1057247 SUSE bug 1123142 SUSE Linux Enterprise Server 11 SP3-TERADATA tcpdump 4.9.0 has a heap-based buffer over-read in the pimv1_print function in print-pim.c. Moderate CVE-2017-11542 SUSE bug 1050219 SUSE bug 1050222 SUSE bug 1050225 SUSE bug 1057247 SUSE bug 1123142 SUSE Linux Enterprise Server 11 SP3-TERADATA tcpdump 4.9.0 has a buffer overflow in the sliplink_print function in print-sl.c. Moderate CVE-2017-11543 SUSE bug 1050219 SUSE bug 1050222 SUSE bug 1050225 SUSE bug 1057247 SUSE bug 1123142 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA net/xfrm/xfrm_policy.c in the Linux kernel through 4.12.3, when CONFIG_XFRM_MIGRATE is enabled, does not ensure that the dir value of xfrm_userpolicy_id is XFRM_POLICY_MAX or less, which allows local users to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via an XFRM_MSG_MIGRATE xfrm Netlink message. Important CVE-2017-11600 SUSE bug 1050231 SUSE bug 1096564 SUSE Linux Enterprise Server 11 SP3-TERADATA In LibTIFF 4.0.8, there is a denial of service vulnerability in the TIFFOpen function. A crafted input will lead to a denial of service attack. During the TIFFOpen process, td_imagelength is not checked. The value of td_imagelength can be directly controlled by an input file. In the ChopUpSingleUncompressedStrip function, the _TIFFCheckMalloc function is called based on td_imagelength. If we set the value of td_imagelength close to the amount of system memory, it will hang the system or trigger the OOM killer. Low CVE-2017-11613 SUSE bug 1082332 SUSE bug 1106853 SUSE Linux Enterprise Server 11 SP3-TERADATA In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, a stack-based buffer overflow in the zend_ini_do_op() function in Zend/zend_ini_parser.c could cause a denial of service or potentially allow executing code. NOTE: this is only relevant for PHP applications that accept untrusted input (instead of the system's php.ini file) for the parse_ini_string or parse_ini_file function, e.g., a web application for syntax validation of php.ini directives. Important CVE-2017-11628 SUSE bug 1050726 SUSE Linux Enterprise Server 11 SP3-TERADATA GraphicsMagick 1.3.26 has a NULL pointer dereference in the WritePCLImage() function in coders/pcl.c during writes of monochrome images. Important CVE-2017-11637 SUSE bug 1050669 SUSE Linux Enterprise Server 11 SP3-TERADATA GraphicsMagick 1.3.26 has a segmentation violation in the WriteMAPImage() function in coders/map.c when processing a non-colormapped image, a different vulnerability than CVE-2017-11642. Important CVE-2017-11638 SUSE bug 1050617 SUSE Linux Enterprise Server 11 SP3-TERADATA When ImageMagick 7.0.6-1 processes a crafted file in convert, it can lead to a heap-based buffer over-read in the WriteCIPImage() function in coders/cip.c, related to the GetPixelLuma function in MagickCore/pixel-accessor.h. Moderate CVE-2017-11639 SUSE bug 1050635 SUSE Linux Enterprise Server 11 SP3-TERADATA When ImageMagick 7.0.6-1 processes a crafted file in convert, it can lead to an address access exception in the WritePTIFImage() function in coders/tiff.c. Important CVE-2017-11640 SUSE bug 1050632 SUSE Linux Enterprise Server 11 SP3-TERADATA GraphicsMagick 1.3.26 has a NULL pointer dereference in the WriteMAPImage() function in coders/map.c when processing a non-colormapped image, a different vulnerability than CVE-2017-11638. Important CVE-2017-11642 SUSE bug 1050617 SUSE Linux Enterprise Server 11 SP3-TERADATA When ImageMagick 7.0.6-1 processes a crafted file in convert, it can lead to a Memory Leak in the ReadMATImage() function in coders/mat.c. Moderate CVE-2017-11644 SUSE bug 1050606 SUSE Linux Enterprise Server 11 SP3-TERADATA Under certain circumstances, the ix86_expand_builtin function in i386.c in GNU Compiler Collection (GCC) version 4.6, 4.7, 4.8, 4.9, 5 before 5.5, and 6 before 6.4 will generate instruction sequences that clobber the status flag of the RDRAND and RDSEED intrinsics before it can be read, potentially causing failures of these instructions to go unreported. This could potentially lead to less randomness in random number generation. Moderate CVE-2017-11671 SUSE bug 1050947 SUSE Linux Enterprise Server 11 SP3-TERADATA psi/ztoken.c in Artifex Ghostscript 9.21 mishandles references to the scanner state structure, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted PostScript document, related to an out-of-bounds read in the igc_reloc_struct_ptr function in psi/igc.c. Important CVE-2017-11714 SUSE bug 1051184 SUSE Linux Enterprise Server 11 SP3-TERADATA The ReadMATImage function in coders/mat.c in ImageMagick through 6.9.9-3 and 7.x through 7.0.6-3 has memory leaks involving the quantum_info and clone_info data structures. Important CVE-2017-11724 SUSE bug 1051446 SUSE Linux Enterprise Server 11 SP3-TERADATA The ReadOneJNGImage function in coders/png.c in ImageMagick 6.9.9-4 and 7.0.6-4 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file. Important CVE-2017-11750 SUSE bug 1047910 SUSE bug 1051442 SUSE Linux Enterprise Server 11 SP3-TERADATA The WritePICONImage function in coders/xpm.c in ImageMagick 7.0.6-4 allows remote attackers to cause a denial of service (memory leak) via a crafted file. Important CVE-2017-11751 SUSE bug 1051412 SUSE bug 1051416 SUSE bug 1051430 SUSE Linux Enterprise Server 11 SP3-TERADATA The ReadMAGICKImage function in coders/magick.c in ImageMagick 7.0.6-4 allows remote attackers to cause a denial of service (memory leak) via a crafted file. Important CVE-2017-11752 SUSE bug 1051441 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation. Low CVE-2017-12132 SUSE bug 1051791 SUSE bug 1089314 SUSE Linux Enterprise Server 11 SP3-TERADATA Use-after-free vulnerability in the clntudp_call function in sunrpc/clnt_udp.c in the GNU C Library (aka glibc or libc6) before 2.26 allows remote attackers to have unspecified impact via vectors related to error path. Moderate CVE-2017-12133 SUSE bug 1081556 SUSE bug 1089314 SUSE bug 980854 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Xen allows local OS guest users to cause a denial of service (crash) or possibly obtain sensitive information or gain privileges via vectors involving transitive grants. Important CVE-2017-12135 SUSE bug 1051787 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA arch/x86/mm.c in Xen allows local PV guest OS users to gain host OS privileges via vectors related to map_grant_ref. Important CVE-2017-12137 SUSE bug 1051788 SUSE Linux Enterprise Server 11 SP3-TERADATA The ReadDCMImage function in coders\dcm.c in ImageMagick 7.0.6-1 has an integer signedness error leading to excessive memory consumption via a crafted DCM file. Important CVE-2017-12140 SUSE bug 1051847 SUSE bug 1052764 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA It was found that samba before 4.4.16, 4.5.x before 4.5.14, and 4.6.x before 4.6.8 did not enforce "SMB signing" when certain configuration options were enabled. A remote attacker could launch a man-in-the-middle attack and retrieve information in plain-text. Important CVE-2017-12150 SUSE bug 1058622 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An information leak flaw was found in the way SMB1 protocol was implemented by Samba before 4.4.16, 4.5.x before 4.5.14, and 4.6.x before 4.6.8. A malicious client could use this flaw to dump server memory contents to a file on the samba share or to a shared printer, though the exact area of server memory cannot be controlled by the attacker. Moderate CVE-2017-12163 SUSE bug 1058410 SUSE bug 1058624 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA OpenVPN versions before 2.3.3 and 2.4.x before 2.4.4 are vulnerable to a buffer overflow vulnerability when key-method 1 is used, possibly resulting in code execution. Critical CVE-2017-12166 SUSE bug 1060877 SUSE Linux Enterprise Server 11 SP3-TERADATA PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10, 9.4.x before 9.4.15, 9.3.x before 9.3.20, and 9.2.x before 9.2.24 runs under a non-root operating system account, and database superusers have effective ability to run arbitrary code under that system account. PostgreSQL provides a script for starting the database server during system boot. Packages of PostgreSQL for many operating systems provide their own, packager-authored startup implementations. Several implementations use a log file name that the database superuser can replace with a symbolic link. As root, they open(), chmod() and/or chown() this log file name. This often suffices for the database superuser to escalate to root privileges when root starts the server. Important CVE-2017-12172 SUSE bug 1062538 SUSE bug 1062722 SUSE Linux Enterprise Server 11 SP3-TERADATA xorg-x11-server before 1.19.5 was missing extra length validation in ProcEstablishConnection function allowing malicious X client to cause X server to crash or possibly execute arbitrary code. Moderate CVE-2017-12176 SUSE bug 1063041 SUSE Linux Enterprise Server 11 SP3-TERADATA xorg-x11-server before 1.19.5 was vulnerable to integer overflow in ProcDbeGetVisualInfo function allowing malicious X client to cause X server to crash or possibly execute arbitrary code. Moderate CVE-2017-12177 SUSE bug 1063040 SUSE Linux Enterprise Server 11 SP3-TERADATA xorg-x11-server before 1.19.5 had wrong extra length check in ProcXIChangeHierarchy function allowing malicious X client to cause X server to crash or possibly execute arbitrary code. Moderate CVE-2017-12178 SUSE bug 1063039 SUSE Linux Enterprise Server 11 SP3-TERADATA xorg-x11-server before 1.19.5 was vulnerable to integer overflow in (S)ProcXIBarrierReleasePointer functions allowing malicious X client to cause X server to crash or possibly execute arbitrary code. Moderate CVE-2017-12179 SUSE bug 1063038 SUSE Linux Enterprise Server 11 SP3-TERADATA xorg-x11-server before 1.19.5 was missing length validation in XFree86 VidModeExtension allowing malicious X client to cause X server to crash or possibly execute arbitrary code. Moderate CVE-2017-12180 SUSE bug 1063037 SUSE Linux Enterprise Server 11 SP3-TERADATA xorg-x11-server before 1.19.5 was missing length validation in XFree86 DGA extension allowing malicious X client to cause X server to crash or possibly execute arbitrary code. Moderate CVE-2017-12181 SUSE bug 1063037 SUSE Linux Enterprise Server 11 SP3-TERADATA xorg-x11-server before 1.19.5 was missing length validation in XFree86 DRI extension allowing malicious X client to cause X server to crash or possibly execute arbitrary code. Moderate CVE-2017-12182 SUSE bug 1063037 SUSE Linux Enterprise Server 11 SP3-TERADATA xorg-x11-server before 1.19.5 was missing length validation in XFIXES extension allowing malicious X client to cause X server to crash or possibly execute arbitrary code. Moderate CVE-2017-12183 SUSE bug 1063035 SUSE Linux Enterprise Server 11 SP3-TERADATA xorg-x11-server before 1.19.5 was missing length validation in XINERAMA extension allowing malicious X client to cause X server to crash or possibly execute arbitrary code. Moderate CVE-2017-12184 SUSE bug 1063034 SUSE Linux Enterprise Server 11 SP3-TERADATA xorg-x11-server before 1.19.5 was missing length validation in MIT-SCREEN-SAVER extension allowing malicious X client to cause X server to crash or possibly execute arbitrary code. Moderate CVE-2017-12185 SUSE bug 1063034 SUSE Linux Enterprise Server 11 SP3-TERADATA xorg-x11-server before 1.19.5 was missing length validation in X-Resource extension allowing malicious X client to cause X server to crash or possibly execute arbitrary code. Moderate CVE-2017-12186 SUSE bug 1063034 SUSE Linux Enterprise Server 11 SP3-TERADATA xorg-x11-server before 1.19.5 was missing length validation in RENDER extension allowing malicious X client to cause X server to crash or possibly execute arbitrary code. Moderate CVE-2017-12187 SUSE bug 1063034 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The bio_map_user_iov and bio_unmap_user functions in block/bio.c in the Linux kernel before 4.13.8 do unbalanced refcounting when a SCSI I/O vector has small consecutive buffers belonging to the same page. The bio_add_pc_page function merges them into one, but the page reference is never dropped. This causes a memory leak and possible system lockup (exploitable against the host OS by a guest OS user, if a SCSI disk is passed through to a virtual machine) due to an out-of-memory condition. Moderate CVE-2017-12190 SUSE bug 1062568 SUSE bug 1091815 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to a lack of input validation checking mechanisms during certain mail parsing operations (mbox.c operations on bounce messages). If successfully exploited, the ClamAV software could allow a variable pointing to the mail body which could cause a used after being free (use-after-free) instance which may lead to a disruption of services on an affected device to include a denial of service condition. Important CVE-2017-12374 SUSE bug 1077732 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to a lack of input validation checking mechanisms during certain mail parsing functions (the rfc2047 function in mbox.c). An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted email to the affected device. This action could cause a buffer overflow condition when ClamAV scans the malicious email, allowing the attacker to potentially cause a DoS condition on an affected device. Important CVE-2017-12375 SUSE bug 1077732 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or potentially execute arbitrary code on an affected device. The vulnerability is due to improper input validation checking mechanisms when handling Portable Document Format (.pdf) files sent to an affected device. An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted .pdf file to an affected device. This action could cause a handle_pdfname (in pdf.c) buffer overflow when ClamAV scans the malicious file, allowing the attacker to cause a DoS condition or potentially execute arbitrary code. Important CVE-2017-12376 SUSE bug 1077732 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or potentially execute arbitrary code on an affected device. The vulnerability is due to improper input validation checking mechanisms in mew packet files sent to an affected device. A successful exploit could cause a heap-based buffer over-read condition in mew.c when ClamAV scans the malicious file, allowing the attacker to cause a DoS condition or potentially execute arbitrary code on the affected device. Important CVE-2017-12377 SUSE bug 1077732 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to improper input validation checking mechanisms of .tar (Tape Archive) files sent to an affected device. A successful exploit could cause a checksum buffer over-read condition when ClamAV scans the malicious .tar file, potentially allowing the attacker to cause a DoS condition on the affected device. Important CVE-2017-12378 SUSE bug 1077732 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or potentially execute arbitrary code on an affected device. The vulnerability is due to improper input validation checking mechanisms in the message parsing function on an affected system. An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted email to the affected device. This action could cause a messageAddArgument (in message.c) buffer overflow condition when ClamAV scans the malicious email, allowing the attacker to potentially cause a DoS condition or execute arbitrary code on an affected device. Important CVE-2017-12379 SUSE bug 1077732 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to improper input validation checking mechanisms in mbox.c during certain mail parsing functions of the ClamAV software. An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted email to the affected device. An exploit could trigger a NULL pointer dereference condition when ClamAV scans the malicious email, which may result in a DoS condition. Important CVE-2017-12380 SUSE bug 1077732 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick 7.0.6-5 has memory leaks in the parse8BIMW and format8BIM functions in coders/meta.c, related to the WriteImage function in MagickCore/constitute.c. Low CVE-2017-12418 SUSE bug 1052207 SUSE Linux Enterprise Server 11 SP3-TERADATA The ProcessMSLScript function in coders/msl.c in ImageMagick before 6.9.9-5 and 7.x before 7.0.6-5 allows remote attackers to cause a denial of service (memory leak) via a crafted file, related to the WriteMSLImage function. Important CVE-2017-12427 SUSE bug 1052248 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.6-1, a memory exhaustion vulnerability was found in the function ReadMIFFImage in coders/miff.c, which allows attackers to cause a denial of service. Important CVE-2017-12429 SUSE bug 1052251 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.6-1, a memory exhaustion vulnerability was found in the function ReadMPCImage in coders/mpc.c, which allows attackers to cause a denial of service. Important CVE-2017-12430 SUSE bug 1052251 SUSE bug 1052252 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.6-1, a memory exhaustion vulnerability was found in the function ReadPCXImage in coders/pcx.c, which allows attackers to cause a denial of service. Important CVE-2017-12432 SUSE bug 1052254 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.6-1, a missing NULL check vulnerability was found in the function ReadMATImage in coders/mat.c, which allows attackers to cause a denial of service (assertion failure) in DestroyImageInfo in image.c. Important CVE-2017-12434 SUSE bug 1052550 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.6-1, a memory exhaustion vulnerability was found in the function ReadSUNImage in coders/sun.c, which allows attackers to cause a denial of service. Moderate CVE-2017-12435 SUSE bug 1052553 SUSE bug 1057508 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.6-2, a memory exhaustion vulnerability was found in the function ReadPSDImage in coders/psd.c, which allows attackers to cause a denial of service. Moderate CVE-2017-12563 SUSE bug 1052460 SUSE bug 1072901 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.6-2, a memory leak vulnerability was found in the function ReadMATImage in coders/mat.c, which allows attackers to cause a denial of service. Moderate CVE-2017-12564 SUSE bug 1052468 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.6-2, a memory leak vulnerability was found in the function ReadOneJNGImage in coders/png.c, which allows attackers to cause a denial of service. Moderate CVE-2017-12565 SUSE bug 1047910 SUSE bug 1052470 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.6-2, a memory leak vulnerability was found in the function ReadMVGImage in coders/mvg.c, which allows attackers to cause a denial of service, related to the function ReadSVGImage in svg.c. Moderate CVE-2017-12566 SUSE bug 1052472 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick 7.0.6-1 has a large loop vulnerability in the ReadPWPImage function in coders\pwp.c. Moderate CVE-2017-12587 SUSE bug 1052450 SUSE Linux Enterprise Server 11 SP3-TERADATA In OpenEXR 2.2.0, a crafted image causes a heap-based buffer over-read in the hufDecode function in IlmImf/ImfHuf.cpp during exrmaketiled execution; it may result in denial of service or possibly unspecified other impact. Moderate CVE-2017-12596 SUSE bug 1052522 SUSE Linux Enterprise Server 11 SP3-TERADATA When apr_time_exp*() or apr_os_exp_time*() functions are invoked with an invalid month field value in Apache Portable Runtime APR 1.6.2 and prior, out of bounds memory may be accessed in converting this value to an apr_time_exp_t value, potentially revealing the contents of a different static heap value or resulting in program termination, and may represent an information disclosure or denial of service vulnerability to applications which call these APR functions with unvalidated external input. Moderate CVE-2017-12613 SUSE bug 1064982 SUSE Linux Enterprise Server 11 SP3-TERADATA Apache Portable Runtime Utility (APR-util) 1.6.0 and prior fail to validate the integrity of SDBM database files used by apr_sdbm*() functions, resulting in a possible out of bound read access. A local user with write access to the database can make a program or process using these functions crash, and cause a denial of service. Moderate CVE-2017-12618 SUSE bug 1064990 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick 7.0.6-1 has an out-of-bounds read vulnerability in ReadOneMNGImage in coders/png.c. Moderate CVE-2017-12640 SUSE bug 1052781 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick 7.0.6-1 has a memory leak vulnerability in ReadOneJNGImage in coders\png.c. Important CVE-2017-12641 SUSE bug 1052777 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick 7.0.6-1 has a memory leak vulnerability in ReadMPCImage in coders\mpc.c. Moderate CVE-2017-12642 SUSE bug 1052771 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick 7.0.6-1 has a memory exhaustion vulnerability in ReadOneJNGImage in coders\png.c. Important CVE-2017-12643 SUSE bug 1052768 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick 7.0.6-1 has a memory leak vulnerability in ReadDCMImage in coders\dcm.c. Moderate CVE-2017-12644 SUSE bug 1051847 SUSE bug 1052764 SUSE Linux Enterprise Server 11 SP3-TERADATA The ReadPICTImage function in coders/pict.c in ImageMagick 7.0.6-3 allows attackers to cause a denial of service (memory leak) via a crafted file. Moderate CVE-2017-12654 SUSE bug 1052761 SUSE bug 1074119 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick 7.0.6-2 has a memory leak vulnerability in WritePDFImage in coders/pdf.c. Moderate CVE-2017-12662 SUSE bug 1052758 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick 7.0.6-2 has a memory leak vulnerability in WriteMAPImage in coders/map.c. Moderate CVE-2017-12663 SUSE bug 1052754 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick 7.0.6-2 has a memory leak vulnerability in WritePALMImage in coders/palm.c. Moderate CVE-2017-12664 SUSE bug 1052750 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick 7.0.6-2 has a memory leak vulnerability in WritePICTImage in coders/pict.c. Moderate CVE-2017-12665 SUSE bug 1052747 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick 7.0.6-1 has a memory leak vulnerability in ReadMATImage in coders\mat.c. Moderate CVE-2017-12667 SUSE bug 1052732 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick 7.0.6-2 has a memory leak vulnerability in WritePCXImage in coders/pcx.c. Moderate CVE-2017-12668 SUSE bug 1052688 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick 7.0.6-2 has a memory leak vulnerability in WriteCALSImage in coders/cals.c. Moderate CVE-2017-12669 SUSE bug 1052689 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.6-3, missing validation was found in coders/mat.c, leading to an assertion failure in the function DestroyImage in MagickCore/image.c, which allows attackers to cause a denial of service. Important CVE-2017-12670 SUSE bug 1052731 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.6-3, a missing NULL assignment was found in coders/png.c, leading to an invalid free in the function RelinquishMagickMemory in MagickCore/memory.c, which allows attackers to cause a denial of service. Important CVE-2017-12671 SUSE bug 1052721 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.6-3, a memory leak vulnerability was found in the function ReadMATImage in coders/mat.c, which allows attackers to cause a denial of service. Moderate CVE-2017-12672 SUSE bug 1052720 SUSE bug 1055434 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.6-3, a memory leak vulnerability was found in the function ReadOneMNGImage in coders/png.c, which allows attackers to cause a denial of service. Moderate CVE-2017-12673 SUSE bug 1052717 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.6-2, a CPU exhaustion vulnerability was found in the function ReadPDBImage in coders/pdb.c, which allows attackers to cause a denial of service. Important CVE-2017-12674 SUSE bug 1052711 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.6-3, a missing check for multidimensional data was found in coders/mat.c, leading to a memory leak in the function ReadImage in MagickCore/constitute.c, which allows attackers to cause a denial of service. Moderate CVE-2017-12675 SUSE bug 1052710 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.6-3, a memory leak vulnerability was found in the function ReadOneJNGImage in coders/png.c, which allows attackers to cause a denial of service. Moderate CVE-2017-12676 SUSE bug 1052708 SUSE Linux Enterprise Server 11 SP3-TERADATA The ReadOneLayer function in coders/xcf.c in ImageMagick 7.0.6-6 allows remote attackers to cause a denial of service (memory consumption) via a crafted file. Moderate CVE-2017-12691 SUSE bug 1053955 SUSE bug 1058422 SUSE bug 1082363 SUSE Linux Enterprise Server 11 SP3-TERADATA The ReadVIFFImage function in coders/viff.c in ImageMagick 7.0.6-6 allows remote attackers to cause a denial of service (memory consumption) via a crafted VIFF file. Moderate CVE-2017-12692 SUSE bug 1053955 SUSE bug 1082362 SUSE Linux Enterprise Server 11 SP3-TERADATA The ReadBMPImage function in coders/bmp.c in ImageMagick 7.0.6-6 allows remote attackers to cause a denial of service (memory consumption) via a crafted BMP file. Moderate CVE-2017-12693 SUSE bug 1053955 SUSE bug 1082348 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA In /drivers/isdn/i4l/isdn_net.c: A user-controlled buffer is copied into a local buffer of constant size using strcpy without a length check which can cause a buffer overflow. This affects the Linux kernel 4.9-stable tree, 4.12-stable tree, 3.18-stable tree, and 4.4-stable tree. Important CVE-2017-12762 SUSE bug 1053148 SUSE bug 1053150 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.11.7 and 2017.7.x before 2017.7.1 allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID. Moderate CVE-2017-12791 SUSE bug 1053955 SUSE bug 1062462 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.6-6, a memory exhaustion vulnerability was found in the function ReadTIFFImage, which allows attackers to cause a denial of service. Low CVE-2017-12805 SUSE bug 1135236 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.6-6, a memory exhaustion vulnerability was found in the function format8BIM, which allows attackers to cause a denial of service. Low CVE-2017-12806 SUSE bug 1135232 SUSE Linux Enterprise Server 11 SP3-TERADATA CVS 1.12.x, when configured to use SSH for remote repositories, might allow remote attackers to execute arbitrary code via a repository URL with a crafted hostname, as demonstrated by "-oProxyCommand=id;localhost:/bar." Moderate CVE-2017-12836 SUSE bug 1052481 SUSE bug 1052696 SUSE bug 1052932 SUSE bug 1053364 SUSE bug 1066430 SUSE bug 1071709 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Xen maintains the _GTF_{read,writ}ing bits as appropriate, to inform the guest that a grant is in use. A guest is expected not to modify the grant details while it is in use, whereas the guest is free to modify/reuse the grant entry when it is not in use. Under some circumstances, Xen will clear the status bits too early, incorrectly informing the guest that the grant is no longer in use. A guest may prematurely believe that a granted frame is safely private again, and reuse it in a way which contains sensitive information, while the domain on the far end of the grant is still using the grant. Xen 4.9, 4.8, 4.7, 4.6, and 4.5 are affected. Moderate CVE-2017-12855 SUSE bug 1052686 SUSE Linux Enterprise Server 11 SP3-TERADATA ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-11424. Reason: This candidate is a duplicate of CVE-2017-11424. Notes: All CVE users should reference CVE-2017-11424 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Important CVE-2017-12880 SUSE bug 1054106 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA IBM SDK, Java Technology Edition is vulnerable XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. IBM X-Force ID: 125150. Important CVE-2017-1289 SUSE bug 1038505 SUSE Linux Enterprise Server 11 SP3-TERADATA The finish_nested_data function in ext/standard/var_unserializer.re in PHP before 5.6.31, 7.0.x before 7.0.21, and 7.1.x before 7.1.7 is prone to a buffer over-read while unserializing untrusted data. Exploitation of this issue can have an unspecified impact on the integrity of PHP. Moderate CVE-2017-12933 SUSE bug 1054430 SUSE Linux Enterprise Server 11 SP3-TERADATA The ReadMNGImage function in coders/png.c in GraphicsMagick 1.3.26 mishandles large MNG images, leading to an invalid memory read in the SetImageColorCallBack function in magick/image.c. Moderate CVE-2017-12935 SUSE bug 1054598 SUSE bug 1054600 SUSE Linux Enterprise Server 11 SP3-TERADATA UnRAR before 5.5.7 allows remote attackers to bypass a directory-traversal protection mechanism via vectors involving a symlink to the . directory, a symlink to the .. directory, and a regular file. Moderate CVE-2017-12938 SUSE bug 1054038 SUSE Linux Enterprise Server 11 SP3-TERADATA libunrar.a in UnRAR before 5.5.7 has an out-of-bounds read in the EncodeFileName::Decode call within the Archive::ReadHeader15 function. Moderate CVE-2017-12940 SUSE bug 1054038 SUSE Linux Enterprise Server 11 SP3-TERADATA libunrar.a in UnRAR before 5.5.7 has an out-of-bounds read in the Unpack::Unpack20 function. Moderate CVE-2017-12941 SUSE bug 1054038 SUSE Linux Enterprise Server 11 SP3-TERADATA libunrar.a in UnRAR before 5.5.7 has a buffer overflow in the Unpack::LongLZ function. Moderate CVE-2017-12942 SUSE bug 1054038 SUSE bug 1054600 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the ReadSFWImage function in coders/sfw.c in ImageMagick 7.0.6-8 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted file. Important CVE-2017-12983 SUSE bug 1054757 SUSE Linux Enterprise Server 11 SP3-TERADATA Several protocol parsers in tcpdump before 4.9.2 could cause a buffer overflow in util-print.c:bittok2str_internal(). Moderate CVE-2017-13011 SUSE bug 1050219 SUSE bug 1050222 SUSE bug 1050225 SUSE bug 1057247 SUSE bug 1123142 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.6-6, a memory leak vulnerability was found in the function WritePCXImage in coders/pcx.c, which allows attackers to cause a denial of service via a crafted file. Moderate CVE-2017-13058 SUSE bug 1055069 SUSE bug 1111072 SUSE bug 1117463 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.6-5, a memory leak vulnerability was found in the function ReadMATImage in coders/mat.c, which allows attackers to cause a denial of service via a crafted file. Moderate CVE-2017-13060 SUSE bug 1055065 SUSE bug 1055434 SUSE bug 1076021 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.6-5, a length-validation vulnerability was found in the function ReadPSDLayersInternal in coders/psd.c, which allows attackers to cause a denial of service (ReadPSDImage memory exhaustion) via a crafted file. Moderate CVE-2017-13061 SUSE bug 1055063 SUSE bug 1072901 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.6-6, a memory leak vulnerability was found in the function formatIPTC in coders/meta.c, which allows attackers to cause a denial of service (WriteMETAImage memory consumption) via a crafted file. Moderate CVE-2017-13062 SUSE bug 1055053 SUSE bug 1055055 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the four-way handshake, allowing an attacker within radio range to replay frames from access points to clients. Important CVE-2017-13078 SUSE bug 1056061 SUSE bug 1063479 SUSE bug 1063667 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w allows reinstallation of the Integrity Group Temporal Key (IGTK) during the four-way handshake, allowing an attacker within radio range to spoof frames from access points to clients. Important CVE-2017-13079 SUSE bug 1056061 SUSE bug 1063479 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients. Important CVE-2017-13080 SUSE bug 1056061 SUSE bug 1063479 SUSE bug 1063667 SUSE bug 1063671 SUSE bug 1066295 SUSE bug 1105108 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w allows reinstallation of the Integrity Group Temporal Key (IGTK) during the group key handshake, allowing an attacker within radio range to spoof frames from access points to clients. Important CVE-2017-13081 SUSE bug 1056061 SUSE bug 1063479 SUSE bug 1066295 SUSE bug 1105108 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Wi-Fi Protected Access (WPA and WPA2) that support 802.11v allows reinstallation of the Group Temporal Key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame, allowing an attacker within radio range to replay frames from access points to clients. Important CVE-2017-13087 SUSE bug 1056061 SUSE bug 1063479 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Wi-Fi Protected Access (WPA and WPA2) that support 802.11v allows reinstallation of the Integrity Group Temporal Key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame, allowing an attacker within radio range to replay frames from access points to clients. Important CVE-2017-13088 SUSE bug 1056061 SUSE bug 1063479 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.6-8, a memory leak vulnerability was found in the function ReadMIFFImage in coders/miff.c, which allows attackers to cause a denial of service (memory consumption in NewLinkedList in MagickCore/linked-list.c) via a crafted file. Moderate CVE-2017-13131 SUSE bug 1055229 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.6-8, the load_level function in coders/xcf.c lacks offset validation, which allows attackers to cause a denial of service (load_tile memory exhaustion) via a crafted file. Moderate CVE-2017-13133 SUSE bug 1055219 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.6-6 and GraphicsMagick 1.3.26, a heap-based buffer over-read was found in the function SFWScan in coders/sfw.c, which allows attackers to cause a denial of service via a crafted file. Moderate CVE-2017-13134 SUSE bug 1055214 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick before 6.9.9-0 and 7.x before 7.0.6-1, the ReadOneMNGImage function in coders/png.c has an out-of-bounds read with the MNG CLIP chunk. Important CVE-2017-13139 SUSE bug 1055430 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick before 6.9.9-4 and 7.x before 7.0.6-4, a crafted file could trigger a memory leak in ReadOnePNGImage in coders/png.c. Moderate CVE-2017-13141 SUSE bug 1055456 SUSE bug 1060162 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick before 6.9.9-0 and 7.x before 7.0.6-1, a crafted PNG file could trigger a crash because there was an insufficient check for short files. Moderate CVE-2017-13142 SUSE bug 1055455 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick before 6.9.8-5 and 7.x before 7.0.5-6, there is a memory leak in the ReadMATImage function in coders/mat.c. Moderate CVE-2017-13146 SUSE bug 1055323 SUSE Linux Enterprise Server 11 SP3-TERADATA In GraphicsMagick 1.3.26, an allocation failure vulnerability was found in the function ReadMNGImage in coders/png.c when a small MNG file has a MEND chunk with a large length value. Moderate CVE-2017-13147 SUSE bug 1055374 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An elevation of privilege vulnerability in the kernel v4l2 video driver. Product: Android. Versions: Android kernel. Android ID A-34624167. Important CVE-2017-13166 SUSE bug 1072865 SUSE bug 1085447 SUSE bug 1087082 SUSE bug 1091815 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An elevation of privilege vulnerability in the kernel sound timer. Product: Android. Versions: Android kernel. Android ID A-37240993. Moderate CVE-2017-13167 SUSE bug 1072876 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A elevation of privilege vulnerability in the Upstream kernel skcipher. Product: Android. Versions: Android kernel. Android ID: A-64386293. References: Upstream kernel. Moderate CVE-2017-13215 SUSE bug 1075908 SUSE bug 1091815 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A information disclosure vulnerability in the Upstream kernel encrypted-keys. Product: Android. Versions: Android kernel. Android ID: A-70526974. Moderate CVE-2017-13305 SUSE bug 1094353 SUSE bug 1105412 SUSE Linux Enterprise Server 11 SP3-TERADATA In GraphicsMagick 1.3.26, a memory leak vulnerability was found in the function ReadMATImage in coders/mat.c. Moderate CVE-2017-13648 SUSE bug 1054598 SUSE bug 1054600 SUSE bug 1055434 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick before 6.9.9-3 and 7.x before 7.0.6-3, there is a missing NULL check in the ReadMATImage function in coders/mat.c, leading to a denial of service (assertion failure and application exit) in the DestroyImageInfo function in MagickCore/image.c. Moderate CVE-2017-13658 SUSE bug 1055855 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA QEMU (aka Quick Emulator), when built with the VGA display emulator support, allows local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors involving display update. Low CVE-2017-13672 SUSE bug 1056334 SUSE bug 1056336 SUSE bug 1084604 SUSE Linux Enterprise Server 11 SP3-TERADATA In the PatternMatch function in fontfile/fontdir.c in libXfont through 1.5.2 and 2.x before 2.0.2, an attacker with access to an X connection can cause a buffer over-read during pattern matching of fonts, leading to information disclosure or a crash (denial of service). This occurs because '\0' characters are incorrectly skipped in situations involving ? characters. Moderate CVE-2017-13720 SUSE bug 1054285 SUSE Linux Enterprise Server 11 SP3-TERADATA In the pcfGetProperties function in bitmap/pcfread.c in libXfont through 1.5.2 and 2.x before 2.0.2, a missing boundary check (for PCF files) could be used by local attackers authenticated to an Xserver for a buffer over-read, for information disclosure or a crash of the X server. Moderate CVE-2017-13722 SUSE bug 1049692 SUSE Linux Enterprise Server 11 SP3-TERADATA In X.Org Server (aka xserver and xorg-server) before 1.19.4, a local attacker authenticated to the X server could overflow a global buffer, causing crashes of the X server or potentially other problems by injecting large or malformed XKB related atoms and accessing them via xkbcomp. Moderate CVE-2017-13723 SUSE bug 1051150 SUSE bug 1052984 SUSE Linux Enterprise Server 11 SP3-TERADATA There is an infinite loop in the next_char function in comp_scan.c in ncurses 6.0, related to libtic. A crafted input will lead to a remote denial of service attack. Moderate CVE-2017-13728 SUSE bug 1056136 SUSE bug 1069530 SUSE bug 1115932 SUSE bug 1123132 SUSE Linux Enterprise Server 11 SP3-TERADATA There is an illegal address access in the _nc_save_str function in alloc_entry.c in ncurses 6.0. It will lead to a remote denial of service attack. Moderate CVE-2017-13729 SUSE bug 1056132 SUSE bug 1069530 SUSE bug 1115932 SUSE bug 1123132 SUSE Linux Enterprise Server 11 SP3-TERADATA There is an illegal address access in the function _nc_read_entry_source() in progs/tic.c in ncurses 6.0 that might lead to a remote denial of service attack. Moderate CVE-2017-13730 SUSE bug 1056131 SUSE bug 1069530 SUSE bug 1115932 SUSE bug 1123132 SUSE Linux Enterprise Server 11 SP3-TERADATA There is an illegal address access in the function postprocess_termcap() in parse_entry.c in ncurses 6.0 that will lead to a remote denial of service attack. Moderate CVE-2017-13731 SUSE bug 1056129 SUSE bug 1069530 SUSE bug 1115932 SUSE bug 1123132 SUSE Linux Enterprise Server 11 SP3-TERADATA There is an illegal address access in the function dump_uses() in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack. Moderate CVE-2017-13732 SUSE bug 1056128 SUSE bug 1069530 SUSE bug 1115932 SUSE bug 1123132 SUSE Linux Enterprise Server 11 SP3-TERADATA There is an illegal address access in the fmt_entry function in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack. Moderate CVE-2017-13733 SUSE bug 1056127 SUSE bug 1069530 SUSE bug 1115932 SUSE bug 1123132 SUSE Linux Enterprise Server 11 SP3-TERADATA There is a heap-based buffer overflow that causes a more than two thousand bytes out-of-bounds write in Liblouis 3.2.0, triggered in the function resolveSubtable() in compileTranslationTable.c. It will lead to denial of service or remote code execution. Moderate CVE-2017-13739 SUSE bug 1056101 SUSE Linux Enterprise Server 11 SP3-TERADATA There is a stack-based buffer overflow in Liblouis 3.2.0, triggered in the function parseChars() in compileTranslationTable.c, that will lead to denial of service or possibly unspecified other impact. Moderate CVE-2017-13740 SUSE bug 1056097 SUSE Linux Enterprise Server 11 SP3-TERADATA There is a use-after-free in the function compileBrailleIndicator() in compileTranslationTable.c in Liblouis 3.2.0 that will lead to a remote denial of service attack. Moderate CVE-2017-13741 SUSE bug 1056095 SUSE Linux Enterprise Server 11 SP3-TERADATA There is a buffer overflow in Liblouis 3.2.0, triggered in the function _lou_showString() in utils.c, that will lead to a remote denial of service attack. Moderate CVE-2017-13743 SUSE bug 1056090 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.6-10, there is a heap-based buffer overflow in the TracePoint() function in MagickCore/draw.c. Critical CVE-2017-13758 SUSE bug 1056277 SUSE bug 1096261 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.4.0, 2.2.0 to 2.2.8, and 2.0.0 to 2.0.14, the IrCOMM dissector has a buffer over-read and application crash. This was addressed in plugins/irda/packet-ircomm.c by adding length validation. Moderate CVE-2017-13765 SUSE bug 1056251 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.4.0 and 2.2.0 to 2.2.8, the Profinet I/O dissector could crash with an out-of-bounds write. This was addressed in plugins/profinet/packet-dcerpc-pn-io.c by adding string validation. Moderate CVE-2017-13766 SUSE bug 1056249 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.4.0, 2.2.0 to 2.2.8, and 2.0.0 to 2.0.14, the MSDP dissector could go into an infinite loop. This was addressed in epan/dissectors/packet-msdp.c by adding length validation. Moderate CVE-2017-13767 SUSE bug 1056248 SUSE Linux Enterprise Server 11 SP3-TERADATA Null Pointer Dereference in the IdentifyImage function in MagickCore/identify.c in ImageMagick through 7.0.6-10 allows an attacker to perform denial of service by sending a crafted image file. Important CVE-2017-13768 SUSE bug 1056434 SUSE Linux Enterprise Server 11 SP3-TERADATA The WriteTHUMBNAILImage function in coders/thumbnail.c in ImageMagick through 7.0.6-10 allows an attacker to cause a denial of service (buffer over-read) by sending a crafted JPEG file. Moderate CVE-2017-13769 SUSE bug 1056432 SUSE Linux Enterprise Server 11 SP3-TERADATA A memory allocation failure was discovered in the ReadPNMImage function in coders/pnm.c in GraphicsMagick 1.3.26. The vulnerability causes a big memory allocation, which may lead to remote denial of service in the MagickRealloc function in magick/memory.c. Moderate CVE-2017-14042 SUSE bug 1054598 SUSE bug 1054600 SUSE bug 1056550 SUSE bug 1059721 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An integer overflow in the qla2x00_sysfs_write_optrom_ctl function in drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel through 4.12.10 allows local users to cause a denial of service (memory corruption and system crash) by leveraging root access. Moderate CVE-2017-14051 SUSE bug 1056588 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in the decode_digit function in puny_decode.c in Libidn2 before 2.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact. Moderate CVE-2017-14062 SUSE bug 1056450 SUSE bug 1087709 SUSE bug 1118435 SUSE bug 1123123 SUSE Linux Enterprise Server 11 SP3-TERADATA The ReadJNGImage and ReadOneJNGImage functions in coders/png.c in GraphicsMagick 1.3.26 do not properly manage image pointers after certain error conditions, which allows remote attackers to conduct use-after-free attacks via a crafted file, related to a ReadMNGImage out-of-order CloseBlob call. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-11403. Moderate CVE-2017-14103 SUSE bug 1057000 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The tcp_disconnect function in net/ipv4/tcp.c in the Linux kernel before 4.12 allows local users to cause a denial of service (__tcp_select_window divide-by-zero error and system crash) by triggering a disconnect within a certain tcp_recvmsg code path. Moderate CVE-2017-14106 SUSE bug 1056982 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The move_pages system call in mm/migrate.c in the Linux kernel before 4.12.9 doesn't check the effective uid of the target process, enabling a local attacker to learn the memory layout of a setuid executable despite ASLR. Low CVE-2017-14140 SUSE bug 1057179 SUSE Linux Enterprise Server 11 SP3-TERADATA The bark_noise_hybridmp function in psy.c in Xiph.Org libvorbis 1.3.5 allows remote attackers to cause a denial of service (out-of-bounds access and application crash) or possibly have unspecified other impact via a crafted mp4 file. Moderate CVE-2017-14160 SUSE bug 1059812 SUSE bug 1091072 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in the load_multiboot function in hw/i386/multiboot.c in QEMU (aka Quick Emulator) allows local guest OS users to execute arbitrary code on the host via crafted multiboot header address values, which trigger an out-of-bounds write. Moderate CVE-2017-14167 SUSE bug 1057585 SUSE Linux Enterprise Server 11 SP3-TERADATA In coders/ps.c in ImageMagick 7.0.7-0 Q16, a DoS in ReadPSImage() due to lack of an EOF (End of File) check might cause huge CPU consumption. When a crafted PSD file, which claims a large "extent" field in the header but does not contain sufficient backing data, is provided, the loop over "length" would consume huge CPU resources, since there is no EOF check inside the loop. Low CVE-2017-14172 SUSE bug 1057730 SUSE Linux Enterprise Server 11 SP3-TERADATA In the function ReadTXTImage() in coders/txt.c in ImageMagick 7.0.6-10, an integer overflow might occur for the addition operation "GetQuantumRange(depth)+1" when "depth" is large, producing a smaller value than expected. As a result, an infinite loop would occur for a crafted TXT file that claims a very large "max_value" value. Low CVE-2017-14173 SUSE bug 1057729 SUSE Linux Enterprise Server 11 SP3-TERADATA In coders/psd.c in ImageMagick 7.0.7-0 Q16, a DoS in ReadPSDLayersInternal() due to lack of an EOF (End of File) check might cause huge CPU consumption. When a crafted PSD file, which claims a large "length" field in the header but does not contain sufficient backing data, is provided, the loop over "length" would consume huge CPU resources, since there is no EOF check inside the loop. Low CVE-2017-14174 SUSE bug 1057723 SUSE bug 1072901 SUSE Linux Enterprise Server 11 SP3-TERADATA In coders/xbm.c in ImageMagick 7.0.6-1 Q16, a DoS in ReadXBMImage() due to lack of an EOF (End of File) check might cause huge CPU consumption. When a crafted XBM file, which claims large rows and columns fields in the header but does not contain sufficient backing data, is provided, the loop over the rows would consume huge CPU resources, since there is no EOF check inside the loop. Moderate CVE-2017-14175 SUSE bug 1056426 SUSE bug 1056429 SUSE bug 1057719 SUSE Linux Enterprise Server 11 SP3-TERADATA A heap-based buffer overflow in WritePCXImage in coders/pcx.c in ImageMagick 7.0.6-8 Q16 allows remote attackers to cause a denial of service or code execution via a crafted file. Low CVE-2017-14224 SUSE bug 1058009 SUSE Linux Enterprise Server 11 SP3-TERADATA An out of bounds read in the function d2alaw_array() in alaw.c of libsndfile 1.0.28 may lead to a remote DoS attack or information disclosure, related to mishandling of the NAN and INFINITY floating-point values. Moderate CVE-2017-14245 SUSE bug 1059912 SUSE bug 1071777 SUSE Linux Enterprise Server 11 SP3-TERADATA An out of bounds read in the function d2ulaw_array() in ulaw.c of libsndfile 1.0.28 may lead to a remote DoS attack or information disclosure, related to mishandling of the NAN and INFINITY floating-point values. Moderate CVE-2017-14246 SUSE bug 1059913 SUSE bug 1071767 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick 7.0.6-8 Q16 mishandles EOF checks in ReadMPCImage in coders/mpc.c, leading to division by zero in GetPixelCacheTileSize in MagickCore/cache.c, allowing remote attackers to cause a denial of service via a crafted file. Low CVE-2017-14249 SUSE bug 1058082 SUSE Linux Enterprise Server 11 SP3-TERADATA Off-by-one error in the DrawImage function in magick/render.c in GraphicsMagick 1.3.26 allows remote attackers to cause a denial of service (DrawDashPolygon heap-based buffer over-read and application crash) via a crafted file. Low CVE-2017-14314 SUSE bug 1058630 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A parameter verification issue was discovered in Xen through 4.9.x. The function `alloc_heap_pages` allows callers to specify the first NUMA node that should be used for allocations through the `memflags` parameter; the node is extracted using the `MEMF_get_node` macro. While the function checks to see if the special constant `NUMA_NO_NODE` is specified, it otherwise does not handle the case where `node >= MAX_NUMNODES`. This allows an out-of-bounds access to an internal array. Important CVE-2017-14316 SUSE bug 1056278 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A domain cleanup issue was discovered in the C xenstore daemon (aka cxenstored) in Xen through 4.9.x. When shutting down a VM with a stubdomain, a race in cxenstored may cause a double-free. The xenstored daemon may crash, resulting in a DoS of any parts of the system relying on it (including domain creation / destruction, ballooning, device changes, etc.). Moderate CVE-2017-14317 SUSE bug 1056281 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A grant unmapping issue was discovered in Xen through 4.9.x. When removing or replacing a grant mapping, the x86 PV specific path needs to make sure page table entries remain in sync with other accounting done. Although the identity of the page frame was validated correctly, neither the presence of the mapping nor page writability were taken into account. Important CVE-2017-14319 SUSE bug 1056282 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.7-1 Q16, a memory leak vulnerability was found in the function ReadMATImage in coders/mat.c, which allows attackers to cause a denial of service via a crafted file. Low CVE-2017-14326 SUSE bug 1058640 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The XFS_IS_REALTIME_INODE macro in fs/xfs/xfs_linux.h in the Linux kernel before 4.13.2 does not verify that a filesystem has a realtime device, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via vectors related to setting an RHINHERIT flag on a directory. Moderate CVE-2017-14340 SUSE bug 1058524 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick 7.0.6-6 has a large loop vulnerability in ReadWPGImage in coders/wpg.c, causing CPU exhaustion via a crafted wpg image file. Low CVE-2017-14341 SUSE bug 1058637 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick 7.0.6-6 has a memory exhaustion vulnerability in ReadWPGImage in coders/wpg.c via a crafted wpg image file. Low CVE-2017-14342 SUSE bug 1058485 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick 7.0.6-6 has a memory leak vulnerability in ReadXCFImage in coders/xcf.c via a crafted xcf image file. Low CVE-2017-14343 SUSE bug 1058422 SUSE bug 1082363 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA GNU Emacs before 25.3 allows remote attackers to execute arbitrary code via email with crafted "Content-Type: text/enriched" data containing an x-display XML element that specifies execution of shell commands, related to an unsafe text/enriched extension in lisp/textmodes/enriched.el, and unsafe Gnus support for enriched and richtext inline MIME objects in lisp/gnus/mm-view.el. In particular, an Emacs user can be instantly compromised by reading a crafted email message (or Usenet news article). Critical CVE-2017-14482 SUSE bug 1058425 SUSE Linux Enterprise Server 11 SP3-TERADATA The iscsi_if_rx function in drivers/scsi/scsi_transport_iscsi.c in the Linux kernel through 4.13.2 allows local users to cause a denial of service (panic) by leveraging incorrect length validation. Moderate CVE-2017-14489 SUSE bug 1059051 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted DNS response. Moderate CVE-2017-14491 SUSE bug 1060354 SUSE bug 1060360 SUSE bug 1060361 SUSE bug 1060362 SUSE bug 1060364 SUSE bug 1063832 SUSE bug 1143944 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted IPv6 router advertisement request. Moderate CVE-2017-14492 SUSE bug 1060355 SUSE bug 1060360 SUSE bug 1060361 SUSE bug 1060362 SUSE bug 1060364 SUSE bug 1063832 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Stack-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted DHCPv6 request. Moderate CVE-2017-14493 SUSE bug 1060360 SUSE bug 1060361 SUSE bug 1060362 SUSE bug 1060364 SUSE bug 1063832 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA dnsmasq before 2.78, when configured as a relay, allows remote attackers to obtain sensitive memory information via vectors involving handling DHCPv6 forwarded requests. Moderate CVE-2017-14494 SUSE bug 1060360 SUSE bug 1060361 SUSE bug 1060362 SUSE bug 1060364 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Memory leak in dnsmasq before 2.78, when the --add-mac, --add-cpe-id or --add-subnet option is specified, allows remote attackers to cause a denial of service (memory consumption) via vectors involving DNS response creation. Important CVE-2017-14495 SUSE bug 1060360 SUSE bug 1060361 SUSE bug 1060362 SUSE bug 1060364 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Integer underflow in the add_pseudoheader function in dnsmasq before 2.78 , when the --add-mac, --add-cpe-id or --add-subnet option is specified, allows remote attackers to cause a denial of service via a crafted DNS request. Important CVE-2017-14496 SUSE bug 1060360 SUSE bug 1060361 SUSE bug 1060362 SUSE bug 1060364 SUSE Linux Enterprise Server 11 SP3-TERADATA DrawGetStrokeDashArray in wand/drawing-wand.c in ImageMagick 7.0.7-1 mishandles certain NULL arrays, which allows attackers to perform Denial of Service (NULL pointer dereference and application crash in AcquireQuantumMemory within MagickCore/memory.c) by providing a crafted Image File as input. Moderate CVE-2017-14505 SUSE bug 1059735 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick 7.0.7-0 has a memory exhaustion issue in ReadSUNImage in coders/sun.c. Moderate CVE-2017-14531 SUSE bug 1057508 SUSE bug 1059666 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick 7.0.6-6 has a memory leak in ReadMATImage in coders/mat.c. Moderate CVE-2017-14533 SUSE bug 1059751 SUSE Linux Enterprise Server 11 SP3-TERADATA GNOME Nautilus before 3.23.90 allows attackers to spoof a file type by using the .desktop file extension, as demonstrated by an attack in which a .desktop file's Name field ends in .pdf but this file's Exec field launches a malicious "sh -c" command. In other words, Nautilus provides no UI indication that a file actually has the potentially unsafe .desktop extension; instead, the UI only shows the .pdf extension. One (slightly) mitigating factor is that an attack requires the .desktop file to have execute permission. The solution is to ask the user to confirm that the file is supposed to be treated as a .desktop file, and then remember the user's answer in the metadata::trusted field. Moderate CVE-2017-14604 SUSE bug 1060031 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.7-4 Q16, an out of bounds read flaw related to ReadTIFFImage has been reported in coders/tiff.c. An attacker could possibly exploit this flaw to disclose potentially sensitive memory or cause an application crash. Moderate CVE-2017-14607 SUSE bug 1059778 SUSE Linux Enterprise Server 11 SP3-TERADATA Xiph.Org libvorbis 1.3.5 allows Remote Code Execution upon freeing uninitialized memory in the function vorbis_analysis_headerout() in info.c when vi->channels<=0, a similar issue to Mozilla bug 550184. Important CVE-2017-14632 SUSE bug 1059809 SUSE Linux Enterprise Server 11 SP3-TERADATA In Xiph.Org libvorbis 1.3.5, an out-of-bounds array read vulnerability exists in the function mapping0_forward() in mapping0.c, which may lead to DoS when operating on a crafted audio file with vorbis_analysis(). Moderate CVE-2017-14633 SUSE bug 1059811 SUSE bug 1081833 SUSE Linux Enterprise Server 11 SP3-TERADATA In libsndfile 1.0.28, a divide-by-zero error exists in the function double64_init() in double64.c, which may lead to DoS when playing a crafted audio file. Moderate CVE-2017-14634 SUSE bug 1059911 SUSE Linux Enterprise Server 11 SP3-TERADATA ReadOneJNGImage in coders/png.c in GraphicsMagick version 1.3.26 does not properly validate JNG data, leading to a denial of service (assertion failure in magick/pixel_cache.c, and application crash). Moderate CVE-2017-14649 SUSE bug 1060162 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-12791. Moderate CVE-2017-14695 SUSE bug 1053955 SUSE bug 1062462 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote attackers to cause a denial of service via a crafted authentication request. Moderate CVE-2017-14696 SUSE bug 1053955 SUSE bug 1062464 SUSE Linux Enterprise Server 11 SP3-TERADATA ReadRLEImage in coders/rle.c in GraphicsMagick 1.3.26 mishandles RLE headers that specify too few colors, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file. Moderate CVE-2017-14733 SUSE bug 1060577 SUSE Linux Enterprise Server 11 SP3-TERADATA A race condition in the postgresql init script could be used by attackers able to access the postgresql account to escalate their privileges to root. Important CVE-2017-14798 SUSE bug 1062722 SUSE Linux Enterprise Server 11 SP3-TERADATA Double free in i18n/zonemeta.cpp in International Components for Unicode (ICU) for C/C++ through 59.1 allows remote attackers to execute arbitrary code via a crafted string, aka a "redundant UVector entry clean up function call" issue. Moderate CVE-2017-14952 SUSE bug 1067203 SUSE bug 1123121 SUSE Linux Enterprise Server 11 SP3-TERADATA The FoFiTrueType::getCFFBlock function in FoFiTrueType.cc in Poppler 0.59.0 has a NULL pointer dereference vulnerability due to lack of validation of a table pointer, which allows an attacker to launch a denial of service attack. Moderate CVE-2017-14977 SUSE bug 1061265 SUSE Linux Enterprise Server 11 SP3-TERADATA GraphicsMagick 1.3.26 allows remote attackers to cause a denial of service (excessive memory allocation) because of an integer underflow in ReadPICTImage in coders/pict.c. Low CVE-2017-14997 SUSE bug 1112399 SUSE bug 1117463 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick 7.0.7-0 Q16 has a NULL pointer dereference vulnerability in ReadEnhMetaFile in coders/emf.c. Low CVE-2017-15016 SUSE bug 1082291 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick 7.0.7-0 Q16 has a NULL pointer dereference vulnerability in ReadOneMNGImage in coders/png.c. Low CVE-2017-15017 SUSE bug 1082283 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick version 7.0.7-2 contains a memory leak in ReadYUVImage in coders/yuv.c. Moderate CVE-2017-15033 SUSE bug 1061873 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Race condition in the v9fs_xattrwalk function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS users to obtain sensitive information from host heap memory via vectors related to reading extended attributes. Low CVE-2017-15038 SUSE bug 1062069 SUSE Linux Enterprise Server 11 SP3-TERADATA plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles Distinguished Name (DN) fields, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) in situations involving untrusted X.509 data, related to the get_matching_data and X509_NAME_oneline_ex functions. NOTE: this has security relevance only in use cases outside of the MIT Kerberos distribution, e.g., the use of get_matching_data in KDC certauth plugin code that is specific to Red Hat. Important CVE-2017-15088 SUSE bug 1065274 SUSE Linux Enterprise Server 11 SP3-TERADATA Invalid json_populate_recordset or jsonb_populate_recordset function calls in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10, 9.4.x before 9.4.15, and 9.3.x before 9.3.20 can crash the server or disclose a few bytes of server memory. Important CVE-2017-15098 SUSE bug 1067844 SUSE Linux Enterprise Server 11 SP3-TERADATA A missing patch for a stack-based buffer overflow in findTable() was found in Red Hat version of liblouis before 2.5.4. An attacker could cause a denial of service condition or potentially even arbitrary code execution. Important CVE-2017-15101 SUSE bug 1067336 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The tower_probe function in drivers/usb/misc/legousbtower.c in the Linux kernel before 4.8.1 allows local users (who are physically proximate for inserting a crafted USB device) to gain privileges by leveraging a write-what-where condition that occurs after a race condition and a NULL pointer dereference. Moderate CVE-2017-15102 SUSE bug 1066705 SUSE Linux Enterprise Server 11 SP3-TERADATA A vulnerability was found in the implementation of DNSSEC in Dnsmasq up to and including 2.78. Wildcard synthesized NSEC records could be improperly interpreted to prove the non-existence of hostnames that actually exist. Moderate CVE-2017-15107 SUSE bug 1076958 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The sctp_do_peeloff function in net/sctp/socket.c in the Linux kernel before 4.14 does not check whether the intended netns is used in a peel-off action, which allows local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via crafted system calls. Moderate CVE-2017-15115 SUSE bug 1068671 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.4.0 to 2.4.1, 2.2.0 to 2.2.9, and 2.0.0 to 2.0.15, the DMP dissector could crash. This was addressed in epan/dissectors/packet-dmp.c by validating a string length. Important CVE-2017-15191 SUSE bug 1062645 SUSE bug 983671 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.4.0 to 2.4.1 and 2.2.0 to 2.2.9, the BT ATT dissector could crash. This was addressed in epan/dissectors/packet-btatt.c by considering a case where not all of the BTATT packets have the same encapsulation level. Important CVE-2017-15192 SUSE bug 1062645 SUSE bug 983671 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.4.0 to 2.4.1 and 2.2.0 to 2.2.9, the MBIM dissector could crash or exhaust system memory. This was addressed in epan/dissectors/packet-mbim.c by changing the memory-allocation approach. Important CVE-2017-15193 SUSE bug 1062645 SUSE bug 983671 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick 7.0.7-2 has a memory leak in ReadOneJNGImage in coders/png.c. Moderate CVE-2017-15218 SUSE bug 1047910 SUSE bug 1062752 SUSE Linux Enterprise Server 11 SP3-TERADATA libjpeg-turbo 1.5.2 has a NULL Pointer Dereference in jdpostct.c and jquant1.c via a crafted JPEG file. Moderate CVE-2017-15232 SUSE bug 1062937 SUSE bug 1149960 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Race condition in the ALSA subsystem in the Linux kernel before 4.13.8 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted /dev/snd/seq ioctl calls, related to sound/core/seq/seq_clientmgr.c and sound/core/seq/seq_ports.c. Moderate CVE-2017-15265 SUSE bug 1062520 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA security/keys/keyctl.c in the Linux kernel before 4.11.5 does not consider the case of a NULL payload in conjunction with a nonzero length value, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted add_key or keyctl system call, a different vulnerability than CVE-2017-12192. Moderate CVE-2017-15274 SUSE bug 1045327 SUSE bug 1062471 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Samba before 4.7.3 might allow remote attackers to obtain sensitive information by leveraging failure of the server to clear allocated heap memory. Moderate CVE-2017-15275 SUSE bug 1063008 SUSE Linux Enterprise Server 11 SP3-TERADATA ReadGIFImage in coders/gif.c in ImageMagick 7.0.6-1 and GraphicsMagick 1.3.26 leaves the palette uninitialized when processing a GIF file that has neither a global nor local palette. If the affected product is used as a library loaded into a process that operates on interesting data, this data sometimes can be leaked via the uninitialized palette. Moderate CVE-2017-15277 SUSE bug 1063050 SUSE Linux Enterprise Server 11 SP3-TERADATA ReadPSDImage in coders/psd.c in ImageMagick 7.0.7-6 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted file, related to "Conditional jump or move depends on uninitialised value(s)." Moderate CVE-2017-15281 SUSE bug 1063049 SUSE bug 1072901 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The mode4and5 write functions in hw/display/cirrus_vga.c in Qemu allow local OS guest privileged users to cause a denial of service (out-of-bounds write access and Qemu process crash) via vectors related to dst calculation. Moderate CVE-2017-15289 SUSE bug 1063122 SUSE bug 1063123 SUSE Linux Enterprise Server 11 SP3-TERADATA Use after free in libxml2 before 2.9.5, as used in Google Chrome prior to 63.0.3239.84 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Important CVE-2017-15412 SUSE bug 1071691 SUSE bug 1077993 SUSE bug 1123129 SUSE bug 1123919 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in international date handling in International Components for Unicode (ICU) for C/C++ before 60.1, as used in V8 in Google Chrome prior to 63.0.3239.84 and other products, allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. Moderate CVE-2017-15422 SUSE bug 1071691 SUSE bug 1077999 SUSE bug 1123121 SUSE Linux Enterprise Server 11 SP3-TERADATA In Poppler 0.59.0, a NULL Pointer Dereference exists in the GfxImageColorMap::getGrayLine() function in GfxState.cc via a crafted PDF document. Moderate CVE-2017-15565 SUSE bug 1064593 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in Xen through 4.9.x allowing x86 PV guest OS users to execute arbitrary code on the host OS because of a race condition that can cause a stale TLB entry. Important CVE-2017-15588 SUSE bug 1061082 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in Xen through 4.9.x allowing x86 HVM guest OS users to obtain sensitive information from the host OS (or an arbitrary guest OS) because intercepted I/O operations can cause a write of data from uninitialized hypervisor stack memory. Moderate CVE-2017-15589 SUSE bug 1061080 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in Xen through 4.9.x allowing x86 guest OS users to cause a denial of service (hypervisor crash) or possibly gain privileges because MSI mapping was mishandled. Important CVE-2017-15590 SUSE bug 1061076 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in Xen through 4.9.x allowing x86 HVM guest OS users to cause a denial of service (hypervisor crash) or possibly gain privileges because self-linear shadow mappings are mishandled for translated guests. Important CVE-2017-15592 SUSE bug 1061086 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in Xen through 4.9.x allowing x86 PV guest OS users to cause a denial of service (memory leak) because reference counts are mishandled. Moderate CVE-2017-15593 SUSE bug 1061084 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in Xen through 4.9.x allowing x86 SVM PV guest OS users to cause a denial of service (hypervisor crash) or gain privileges because IDT settings are mishandled during CPU hotplugging. Important CVE-2017-15594 SUSE bug 1061087 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in Xen through 4.9.x allowing x86 PV guest OS users to cause a denial of service (unbounded recursion, stack consumption, and hypervisor crash) or possibly gain privileges via crafted page-table stacking. Important CVE-2017-15595 SUSE bug 1061081 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in Xen through 4.9.x. Grant copying code made an implication that any grant pin would be accompanied by a suitable page reference. Other portions of code, however, did not match up with that assumption. When such a grant copy operation is being done on a grant of a dying domain, the assumption turns out wrong. A malicious guest administrator can cause hypervisor memory corruption, most likely resulting in host crash and a Denial of Service. Privilege escalation and information leaks cannot be ruled out. Important CVE-2017-15597 SUSE bug 1061075 SUSE Linux Enterprise Server 11 SP3-TERADATA The SuSEfirewall2 package before 3.6.312-2.13.1 in SUSE Linux Enterprise (SLE) Desktop 12 SP2, Server 12 SP2, and Server for Raspberry Pi 12 SP2; before 3.6.312.333-3.10.1 in SLE Desktop 12 SP3 and Server 12 SP3; before 3.6_SVNr208-2.18.3.1 in SLE Server 11 SP4; before 3.6.312-5.9.1 in openSUSE Leap 42.2; and before 3.6.312.333-7.1 in openSUSE Leap 42.3 might allow remote attackers to bypass intended access restrictions on the portmap service by leveraging a missing source net restriction for _rpc_ services. Moderate CVE-2017-15638 SUSE bug 1064127 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The GNU C Library (aka glibc or libc6) before 2.27 contains an off-by-one error leading to a heap-based buffer overflow in the glob function in glob.c, related to the processing of home directories using the ~ operator followed by a long string. Important CVE-2017-15670 SUSE bug 1064583 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27, when invoked with GLOB_TILDE, could skip freeing allocated memory when processing the ~ operator with a long user name, potentially leading to a denial of service (memory leak). Moderate CVE-2017-15671 SUSE bug 1064569 SUSE bug 1135444 SUSE Linux Enterprise Server 11 SP3-TERADATA When parsing the AIA-Extension field of a client certificate, Apache Tomcat Native Connector 1.2.0 to 1.2.14 and 1.1.23 to 1.1.34 did not correctly handle fields longer than 127 bytes. The result of the parsing error was to skip the OCSP check. It was therefore possible for client certificates that should have been rejected (if the OCSP check had been made) to be accepted. Users not using OCSP checks are not affected by this vulnerability. Moderate CVE-2017-15698 SUSE bug 1078679 SUSE Linux Enterprise Server 11 SP3-TERADATA In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two characters value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out of bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all. Moderate CVE-2017-15710 SUSE bug 1086776 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27 contains a buffer overflow during unescaping of user names with the ~ operator. Moderate CVE-2017-15804 SUSE bug 1064580 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The bnep_add_connection function in net/bluetooth/bnep/core.c in the Linux kernel before 3.19 does not ensure that an l2cap socket is available, which allows local users to gain privileges via a crafted application. Important CVE-2017-15868 SUSE bug 1071470 SUSE bug 1071471 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files. Moderate CVE-2017-15906 SUSE bug 1064285 SUSE bug 1065000 SUSE bug 1074115 SUSE bug 1079488 SUSE bug 1090163 SUSE bug 1099316 SUSE bug 1138392 SUSE Linux Enterprise Server 11 SP3-TERADATA In ReadOneJNGImage in coders/png.c in GraphicsMagick 1.3.26, a Null Pointer Dereference occurs while transferring JPEG scanlines, related to a PixelPacket pointer. Moderate CVE-2017-15930 SUSE bug 1066003 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The aspath_put function in bgpd/bgp_aspath.c in Quagga before 1.2.2 allows remote attackers to cause a denial of service (session drop) via BGP UPDATE messages, because AS_PATH size calculation for long paths counts certain bytes twice and consequently constructs an invalid message. Moderate CVE-2017-16227 SUSE bug 1065641 SUSE Linux Enterprise Server 11 SP3-TERADATA GraphicsMagick 1.3.26 is vulnerable to a heap-based buffer overflow vulnerability found in the "Display visual image directory" feature of the DescribeImage() function of the magick/describe.c file. One possible way to trigger the vulnerability is to run the identify command on a specially crafted MIFF format file with the verbose flag. Moderate CVE-2017-16352 SUSE bug 1066168 SUSE bug 1066170 SUSE Linux Enterprise Server 11 SP3-TERADATA GraphicsMagick 1.3.26 is vulnerable to a memory information disclosure vulnerability found in the DescribeImage function of the magick/describe.c file, because of a heap-based buffer over-read. The portion of the code containing the vulnerability is responsible for printing the IPTC Profile information contained in the image. This vulnerability can be triggered with a specially crafted MIFF file. There is an out-of-bounds buffer dereference because certain increments are never checked. Moderate CVE-2017-16353 SUSE bug 1066170 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The usb_serial_console_disconnect function in drivers/usb/serial/console.c in the Linux kernel before 4.13.8 allows local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device, related to disconnection and failed setup. Moderate CVE-2017-16525 SUSE bug 1066618 SUSE bug 1146519 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA sound/usb/mixer.c in the Linux kernel before 4.13.8 allows local users to cause a denial of service (snd_usb_mixer_interrupt use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device. Moderate CVE-2017-16527 SUSE bug 1066625 SUSE bug 1087082 SUSE bug 1146519 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The snd_usb_create_streams function in sound/usb/card.c in the Linux kernel before 4.13.6 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device. Moderate CVE-2017-16529 SUSE bug 1066650 SUSE bug 1087082 SUSE bug 1146519 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA drivers/usb/core/config.c in the Linux kernel before 4.13.6 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device, related to the USB_DT_INTERFACE_ASSOCIATION descriptor. Moderate CVE-2017-16531 SUSE bug 1066671 SUSE bug 1087082 SUSE bug 1146519 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The usbhid_parse function in drivers/hid/usbhid/hid-core.c in the Linux kernel before 4.13.8 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device. Moderate CVE-2017-16533 SUSE bug 1066674 SUSE bug 1087082 SUSE bug 1146519 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The cdc_parse_cdc_header function in drivers/usb/core/message.c in the Linux kernel before 4.13.6 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device. Moderate CVE-2017-16534 SUSE bug 1066693 SUSE bug 1146519 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The usb_get_bos_descriptor function in drivers/usb/core/config.c in the Linux kernel before 4.13.10 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device. Moderate CVE-2017-16535 SUSE bug 1066700 SUSE bug 1087082 SUSE bug 1146519 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The cx231xx_usb_probe function in drivers/media/usb/cx231xx/cx231xx-cards.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device. Moderate CVE-2017-16536 SUSE bug 1066606 SUSE bug 1087082 SUSE bug 1146519 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The imon_probe function in drivers/media/rc/imon.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device. Moderate CVE-2017-16537 SUSE bug 1066573 SUSE bug 1087082 SUSE bug 1146519 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA drivers/media/usb/dvb-usb-v2/lmedm04.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (general protection fault and system crash) or possibly have unspecified other impact via a crafted USB device, related to a missing warm-start check and incorrect attach timing (dm04_lme2510_frontend_attach versus dm04_lme2510_tuner). Moderate CVE-2017-16538 SUSE bug 1066569 SUSE bug 1087082 SUSE bug 1146519 SUSE Linux Enterprise Server 11 SP3-TERADATA The ReadWPGImage function in coders/wpg.c in GraphicsMagick 1.3.26 does not properly validate colormapped images, which allows remote attackers to cause a denial of service (ImportIndexQuantumType invalid write and application crash) or possibly have unspecified other impact via a malformed WPG image. Moderate CVE-2017-16545 SUSE bug 1067184 SUSE Linux Enterprise Server 11 SP3-TERADATA The ReadWPGImage function in coders/wpg.c in ImageMagick 7.0.7-9 does not properly validate the colormap index in a WPG palette, which allows remote attackers to cause a denial of service (use of uninitialized data or invalid memory allocation) or possibly have unspecified other impact via a malformed WPG file. Moderate CVE-2017-16546 SUSE bug 1067181 SUSE Linux Enterprise Server 11 SP3-TERADATA The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-development does not check for a trailing '\0' character in an xattr name, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) or possibly have unspecified other impact by sending crafted data to the daemon. Moderate CVE-2017-16548 SUSE bug 1066644 SUSE Linux Enterprise Server 11 SP3-TERADATA libXcursor before 1.1.15 has various integer overflows that could lead to heap buffer overflows when processing malicious cursors, e.g., with programs like GIMP. It is also possible that an attack vector exists against the related code in cursor/xcursor.c in Wayland through 1.14.0. Important CVE-2017-16612 SUSE bug 1065386 SUSE Linux Enterprise Server 11 SP3-TERADATA In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x before 7.1.11, an error in the date extension's timelib_meridian handling of 'front of' and 'back of' directives could be used by attackers able to supply date strings to leak information from the interpreter, related to ext/date/lib/parse_date.c out-of-bounds reads affecting the php_parse_date function. NOTE: this is a different issue than CVE-2017-11145. Moderate CVE-2017-16642 SUSE bug 1048112 SUSE bug 1067441 SUSE bug 1076391 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The hdpvr_probe function in drivers/media/usb/hdpvr/hdpvr-core.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (improper error handling and system crash) or possibly have unspecified other impact via a crafted USB device. Moderate CVE-2017-16644 SUSE bug 1067118 SUSE bug 1087082 SUSE bug 1091815 SUSE bug 1146519 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The usbnet_generic_cdc_bind function in drivers/net/usb/cdc_ether.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified other impact via a crafted USB device. Moderate CVE-2017-16649 SUSE bug 1067085 SUSE bug 1067115 SUSE bug 1146519 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the loadbuf function in formisc.c in formail in procmail 3.22 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted e-mail message because of a hardcoded realloc size, a different vulnerability than CVE-2014-3618. Moderate CVE-2017-16844 SUSE bug 1068648 SUSE Linux Enterprise Server 11 SP3-TERADATA Stack-based buffer overflow in the _nc_write_entry function in tinfo/write_entry.c in ncurses 6.0 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted terminfo file, as demonstrated by tic. Important CVE-2017-16879 SUSE bug 1069530 SUSE bug 1123132 SUSE Linux Enterprise Server 11 SP3-TERADATA An array index error in the fig2dev program in Xfig 3.2.6a allows remote attackers to cause a denial-of-service attack or information disclosure with a maliciously crafted Fig format file, related to a negative font value in dev/gentikz.c, and the read_textobject functions in read.c and read1_3.c. Moderate CVE-2017-16899 SUSE bug 1069257 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The vhci_hcd driver in the Linux Kernel before version 4.14.8 and 4.4.114 allows allows local attackers to disclose kernel memory addresses. Successful exploitation requires that a USB device is attached over IP. Moderate CVE-2017-16911 SUSE bug 1078674 SUSE bug 1087082 SUSE bug 1091815 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The "get_pipe()" function (drivers/usb/usbip/stub_rx.c) in the Linux Kernel before version 4.14.8, 4.9.71, and 4.4.114 allows attackers to cause a denial of service (out-of-bounds read) via a specially crafted USB over IP packet. Moderate CVE-2017-16912 SUSE bug 1078673 SUSE bug 1087082 SUSE bug 1091815 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The "stub_recv_cmd_submit()" function (drivers/usb/usbip/stub_rx.c) in the Linux Kernel before version 4.14.8, 4.9.71, and 4.4.114 when handling CMD_SUBMIT packets allows attackers to cause a denial of service (arbitrary memory allocation) via a specially crafted USB over IP packet. Moderate CVE-2017-16913 SUSE bug 1078672 SUSE bug 1087082 SUSE bug 1091815 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The "stub_send_ret_submit()" function (drivers/usb/usbip/stub_tx.c) in the Linux Kernel before version 4.14.8, 4.9.71, 4.1.49, and 4.4.107 allows attackers to cause a denial of service (NULL pointer dereference) via a specially crafted USB over IP packet. Moderate CVE-2017-16914 SUSE bug 1078669 SUSE bug 1087082 SUSE bug 1091815 SUSE Linux Enterprise Server 11 SP3-TERADATA parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter entities. Important CVE-2017-16932 SUSE bug 1069689 SUSE bug 1103099 SUSE bug 1123129 SUSE bug 1123919 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The XFRM dump policy implementation in net/xfrm/xfrm_user.c in the Linux kernel before 4.13.11 allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink messages. Important CVE-2017-16939 SUSE bug 1069702 SUSE bug 1069708 SUSE bug 1119445 SUSE bug 1120260 SUSE Linux Enterprise Server 11 SP3-TERADATA In libsndfile 1.0.25 (fixed in 1.0.26), a divide-by-zero error exists in the function wav_w64_read_fmt_chunk() in wav_w64.c, which may lead to DoS when playing a crafted audio file. Moderate CVE-2017-16942 SUSE bug 1069874 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.4.0 to 2.4.2 and 2.2.0 to 2.2.10, the NetBIOS dissector could crash. This was addressed in epan/dissectors/packet-netbios.c by ensuring that write operations are bounded by the beginning of a buffer. Moderate CVE-2017-17083 SUSE bug 1070727 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.4.0 to 2.4.2 and 2.2.0 to 2.2.10, the IWARP_MPA dissector could crash. This was addressed in epan/dissectors/packet-iwarp-mpa.c by validating a ULPDU length. Moderate CVE-2017-17084 SUSE bug 1070727 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.4.0 to 2.4.2 and 2.2.0 to 2.2.10, the CIP Safety dissector could crash. This was addressed in epan/dissectors/packet-cipsafety.c by validating the packet length. Moderate CVE-2017-17085 SUSE bug 1070727 SUSE Linux Enterprise Server 11 SP3-TERADATA The recv_files function in receiver.c in the daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, proceeds with certain file metadata updates before checking for a filename in the daemon_filter_list data structure, which allows remote attackers to bypass intended access restrictions. Moderate CVE-2017-17433 SUSE bug 1071459 SUSE Linux Enterprise Server 11 SP3-TERADATA The daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, does not check for fnamecmp filenames in the daemon_filter_list data structure (in the recv_files function in receiver.c) and also does not apply the sanitize_paths protection mechanism to pathnames found in "xname follows" strings (in the read_ndx_and_attrs function in rsync.c), which allows remote attackers to bypass intended access restrictions. Moderate CVE-2017-17434 SUSE bug 1071460 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA net/netfilter/xt_osf.c in the Linux kernel through 4.14.4 does not require the CAP_NET_ADMIN capability for add_callback and remove_callback operations, which allows local users to bypass intended access restrictions because the xt_osf_fingers data structure is shared across all net namespaces. Moderate CVE-2017-17450 SUSE bug 1071695 SUSE bug 1074033 SUSE Linux Enterprise Server 11 SP3-TERADATA ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-14245. Reason: This candidate is a duplicate of CVE-2017-14245. Notes: All CVE users should reference CVE-2017-14245 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Moderate CVE-2017-17456 SUSE bug 1059912 SUSE bug 1071777 SUSE bug 1117906 SUSE Linux Enterprise Server 11 SP3-TERADATA ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-14246. Reason: This candidate is a duplicate of CVE-2017-14246. Notes: All CVE users should reference CVE-2017-14246 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Moderate CVE-2017-17457 SUSE bug 1059913 SUSE bug 1071767 SUSE bug 1117906 SUSE Linux Enterprise Server 11 SP3-TERADATA The ucnv_UTF8FromUTF8 function in ucnv_u8.cpp in International Components for Unicode (ICU) for C/C++ through 60.1 mishandles ucnv_convertEx calls for UTF-8 to UTF-8 conversion, which allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted string, as demonstrated by ZNC. Moderate CVE-2017-17484 SUSE bug 1072193 SUSE bug 1123121 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick before 7.0.7-12 has a coders/png.c Magick_png_read_raw_profile heap-based buffer over-read via a crafted file, related to ReadOneMNGImage. Moderate CVE-2017-17504 SUSE bug 1072362 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The usb_destroy_configuration function in drivers/usb/core/config.c in the USB core subsystem in the Linux kernel through 4.14.5 does not consider the maximum number of configurations and interfaces before attempting to release resources, which allows local users to cause a denial of service (out-of-bounds write access) or possibly have unspecified other impact via a crafted USB device. Moderate CVE-2017-17558 SUSE bug 1072561 SUSE bug 1087082 SUSE bug 1146519 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in Xen through 4.9.x allowing guest OS users to cause a denial of service (host OS crash) or gain host OS privileges by leveraging an incorrect mask for reference-count overflow checking in shadow mode. Moderate CVE-2017-17563 SUSE bug 1070159 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in Xen through 4.9.x allowing guest OS users to cause a denial of service (host OS crash) or gain host OS privileges by leveraging incorrect error handling for reference counting in shadow mode. Moderate CVE-2017-17564 SUSE bug 1070160 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in Xen through 4.9.x allowing PV guest OS users to cause a denial of service (host OS crash) if shadow mode and log-dirty mode are in place, because of an incorrect assertion related to M2P. Moderate CVE-2017-17565 SUSE bug 1070163 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in Xen through 4.9.x allowing PV guest OS users to cause a denial of service (host OS crash) or gain host OS privileges in shadow mode by mapping a certain auxiliary page. Moderate CVE-2017-17566 SUSE bug 1070158 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was found in the function ReadXPMImage in coders/xpm.c, which allows attackers to cause a denial of service via a crafted xpm image file. Moderate CVE-2017-17680 SUSE bug 1072902 SUSE bug 1074122 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.7-12 Q16, a large loop vulnerability was found in the function ExtractPostscript in coders/wpg.c, which allows attackers to cause a denial of service (CPU exhaustion) via a crafted wpg image file that triggers a ReadWPGImage call. Moderate CVE-2017-17682 SUSE bug 1072898 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The KVM implementation in the Linux kernel through 4.14.7 allows attackers to obtain potentially sensitive information from kernel memory, aka a write_mmio stack-based out-of-bounds read, related to arch/x86/kvm/x86.c and include/trace/events/kvm.h. Important CVE-2017-17741 SUSE bug 1073311 SUSE bug 1091815 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The Salsa20 encryption algorithm in the Linux kernel before 4.14.8 does not correctly handle zero-length inputs, allowing a local attacker able to use the AF_ALG-based skcipher interface (CONFIG_CRYPTO_USER_API_SKCIPHER) to cause a denial of service (uninitialized-memory free and kernel crash) or have unspecified other impact by executing a crafted sequence of system calls that use the blkcipher_walk API. Both the generic implementation (crypto/salsa20_generic.c) and x86 implementation (arch/x86/crypto/salsa20_glue.c) of Salsa20 were vulnerable. Important CVE-2017-17805 SUSE bug 1073792 SUSE bug 1087082 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The HMAC implementation (crypto/hmac.c) in the Linux kernel before 4.14.8 does not validate that the underlying cryptographic hash algorithm is unkeyed, allowing a local attacker able to use the AF_ALG-based hash interface (CONFIG_CRYPTO_USER_API_HASH) and the SHA-3 hash algorithm (CONFIG_CRYPTO_SHA3) to cause a kernel stack buffer overflow by executing a crafted sequence of system calls that encounter a missing SHA-3 initialization. Low CVE-2017-17806 SUSE bug 1073874 SUSE bug 1087082 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA OpenSLP releases in the 1.0.2 and 1.1.0 code streams have a heap-related memory corruption issue which may manifest itself as a denial-of-service or a remote code-execution vulnerability. Important CVE-2017-17833 SUSE bug 1090638 SUSE bug 1099519 SUSE bug 1126909 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-21, there is a heap-based buffer over-read in ReadOneMNGImage in coders/png.c, related to length calculation and caused by an off-by-one error. Low CVE-2017-17879 SUSE bug 1074125 SUSE bug 1074175 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was found in the function ReadMATImage in coders/mat.c, which allows attackers to cause a denial of service via a crafted MAT image file. Moderate CVE-2017-17881 SUSE bug 1074123 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was found in the function ReadXPMImage in coders/xpm.c, which allows attackers to cause a denial of service via a crafted XPM image file. Moderate CVE-2017-17882 SUSE bug 1074122 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.7-16 Q16, a memory leak vulnerability was found in the function WriteOnePNGImage in coders/png.c, which allows attackers to cause a denial of service via a crafted PNG image file. Moderate CVE-2017-17884 SUSE bug 1074120 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was found in the function ReadPICTImage in coders/pict.c, which allows attackers to cause a denial of service via a crafted PICT image file. Moderate CVE-2017-17885 SUSE bug 1074119 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.7-16 Q16, a vulnerability was found in the function ReadOnePNGImage in coders/png.c, which allows attackers to cause a denial of service (ReadOneMNGImage large loop) via a crafted mng image file. Moderate CVE-2017-17914 SUSE bug 1074185 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick 7.0.7-17 Q16 x86_64 has memory leaks in coders/msl.c, related to MSLPopImage and ProcessMSLScript, and associated with mishandling of MSLPushImage calls. Moderate CVE-2017-17934 SUSE bug 1074170 SUSE Linux Enterprise Server 11 SP3-TERADATA The File_read_line function in epan/wslua/wslua_file.c in Wireshark through 2.2.11 does not properly strip '\n' characters, which allows remote attackers to cause a denial of service (buffer underflow and application crash) via a crafted packet that triggers the attempted processing of an empty line. Moderate CVE-2017-17935 SUSE bug 1074171 SUSE Linux Enterprise Server 11 SP3-TERADATA In LibTIFF 4.0.9, there is a heap-based buffer over-read in the function PackBitsEncode in tif_packbits.c. Moderate CVE-2017-17942 SUSE bug 1074186 SUSE bug 1150480 SUSE bug 983440 SUSE Linux Enterprise Server 11 SP3-TERADATA ** DISPUTED ** In LibTIFF 4.0.8, there is a heap-based use-after-free in the t2p_writeproc function in tiff2pdf.c. NOTE: there is a third-party report of inability to reproduce this issue. Important CVE-2017-17973 SUSE bug 1074318 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark before 2.2.12, the MRDISC dissector misuses a NULL pointer and crashes. This was addressed in epan/dissectors/packet-mrdisc.c by validating an IPv4 address. This vulnerability is similar to CVE-2017-9343. Moderate CVE-2017-17997 SUSE bug 1077080 SUSE Linux Enterprise Server 11 SP3-TERADATA In LibTIFF 4.0.9, there is a Null-Pointer Dereference in the tif_print.c TIFFPrintDirectory function, as demonstrated by a tiffinfo crash. Important CVE-2017-18013 SUSE bug 1074317 SUSE bug 1082825 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The tcpmss_mangle_packet function in net/netfilter/xt_TCPMSS.c in the Linux kernel before 4.11, and 4.9.x before 4.9.36, allows remote attackers to cause a denial of service (use-after-free and memory corruption) or possibly have unspecified other impact by leveraging the presence of xt_TCPMSS in an iptables action. Moderate CVE-2017-18017 SUSE bug 1074488 SUSE bug 1080255 SUSE bug 1091815 SUSE bug 971126 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.7-12 Q16, there are memory leaks in MontageImageCommand in MagickWand/montage.c. Moderate CVE-2017-18022 SUSE bug 1074969 SUSE bug 1074975 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.7-1 Q16, a memory leak vulnerability was found in the function ReadMATImage in coders/mat.c, which allow remote attackers to cause a denial of service via a crafted file. Moderate CVE-2017-18027 SUSE bug 1076051 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.7-1 Q16, a memory exhaustion vulnerability was found in the function ReadTIFFImage in coders/tiff.c, which allow remote attackers to cause a denial of service via a crafted file. Low CVE-2017-18028 SUSE bug 1076182 SUSE bug 1082792 SUSE bug 1085236 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.6-10 Q16, a memory leak vulnerability was found in the function ReadMATImage in coders/mat.c, which allow remote attackers to cause a denial of service via a crafted file. Moderate CVE-2017-18029 SUSE bug 1076021 SUSE bug 1076051 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The cirrus_invalidate_region function in hw/display/cirrus_vga.c in Qemu allows local OS guest privileged users to cause a denial of service (out-of-bounds array access and QEMU process crash) via vectors related to negative pitch. Low CVE-2017-18030 SUSE bug 1076179 SUSE bug 1076180 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA drivers/input/serio/i8042.c in the Linux kernel before 4.12.4 allows attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact because the port->exists value can change after it is validated. Moderate CVE-2017-18079 SUSE bug 1077922 SUSE bug 1091815 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The dm_get_from_kobject function in drivers/md/dm.c in the Linux kernel before 4.14.3 allow local users to cause a denial of service (BUG) by leveraging a race condition with __dm_destroy during creation and removal of DM devices. Moderate CVE-2017-18203 SUSE bug 1083242 SUSE bug 1091815 SUSE Linux Enterprise Server 11 SP3-TERADATA ** DISPUTED ** The Wave_read._read_fmt_chunk function in Lib/wave.py in Python through 3.6.4 does not ensure a nonzero channel value, which allows attackers to cause a denial of service (divide-by-zero and exception) via a crafted wav format audio file. NOTE: the vendor disputes this issue because Python applications "need to be prepared to handle a wide variety of exceptions." Moderate CVE-2017-18207 SUSE bug 1083507 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The madvise_willneed function in mm/madvise.c in the Linux kernel before 4.14.4 allows local users to cause a denial of service (infinite loop) by triggering use of MADVISE_WILLNEED for a DAX mapping. Moderate CVE-2017-18208 SUSE bug 1083494 SUSE bug 1087082 SUSE bug 1091815 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in GraphicsMagick 1.3.26. An allocation failure vulnerability was found in the function ReadOnePNGImage in coders/png.c, which allows attackers to cause a denial of service via a crafted file that triggers an attempt at a large png_pixels array allocation. Moderate CVE-2017-18219 SUSE bug 1084060 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in Exempi before 2.4.3. It allows remote attackers to cause a denial of service (invalid memcpy with resultant use-after-free) or possibly have unspecified other impact via a .pdf file containing JPEG data, related to XMPFiles/source/FormatSupport/ReconcileTIFF.cpp, XMPFiles/source/FormatSupport/TIFF_MemoryReader.cpp, and XMPFiles/source/FormatSupport/TIFF_Support.hpp. Moderate CVE-2017-18234 SUSE bug 1085585 SUSE bug 1103718 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in ImageMagick 7.0.7. A memory leak vulnerability was found in the function ReadPCDImage in coders/pcd.c, which allow remote attackers to cause a denial of service via a crafted file. Low CVE-2017-18251 SUSE bug 1087037 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in ImageMagick 7.0.7. The MogrifyImageList function in MagickWand/mogrify.c allows attackers to cause a denial of service (assertion failure and application exit in ReplaceImageInList) via a crafted file. Low CVE-2017-18252 SUSE bug 1087033 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in ImageMagick 7.0.7. A memory leak vulnerability was found in the function WriteGIFImage in coders/gif.c, which allow remote attackers to cause a denial of service via a crafted file. Low CVE-2017-18254 SUSE bug 1087027 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22, an infinite loop vulnerability was found in the function ReadMIFFImage in coders/miff.c, which allows attackers to cause a denial of service (CPU exhaustion) via a crafted MIFF image file. Low CVE-2017-18271 SUSE bug 1094204 SUSE Linux Enterprise Server 11 SP3-TERADATA In change_port_settings in drivers/usb/serial/io_ti.c in the Linux kernel before 4.11.3, local users could cause a denial of service by division-by-zero in the serial device layer by trying to set very high baud rates. Moderate CVE-2017-18360 SUSE bug 1123706 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in net/ipv6/ip6mr.c in the Linux kernel before 4.11. By setting a specific socket option, an attacker can control a pointer in kernel land and cause an inet_csk_listen_stop general protection fault, or potentially execute arbitrary code under certain circumstances. The issue can be triggered as root (e.g., inside a default LXC container or with the CAP_NET_ADMIN capability) or after namespace unsharing. This occurs because sk_type and protocol are not checked in the appropriate part of the ip6_mroute_* functions. NOTE: this affects Linux distributions that use 4.9.x longterm kernels before 4.9.187. Moderate CVE-2017-18509 SUSE bug 1145477 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in drivers/i2c/i2c-core-smbus.c in the Linux kernel before 4.14.15. There is an out of bounds write in the function i2c_smbus_xfer_emulated. Moderate CVE-2017-18551 SUSE bug 1146163 SUSE Linux Enterprise Server 11 SP3-TERADATA Versions of Puppet prior to 4.10.1 will deserialize data off the wire (from the agent to the server, in this case) with a attacker-specified format. This could be used to force YAML deserialization in an unsafe manner, which would lead to remote code execution. This change constrains the format of data on the wire to PSON or safely decoded YAML. Important CVE-2017-2295 SUSE bug 1040151 SUSE Linux Enterprise Server 11 SP3-TERADATA An out-of-bounds read vulnerability was found in netpbm before 10.61. The expandCodeOntoStack() function has an insufficient code value check, so that a maliciously crafted file could cause the application to crash or possibly allows code execution. Low CVE-2017-2579 SUSE bug 1024287 SUSE bug 1024288 SUSE Linux Enterprise Server 11 SP3-TERADATA An out-of-bounds write vulnerability was found in netpbm before 10.61. A maliciously crafted file could cause the application to crash or possibly allow code execution. Moderate CVE-2017-2580 SUSE bug 1024287 SUSE bug 1024291 SUSE Linux Enterprise Server 11 SP3-TERADATA An out-of-bounds write vulnerability was found in netpbm before 10.61. A maliciously crafted file could cause the application to crash or possibly allow code execution. Moderate CVE-2017-2581 SUSE bug 1024287 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the QEMU process resulting in DoS or potentially execute arbitrary code on the host with privileges of QEMU process on the host. Moderate CVE-2017-2615 SUSE bug 1023004 SUSE Linux Enterprise Server 11 SP3-TERADATA A race condition was found in util-linux before 2.32.1 in the way su handled the management of child processes. A local authenticated attacker could use this flaw to kill other processes with root privileges under specific conditions. Important CVE-2017-2616 SUSE bug 1023041 SUSE bug 1123789 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Samba before versions 4.6.1, 4.5.7 and 4.4.11 are vulnerable to a malicious client using a symlink race to allow access to areas of the server file system not exported under the share definition. Important CVE-2017-2619 SUSE bug 1027147 SUSE bug 1036283 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Quick emulator (QEMU) before 2.8 built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the QEMU process OR potentially execute arbitrary code on host with privileges of the QEMU process. Moderate CVE-2017-2620 SUSE bug 1024834 SUSE bug 1024972 SUSE Linux Enterprise Server 11 SP3-TERADATA It was found that xorg-x11-server before 1.19.0 including uses memcmp() to check the received MIT cookie against a series of valid cookies. If the cookie is correct, it is allowed to attach to the Xorg session. Since most memcmp() implementations return after an invalid byte is seen, this causes a time difference between a valid and invalid byte, which could allow an efficient brute force attack. Moderate CVE-2017-2624 SUSE bug 1025029 SUSE bug 1025639 SUSE bug 1035283 SUSE Linux Enterprise Server 11 SP3-TERADATA It was discovered that libXdmcp before 1.1.2 including used weak entropy to generate session keys. On a multi-user system using xdmcp, a local attacker could potentially use information available from the process list to brute force the key, allowing them to hijack other users' sessions. Moderate CVE-2017-2625 SUSE bug 1025046 SUSE bug 1025068 SUSE bug 1025639 SUSE bug 1123802 SUSE bug 815650 SUSE Linux Enterprise Server 11 SP3-TERADATA It was discovered that libICE before 1.0.9-8 used a weak entropy to generate keys. A local attacker could potentially use this flaw for session hijacking using the information available from the process list. Moderate CVE-2017-2626 SUSE bug 1025068 SUSE bug 1025639 SUSE bug 1048274 SUSE bug 1123800 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An out-of-bounds memory access issue was found in Quick Emulator (QEMU) before 1.7.2 in the VNC display driver. This flaw could occur while refreshing the VNC display surface area in the 'vnc_refresh_server_surface'. A user inside a guest could use this flaw to crash the QEMU process. Moderate CVE-2017-2633 SUSE bug 1026612 SUSE bug 1026636 SUSE bug 1074701 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Race condition in drivers/tty/n_hdlc.c in the Linux kernel through 4.10.1 allows local users to gain privileges or cause a denial of service (double free) by setting the HDLC line discipline. Important CVE-2017-2636 SUSE bug 1027565 SUSE bug 1027575 SUSE bug 1028372 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The KEYS subsystem in the Linux kernel before 3.18 allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via vectors involving a NULL value for a certain match field, related to the keyring_search_iterator function in keyring.c. Important CVE-2017-2647 SUSE bug 1030593 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The ping_unhash function in net/ipv4/ping.c in the Linux kernel through 4.10.8 is too late in obtaining a certain lock and consequently cannot ensure that disconnect function calls are safe, which allows local users to cause a denial of service (panic) by leveraging access to the protocol value of IPPROTO_ICMP in a socket system call. Important CVE-2017-2671 SUSE bug 1027179 SUSE bug 1031003 SUSE bug 1087082 SUSE Linux Enterprise Server 11 SP3-TERADATA An exploitable heap overflow vulnerability exists in the gdk_pixbuf__jpeg_image_load_increment functionality of Gdk-Pixbuf 2.36.6. A specially crafted jpeg file can cause a heap overflow resulting in remote code execution. An attacker can send a file or url to trigger this vulnerability. Important CVE-2017-2862 SUSE bug 1048289 SUSE Linux Enterprise Server 11 SP3-TERADATA An exploitable integer overflow vulnerability exists in the tiff_image_parse functionality of Gdk-Pixbuf 2.36.6 when compiled with Clang. A specially crafted tiff file can cause a heap-overflow resulting in remote code execution. An attacker can send a file or a URL to trigger this vulnerability. Important CVE-2017-2870 SUSE bug 1048289 SUSE bug 1048544 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Under some conditions when using both DNS64 and RPZ to rewrite query responses, query processing can resume in an inconsistent state leading to either an INSIST assertion failure or an attempt to read through a NULL pointer. Affects BIND 9.8.8, 9.9.3-S1 -> 9.9.9-S7, 9.9.3 -> 9.9.9-P5, 9.9.10b1, 9.10.0 -> 9.10.4-P5, 9.10.5b1, 9.11.0 -> 9.11.0-P2, 9.11.1b1. Important CVE-2017-3135 SUSE bug 1018700 SUSE bug 1018701 SUSE bug 1018702 SUSE bug 1024130 SUSE bug 1033466 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 A query with a specific set of characteristics could cause a server using DNS64 to encounter an assertion failure and terminate. An attacker could deliberately construct a query, enabling denial-of-service against a server if it was configured to use the DNS64 feature and other preconditions were met. Affects BIND 9.8.0 -> 9.8.8-P1, 9.9.0 -> 9.9.9-P6, 9.9.10b1->9.9.10rc1, 9.10.0 -> 9.10.4-P6, 9.10.5b1->9.10.5rc1, 9.11.0 -> 9.11.0-P3, 9.11.1b1->9.11.1rc1, 9.9.3-S1 -> 9.9.9-S8. Moderate CVE-2017-3136 SUSE bug 1018700 SUSE bug 1018701 SUSE bug 1018702 SUSE bug 1024130 SUSE bug 1033461 SUSE bug 1033466 SUSE bug 1081545 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Mistaken assumptions about the ordering of records in the answer section of a response containing CNAME or DNAME resource records could lead to a situation in which named would exit with an assertion failure when processing a response in which records occurred in an unusual order. Affects BIND 9.9.9-P6, 9.9.10b1->9.9.10rc1, 9.10.4-P6, 9.10.5b1->9.10.5rc1, 9.11.0-P3, 9.11.1b1->9.11.1rc1, and 9.9.9-S8. Important CVE-2017-3137 SUSE bug 1018700 SUSE bug 1018701 SUSE bug 1018702 SUSE bug 1024130 SUSE bug 1033461 SUSE bug 1033466 SUSE bug 1033467 SUSE bug 1034162 SUSE bug 1076118 SUSE bug 1081545 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 named contains a feature which allows operators to issue commands to a running server by communicating with the server process over a control channel, using a utility program such as rndc. A regression introduced in a recent feature change has created a situation under which some versions of named can be caused to exit with a REQUIRE assertion failure if they are sent a null command string. Affects BIND 9.9.9->9.9.9-P7, 9.9.10b1->9.9.10rc2, 9.10.4->9.10.4-P7, 9.10.5b1->9.10.5rc2, 9.11.0->9.11.0-P4, 9.11.1b1->9.11.1rc2, 9.9.9-S1->9.9.9-S9. Moderate CVE-2017-3138 SUSE bug 1018700 SUSE bug 1018701 SUSE bug 1018702 SUSE bug 1024130 SUSE bug 1033461 SUSE bug 1033466 SUSE bug 1033468 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An attacker who is able to send and receive messages to an authoritative DNS server and who has knowledge of a valid TSIG key name may be able to circumvent TSIG authentication of AXFR requests via a carefully constructed request packet. A server that relies solely on TSIG keys for protection with no other ACL protection could be manipulated into: providing an AXFR of a zone to an unauthorized recipient or accepting bogus NOTIFY packets. Affects BIND 9.4.0->9.8.8, 9.9.0->9.9.10-P1, 9.10.0->9.10.5-P1, 9.11.0->9.11.1-P1, 9.9.3-S1->9.9.10-S2, 9.10.5-S1->9.10.5-S2. Important CVE-2017-3142 SUSE bug 1024130 SUSE bug 1046554 SUSE bug 1046555 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An attacker who is able to send and receive messages to an authoritative DNS server and who has knowledge of a valid TSIG key name for the zone and service being targeted may be able to manipulate BIND into accepting an unauthorized dynamic update. Affects BIND 9.4.0->9.8.8, 9.9.0->9.9.10-P1, 9.10.0->9.10.5-P1, 9.11.0->9.11.1-P1, 9.9.3-S1->9.9.10-S2, 9.10.5-S1->9.10.5-S2. Important CVE-2017-3143 SUSE bug 1024130 SUSE bug 1046554 SUSE bug 1046555 SUSE Linux Enterprise Server 11 SP3-TERADATA A vulnerability stemming from failure to properly clean up closed OMAPI connections can lead to exhaustion of the pool of socket descriptors available to the DHCP server. Affects ISC DHCP 4.1.0 to 4.1-ESV-R15, 4.2.0 to 4.2.8, 4.3.0 to 4.3.6. Older versions may also be affected but are well beyond their end-of-life (EOL). Releases prior to 4.1.0 have not been tested. Moderate CVE-2017-3144 SUSE bug 1076118 SUSE bug 1076119 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA BIND was improperly sequencing cleanup operations on upstream recursion fetch contexts, leading in some cases to a use-after-free error that can trigger an assertion failure and crash in named. Affects BIND 9.0.0 to 9.8.x, 9.9.0 to 9.9.11, 9.10.0 to 9.10.6, 9.11.0 to 9.11.2, 9.9.3-S1 to 9.9.11-S1, 9.10.5-S1 to 9.10.6-S1, 9.12.0a1 to 9.12.0rc1. Important CVE-2017-3145 SUSE bug 1076118 SUSE bug 1101131 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed. Important CVE-2017-3167 SUSE bug 1045065 SUSE bug 1049674 SUSE bug 1052635 SUSE bug 1060041 SUSE bug 1078450 SUSE bug 1095150 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port. Moderate CVE-2017-3169 SUSE bug 1045062 SUSE bug 1049674 SUSE bug 1052635 SUSE bug 1060041 SUSE bug 1078450 SUSE bug 1095150 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts). Moderate CVE-2017-3238 SUSE bug 1020868 SUSE bug 1020882 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Charsets). Supported versions that are affected are 5.5.53 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 4.4 (Availability impacts). Moderate CVE-2017-3243 SUSE bug 1020868 SUSE bug 1020891 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts). Moderate CVE-2017-3244 SUSE bug 1020868 SUSE bug 1020877 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts). Moderate CVE-2017-3258 SUSE bug 1020868 SUSE bug 1020875 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Packaging). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 5.6 (Confidentiality and Availability impacts). Important CVE-2017-3265 SUSE bug 1020868 SUSE bug 1020885 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Packaging). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS v3.0 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). Important CVE-2017-3291 SUSE bug 1020868 SUSE bug 1020884 SUSE bug 998309 SUSE Linux Enterprise Server 11 SP3-TERADATA Crash in libmysqlclient.so in Oracle MySQL before 5.6.21 and 5.7.x before 5.7.5 and MariaDB through 5.5.54, 10.0.x through 10.0.29, 10.1.x through 10.1.21, and 10.2.x through 10.2.3. Moderate CVE-2017-3302 SUSE bug 1022428 SUSE bug 1034850 SUSE bug 1034911 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: C API). Supported versions that are affected are 5.5.55 and earlier and 5.6.35 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data. CVSS 3.0 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N). NOTE: the previous information is from the April 2017 CPU. Oracle has not commented on third-party claims that this issue allows man-in-the-middle attackers to hijack the authentication of users by leveraging incorrect ordering of security parameter verification in a client, aka, "The Riddle". Moderate CVE-2017-3305 SUSE bug 1029396 SUSE bug 1034850 SUSE bug 1037590 SUSE bug 924663 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily "exploitable" vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. While the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 7.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H). Moderate CVE-2017-3308 SUSE bug 1034850 SUSE bug 1048715 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily "exploitable" vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. While the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 7.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H). Moderate CVE-2017-3309 SUSE bug 1034850 SUSE bug 1048715 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Packaging). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS v3.0 Base Score 6.7 (Confidentiality, Integrity and Availability impacts). Important CVE-2017-3312 SUSE bug 1020868 SUSE bug 1020873 SUSE bug 998309 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: MyISAM). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data. CVSS v3.0 Base Score 4.7 (Confidentiality impacts). Moderate CVE-2017-3313 SUSE bug 1020868 SUSE bug 1020890 SUSE bug 1034911 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Logging). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 4.0 (Availability impacts). Moderate CVE-2017-3317 SUSE bug 1020868 SUSE bug 1020894 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Error Handling). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data. CVSS v3.0 Base Score 4.0 (Confidentiality impacts). Moderate CVE-2017-3318 SUSE bug 1020868 SUSE bug 1020896 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Thread Pooling). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily "exploitable" vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Moderate CVE-2017-3329 SUSE bug 1034850 SUSE bug 1048715 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily "exploitable" vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). Moderate CVE-2017-3453 SUSE bug 1034850 SUSE bug 1048715 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily "exploitable" vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). Moderate CVE-2017-3456 SUSE bug 1034850 SUSE bug 1048715 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily "exploitable" vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). Moderate CVE-2017-3461 SUSE bug 1034850 SUSE bug 1048715 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily "exploitable" vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). Moderate CVE-2017-3462 SUSE bug 1034850 SUSE bug 1048715 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily "exploitable" vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). Moderate CVE-2017-3463 SUSE bug 1034850 SUSE bug 1048715 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily "exploitable" vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N). Moderate CVE-2017-3464 SUSE bug 1034850 SUSE bug 1048715 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 6u141, 7u131 and 8u121; Java SE Embedded: 8u121. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 4.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N). Important CVE-2017-3509 SUSE bug 1034849 SUSE bug 1038505 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JCE). Supported versions that are affected are Java SE: 7u131 and 8u121; Java SE Embedded: 8u121; JRockit: R28.3.13. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Java SE, Java SE Embedded, JRockit executes to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, JRockit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H). Important CVE-2017-3511 SUSE bug 1034849 SUSE bug 1038505 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE component of Oracle Java SE (subcomponent: AWT). Supported versions that are affected are Java SE: 6u141, 7u131 and 8u121. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H). Important CVE-2017-3514 SUSE bug 1034849 SUSE bug 1038505 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 6u141, 7u131 and 8u121; Java SE Embedded: 8u121; JRockit: R28.3.13. Difficult to exploit vulnerability allows unauthenticated attacker with network access via FTP to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded, JRockit accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N). Important CVE-2017-3533 SUSE bug 1034849 SUSE bug 1038505 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u141, 7u131 and 8u121; Java SE Embedded: 8u121. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N). Moderate CVE-2017-3539 SUSE bug 1005522 SUSE bug 1034849 SUSE bug 1038505 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 6u141, 7u131 and 8u121; Java SE Embedded: 8u121; JRockit: R28.3.13. Difficult to exploit vulnerability allows unauthenticated attacker with network access via SMTP to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded, JRockit accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N). Important CVE-2017-3544 SUSE bug 1034849 SUSE bug 1038505 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H). Moderate CVE-2017-3600 SUSE bug 1029014 SUSE bug 1034850 SUSE bug 1048715 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/C). Supported versions that are affected are 6.1.10 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors. Note: The documentation has also been updated for the correct way to use mysql_stmt_close(). Please see: https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-execute.html, https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-fetch.html, https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-close.html, https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-error.html, https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-errno.html, and https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-sqlstate.html. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H). Moderate CVE-2017-3635 SUSE bug 1049397 SUSE bug 1049398 SUSE bug 1049422 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.56 and earlier and 5.6.36 and earlier. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.0 Base Score 5.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). Moderate CVE-2017-3636 SUSE bug 1049399 SUSE bug 1049422 SUSE bug 1054591 SUSE bug 1076506 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.5.56 and earlier, 5.6.36 and earlier and 5.7.18 and earlier. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). Moderate CVE-2017-3641 SUSE bug 1049404 SUSE bug 1049422 SUSE bug 1054591 SUSE bug 1076506 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Charsets). Supported versions that are affected are 5.5.56 and earlier, 5.6.36 and earlier and 5.7.18 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H). Moderate CVE-2017-3648 SUSE bug 1049411 SUSE bug 1049422 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.56 and earlier, 5.6.36 and earlier and 5.7.18 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N). Moderate CVE-2017-3651 SUSE bug 1049415 SUSE bug 1049422 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.5.56 and earlier, 5.6.36 and earlier and 5.7.18 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 4.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N). Moderate CVE-2017-3652 SUSE bug 1049416 SUSE bug 1049422 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.5.56 and earlier, 5.6.36 and earlier and 5.7.18 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N). Low CVE-2017-3653 SUSE bug 1049417 SUSE bug 1049422 SUSE bug 1054591 SUSE bug 1076506 SUSE Linux Enterprise Server 11 SP3-TERADATA If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. For OpenSSL 1.1.0, the crash can be triggered when using CHACHA20/POLY1305; users should upgrade to 1.1.0d. For Openssl 1.0.2, the crash can be triggered when using RC4-MD5; users who have not disabled that algorithm should update to 1.0.2k. Moderate CVE-2017-3731 SUSE bug 1021641 SUSE bug 1022085 SUSE bug 1025347 SUSE bug 1025354 SUSE bug 1064118 SUSE bug 1064119 SUSE Linux Enterprise Server 11 SP3-TERADATA While parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in an incorrect text display of the certificate. This bug has been present since 2006 and is present in all versions of OpenSSL before 1.0.2m and 1.1.0g. Moderate CVE-2017-3735 SUSE bug 1056058 SUSE Linux Enterprise Server 11 SP3-TERADATA The xsltAddTextString function in transform.c in libxslt 1.1.29, as used in Blink in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android, lacked a check for integer overflow during a size calculation, which allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. Important CVE-2017-5029 SUSE bug 1028848 SUSE bug 1028875 SUSE bug 1035905 SUSE bug 1123130 SUSE Linux Enterprise Server 11 SP3-TERADATA An integer overflow in xmlmemory.c in libxml2 before 2.9.5, as used in Google Chrome prior to 62.0.3202.62 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted XML file. Important CVE-2017-5130 SUSE bug 1064066 SUSE bug 1064089 SUSE bug 1078806 SUSE bug 1123129 SUSE bug 1123919 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS Salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, and 2016.11.x before 2016.11.2 allows arbitrary command execution on a salt-master via Salt's ssh_client. Important CVE-2017-5200 SUSE bug 1011800 SUSE Linux Enterprise Server 11 SP3-TERADATA The ISO CLNS parser in tcpdump before 4.9.0 has a buffer overflow in print-isoclns.c:clnp_print(). Moderate CVE-2017-5202 SUSE bug 1020940 SUSE Linux Enterprise Server 11 SP3-TERADATA The BOOTP parser in tcpdump before 4.9.0 has a buffer overflow in print-bootp.c:bootp_print(). Moderate CVE-2017-5203 SUSE bug 1020940 SUSE Linux Enterprise Server 11 SP3-TERADATA The IPv6 parser in tcpdump before 4.9.0 has a buffer overflow in print-ip6.c:ip6_print(). Moderate CVE-2017-5204 SUSE bug 1020940 SUSE Linux Enterprise Server 11 SP3-TERADATA LibTIFF version 4.0.7 is vulnerable to a heap buffer overflow in the tools/tiffcp resulting in DoS or code execution via a crafted BitsPerSample value. Important CVE-2017-5225 SUSE bug 1019611 SUSE Linux Enterprise Server 11 SP3-TERADATA The stream reading functions in lib/opencdk/read-packet.c in GnuTLS before 3.3.26 and 3.5.x before 3.5.8 allow remote attackers to cause a denial of service (out-of-memory error and crash) via a crafted OpenPGP certificate. Moderate CVE-2017-5335 SUSE bug 1018832 SUSE bug 1021057 SUSE Linux Enterprise Server 11 SP3-TERADATA Stack-based buffer overflow in the cdk_pk_get_keyid function in lib/opencdk/pubkey.c in GnuTLS before 3.3.26 and 3.5.x before 3.5.8 allows remote attackers to have unspecified impact via a crafted OpenPGP certificate. Moderate CVE-2017-5336 SUSE bug 1018832 SUSE bug 1021057 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple heap-based buffer overflows in the read_attribute function in GnuTLS before 3.3.26 and 3.5.x before 3.5.8 allow remote attackers to have unspecified impact via a crafted OpenPGP certificate. Moderate CVE-2017-5337 SUSE bug 1018832 SUSE bug 1021057 SUSE Linux Enterprise Server 11 SP3-TERADATA regex.c in GNU ed before 1.14.1 allows attackers to cause a denial of service (crash) via a malformed command, which triggers an invalid free. Low CVE-2017-5357 SUSE bug 1019807 SUSE bug 1148899 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Memory safety bugs were reported in Firefox 50.1 and Firefox ESR 45.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51. Important CVE-2017-5373 SUSE bug 1021824 SUSE bug 1021991 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 JIT code allocation can allow for a bypass of ASLR and DEP protections leading to potential memory corruption attacks. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51. Important CVE-2017-5375 SUSE bug 1021814 SUSE bug 1021991 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Use-after-free while manipulating XSL in XSLT documents. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51. Important CVE-2017-5376 SUSE bug 1021817 SUSE bug 1021991 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Hashed codes of JavaScript objects are shared between pages. This allows for pointer leaks because an object's address can be discovered through hash codes, and also allows for data leakage of an object's content using these hash codes. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51. Moderate CVE-2017-5378 SUSE bug 1021818 SUSE bug 1021991 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 A potential use-after-free found through fuzzing during DOM manipulation of SVG content. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51. Moderate CVE-2017-5380 SUSE bug 1021819 SUSE bug 1021991 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 URLs containing certain unicode glyphs for alternative hyphens and quotes do not properly trigger punycode display, allowing for domain name spoofing attacks in the location bar. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51. Moderate CVE-2017-5383 SUSE bug 1021822 SUSE bug 1021991 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 WebExtension scripts can use the "data:" protocol to affect pages loaded by other web extensions using this protocol, leading to potential data disclosure or privilege escalation in affected extensions. This vulnerability affects Firefox ESR < 45.7 and Firefox < 51. Moderate CVE-2017-5386 SUSE bug 1021823 SUSE bug 1021991 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The JSON viewer in the Developer Tools uses insecure methods to create a communication channel for copying and viewing JSON or HTTP headers data, allowing for potential privilege escalation. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51. Moderate CVE-2017-5390 SUSE bug 1021820 SUSE bug 1021991 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 A use-after-free vulnerability in the Media Decoder when working with media files when some events are fired after the media elements are freed from memory. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51. Moderate CVE-2017-5396 SUSE bug 1021821 SUSE bug 1021991 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Memory safety bugs were reported in Thunderbird 45.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 52, Firefox ESR < 45.8, Thunderbird < 52, and Thunderbird < 45.8. Important CVE-2017-5398 SUSE bug 1028391 SUSE bug 1028393 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 JIT-spray targeting asm.js combined with a heap spray allows for a bypass of ASLR and DEP protections leading to potential memory corruption attacks. This vulnerability affects Firefox < 52, Firefox ESR < 45.8, Thunderbird < 52, and Thunderbird < 45.8. Important CVE-2017-5400 SUSE bug 1028391 SUSE bug 1028393 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 A crash triggerable by web content in which an "ErrorResult" references unassigned memory due to a logic error. The resulting crash may be exploitable. This vulnerability affects Firefox < 52, Firefox ESR < 45.8, Thunderbird < 52, and Thunderbird < 45.8. Important CVE-2017-5401 SUSE bug 1028391 SUSE bug 1028393 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 A use-after-free can occur when events are fired for a "FontFace" object after the object has been already been destroyed while working with fonts. This results in a potentially exploitable crash. This vulnerability affects Firefox < 52, Firefox ESR < 45.8, Thunderbird < 52, and Thunderbird < 45.8. Important CVE-2017-5402 SUSE bug 1028391 SUSE bug 1028393 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 A use-after-free error can occur when manipulating ranges in selections with one node inside a native anonymous tree and one node outside of it. This results in a potentially exploitable crash. This vulnerability affects Firefox < 52, Firefox ESR < 45.8, Thunderbird < 52, and Thunderbird < 45.8. Important CVE-2017-5404 SUSE bug 1028391 SUSE bug 1028393 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Certain response codes in FTP connections can result in the use of uninitialized values for ports in FTP operations. This vulnerability affects Firefox < 52, Firefox ESR < 45.8, Thunderbird < 52, and Thunderbird < 45.8. Important CVE-2017-5405 SUSE bug 1028391 SUSE bug 1028393 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Using SVG filters that don't use the fixed point math implementation on a target iframe, a malicious page can extract pixel values from a targeted user. This can be used to extract history information and read text values across domains. This violates same-origin policy and leads to information disclosure. This vulnerability affects Firefox < 52, Firefox ESR < 45.8, Thunderbird < 52, and Thunderbird < 45.8. Important CVE-2017-5407 SUSE bug 1028391 SUSE bug 1028393 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Video files loaded video captions cross-origin without checking for the presence of CORS headers permitting such cross-origin use, leading to potential information disclosure for video captions. This vulnerability affects Firefox < 52, Firefox ESR < 45.8, Thunderbird < 52, and Thunderbird < 45.8. Important CVE-2017-5408 SUSE bug 1028391 SUSE bug 1028393 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The Mozilla Windows updater can be called by a non-privileged user to delete an arbitrary local file by passing a special path to the callback parameter through the Mozilla Maintenance Service, which has privileged access. Note: This attack requires local system access and only affects Windows. Other operating systems are not affected. This vulnerability affects Firefox ESR < 45.8 and Firefox < 52. Important CVE-2017-5409 SUSE bug 1028391 SUSE bug 1028393 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Memory corruption resulting in a potentially exploitable crash during garbage collection of JavaScript due errors in how incremental sweeping is managed for memory cleanup. This vulnerability affects Firefox < 52, Firefox ESR < 45.8, Thunderbird < 52, and Thunderbird < 45.8. Important CVE-2017-5410 SUSE bug 1028391 SUSE bug 1028393 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Memory safety bugs were reported in Firefox 52, Firefox ESR 45.8, Firefox ESR 52, and Thunderbird 52. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. Important CVE-2017-5429 SUSE bug 1035082 SUSE bug 1035209 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Memory safety bugs were reported in Firefox 52, Firefox ESR 52, and Thunderbird 52. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 52.1, and Firefox < 53. Important CVE-2017-5430 SUSE bug 1035082 SUSE bug 1035209 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 A use-after-free vulnerability occurs during certain text input selection resulting in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. Important CVE-2017-5432 SUSE bug 1035082 SUSE bug 1035209 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 A use-after-free vulnerability in SMIL animation functions occurs when pointers to animation elements in an array are dropped from the animation controller while still in use. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. Important CVE-2017-5433 SUSE bug 1035082 SUSE bug 1035209 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 A use-after-free vulnerability occurs when redirecting focus handling which results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. Important CVE-2017-5434 SUSE bug 1035082 SUSE bug 1035209 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 A use-after-free vulnerability occurs during transaction processing in the editor during design mode interactions. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. Important CVE-2017-5435 SUSE bug 1035082 SUSE bug 1035209 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 An out-of-bounds write in the Graphite 2 library triggered with a maliciously crafted Graphite font. This results in a potentially exploitable crash. This issue was fixed in the Graphite 2 library as well as Mozilla products. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. Important CVE-2017-5436 SUSE bug 1035082 SUSE bug 1035204 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2016-10195, CVE-2016-10196, CVE-2016-10197. Reason: This candidate is a duplicate of CVE-2016-10195, CVE-2016-10196, and CVE-2016-10197. Notes: All CVE users should reference CVE-2016-10195, CVE-2016-10196, and/or CVE-2016-10197 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Important CVE-2017-5437 SUSE bug 1035082 SUSE bug 1035209 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 A use-after-free vulnerability during XSLT processing due to the result handler being held by a freed handler during handling. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. Important CVE-2017-5438 SUSE bug 1035082 SUSE bug 1035209 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 A use-after-free vulnerability during XSLT processing due to poor handling of template parameters. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. Important CVE-2017-5439 SUSE bug 1035082 SUSE bug 1035209 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 A use-after-free vulnerability during XSLT processing due to a failure to propagate error conditions during matching while evaluating context, leading to objects being used when they no longer exist. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. Important CVE-2017-5440 SUSE bug 1035082 SUSE bug 1035209 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 A use-after-free vulnerability when holding a selection during scroll events. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. Important CVE-2017-5441 SUSE bug 1035082 SUSE bug 1035209 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 A use-after-free vulnerability during changes in style when manipulating DOM elements. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. Important CVE-2017-5442 SUSE bug 1035082 SUSE bug 1035209 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 An out-of-bounds write vulnerability while decoding improperly formed BinHex format archives. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. Important CVE-2017-5443 SUSE bug 1035082 SUSE bug 1035209 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 A buffer overflow vulnerability while parsing "application/http-index-format" format content when the header contains improperly formatted data. This allows for an out-of-bounds read of data from memory. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. Important CVE-2017-5444 SUSE bug 1035082 SUSE bug 1035209 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 A vulnerability while parsing "application/http-index-format" format content where uninitialized values are used to create an array. This could allow the reading of uninitialized memory into the arrays affected. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. Important CVE-2017-5445 SUSE bug 1035082 SUSE bug 1035209 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 An out-of-bounds read when an HTTP/2 connection to a servers sends "DATA" frames with incorrect data content. This leads to a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. Important CVE-2017-5446 SUSE bug 1035082 SUSE bug 1035209 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 An out-of-bounds read during the processing of glyph widths during text layout. This results in a potentially exploitable crash and could allow an attacker to read otherwise inaccessible memory. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. Important CVE-2017-5447 SUSE bug 1035082 SUSE bug 1035209 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 An out-of-bounds write in "ClearKeyDecryptor" while decrypting some Clearkey-encrypted media content. The "ClearKeyDecryptor" code runs within the Gecko Media Plugin (GMP) sandbox. If a second mechanism is found to escape the sandbox, this vulnerability allows for the writing of arbitrary data within memory, resulting in a potentially exploitable crash. This vulnerability affects Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. Important CVE-2017-5448 SUSE bug 1035082 SUSE bug 1035209 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A possibly exploitable crash triggered during layout and manipulation of bidirectional unicode text in concert with CSS animations. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 52.1, and Firefox < 53. Moderate CVE-2017-5449 SUSE bug 1035082 SUSE bug 1035209 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A mechanism to spoof the addressbar through the user interaction on the addressbar and the "onblur" event. The event could be used by script to affect text display to make the loaded site appear to be different from the one actually loaded within the addressbar. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 52.1, and Firefox < 53. Moderate CVE-2017-5451 SUSE bug 1035082 SUSE bug 1035209 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A mechanism to bypass file system access protections in the sandbox to use the file picker to access different files than those selected in the file picker through the use of relative paths. This allows for read only access to the local file system. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 52.1, and Firefox < 53. Important CVE-2017-5454 SUSE bug 1035082 SUSE bug 1035209 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The internal feed reader APIs that crossed the sandbox barrier allowed for a sandbox escape and escalation of privilege if combined with another vulnerability that resulted in remote code execution inside the sandboxed process. This vulnerability affects Firefox ESR < 52.1 and Firefox < 53. Important CVE-2017-5455 SUSE bug 1035082 SUSE bug 1035209 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A mechanism to bypass file system access protections in the sandbox using the file system request constructor through an IPC message. This allows for read and write access to the local file system. This vulnerability affects Firefox ESR < 52.1 and Firefox < 53. Important CVE-2017-5456 SUSE bug 1035082 SUSE bug 1035209 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 A buffer overflow in WebGL triggerable by web content, resulting in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. Important CVE-2017-5459 SUSE bug 1035082 SUSE bug 1035209 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 A use-after-free vulnerability in frame selection triggered by a combination of malicious script content and key presses by a user. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. Important CVE-2017-5460 SUSE bug 1035082 SUSE bug 1035209 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Mozilla Network Security Services (NSS) before 3.21.4, 3.22.x through 3.28.x before 3.28.4, 3.29.x before 3.29.5, and 3.30.x before 3.30.1 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact by leveraging incorrect base64 operations. Critical CVE-2017-5461 SUSE bug 1035082 SUSE bug 1035209 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 A flaw in DRBG number generation within the Network Security Services (NSS) library where the internal state V does not correctly carry bits over. The NSS library has been updated to fix this issue to address this issue and Firefox ESR 52.1 has been updated with NSS version 3.28.4. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. Important CVE-2017-5462 SUSE bug 1035082 SUSE bug 1035209 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 During DOM manipulations of the accessibility tree through script, the DOM tree can become out of sync with the accessibility tree, leading to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. Important CVE-2017-5464 SUSE bug 1035082 SUSE bug 1035209 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 An out-of-bounds read while processing SVG content in "ConvolvePixel". This results in a crash and also allows for otherwise inaccessible memory being copied into SVG graphic content, which could then displayed. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. Important CVE-2017-5465 SUSE bug 1035082 SUSE bug 1035209 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA If a page is loaded from an original site through a hyperlink and contains a redirect to a "data:text/html" URL, triggering a reload will run the reloaded "data:text/html" page with its origin set incorrectly. This allows for a cross-site scripting (XSS) attack. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 52.1, and Firefox < 53. Important CVE-2017-5466 SUSE bug 1035082 SUSE bug 1035209 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A potential memory corruption and crash when using Skia content when drawing content outside of the bounds of a clipping region. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 52.1, and Firefox < 53. Moderate CVE-2017-5467 SUSE bug 1035082 SUSE bug 1035209 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Fixed potential buffer overflows in generated Firefox code due to CVE-2016-6354 issue in Flex. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. Important CVE-2017-5469 SUSE bug 1035082 SUSE bug 1035209 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Memory safety bugs were reported in Firefox 53 and Firefox ESR 52.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. Important CVE-2017-5470 SUSE bug 1043960 SUSE bug 1044239 SUSE bug 1044240 SUSE bug 1044241 SUSE bug 1044242 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A use-after-free vulnerability with the frameloader during tree reconstruction while regenerating CSS layout when attempting to use a node in the tree that no longer exists. This results in a potentially exploitable crash. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. Important CVE-2017-5472 SUSE bug 1043960 SUSE bug 1044239 SUSE bug 1044240 SUSE bug 1044241 SUSE bug 1044242 SUSE Linux Enterprise Server 11 SP3-TERADATA The SNMP parser in tcpdump before 4.9.0 has a buffer overflow in print-snmp.c:asn1_parse(). Moderate CVE-2017-5483 SUSE bug 1020940 SUSE Linux Enterprise Server 11 SP3-TERADATA The ATM parser in tcpdump before 4.9.0 has a buffer overflow in print-atm.c:sig_print(). Moderate CVE-2017-5484 SUSE bug 1020940 SUSE Linux Enterprise Server 11 SP3-TERADATA The ISO CLNS parser in tcpdump before 4.9.0 has a buffer overflow in addrtoname.c:lookup_nsap(). Moderate CVE-2017-5485 SUSE bug 1020940 SUSE Linux Enterprise Server 11 SP3-TERADATA The ISO CLNS parser in tcpdump before 4.9.0 has a buffer overflow in print-isoclns.c:clnp_print(). Moderate CVE-2017-5486 SUSE bug 1020940 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA All versions of Quagga, 0.93 through 1.1.0, are vulnerable to an unbounded memory allocation in the telnet 'vty' CLI, leading to a Denial-of-Service of Quagga daemons, or even the entire host. When Quagga daemons are configured with their telnet CLI enabled, anyone who can connect to the TCP ports can trigger this vulnerability, prior to authentication. Most distributions restrict the Quagga telnet interface to local access only by default. The Quagga telnet interface 'vty' input buffer grows automatically, without bound, so long as a newline is not entered. This allows an attacker to cause the Quagga daemon to allocate unbounded memory by sending very long strings without a newline. Eventually the daemon is terminated by the system, or the system itself runs out of memory. This is fixed in Quagga 1.1.1 and Free Range Routing (FRR) Protocol Suite 2017-01-10. Moderate CVE-2017-5495 SUSE bug 1021669 SUSE Linux Enterprise Server 11 SP3-TERADATA libjasper/include/jasper/jas_math.h in JasPer 1.900.17 allows remote attackers to cause a denial of service (crash) via vectors involving left shift of a negative value. Low CVE-2017-5498 SUSE bug 1020353 SUSE bug 1020451 SUSE Linux Enterprise Server 11 SP3-TERADATA Double free vulnerability in magick/profile.c in ImageMagick allows remote attackers to have unspecified impact via a crafted file. Moderate CVE-2017-5506 SUSE bug 1020436 SUSE Linux Enterprise Server 11 SP3-TERADATA Memory leak in coders/mpc.c in ImageMagick before 6.9.7-4 and 7.x before 7.0.4-4 allows remote attackers to cause a denial of service (memory consumption) via vectors involving a pixel cache. Moderate CVE-2017-5507 SUSE bug 1020439 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the PushQuantumPixel function in ImageMagick before 6.9.7-3 and 7.x before 7.0.4-3 allows remote attackers to cause a denial of service (application crash) via a crafted TIFF file. Moderate CVE-2017-5508 SUSE bug 1020441 SUSE bug 1086782 SUSE Linux Enterprise Server 11 SP3-TERADATA coders/psd.c in ImageMagick allows remote attackers to have unspecified impact by leveraging an improper cast, which triggers a heap-based buffer overflow. Moderate CVE-2017-5511 SUSE bug 1020448 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Memory leak in hw/audio/es1370.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption and QEMU process crash) via a large number of device unplug operations. Moderate CVE-2017-5526 SUSE bug 1020589 SUSE bug 1059777 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The simple_set_acl function in fs/posix_acl.c in the Linux kernel before 4.9.6 preserves the setgid bit during a setxattr call involving a tmpfs filesystem, which allows local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-7097. Low CVE-2017-5551 SUSE bug 1021258 SUSE bug 995968 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Memory leak in the serial_exit_core function in hw/char/serial.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption and QEMU process crash) via a large number of device unplug operations. Moderate CVE-2017-5579 SUSE bug 1021741 SUSE bug 1022627 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.2.0 to 2.2.3 and 2.0.0 to 2.0.9, the ASTERIX dissector could go into an infinite loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-asterix.c by changing a data type to avoid an integer overflow. Moderate CVE-2017-5596 SUSE bug 1021739 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.2.0 to 2.2.3 and 2.0.0 to 2.0.9, the DHCPv6 dissector could go into a large loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-dhcpv6.c by changing a data type to avoid an integer overflow. Moderate CVE-2017-5597 SUSE bug 1021739 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. For example, a user agent that sent requests A, B and C could see the correct response for request A, the response for request C for request B and no response for request C. Important CVE-2017-5647 SUSE bug 1033448 SUSE bug 1036642 SUSE Linux Enterprise Server 11 SP3-TERADATA The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to the error page with the original HTTP method. If the error page is a static file, expected behaviour is to serve content of the file as if processing a GET request, regardless of the actual HTTP method. The Default Servlet in Apache Tomcat 9.0.0.M1 to 9.0.0.M20, 8.5.0 to 8.5.14, 8.0.0.RC1 to 8.0.43 and 7.0.0 to 7.0.77 did not do this. Depending on the original request this could lead to unexpected and undesirable results for static error pages including, if the DefaultServlet is configured to permit writes, the replacement or removal of the custom error page. Notes for other user provided error pages: (1) Unless explicitly coded otherwise, JSPs ignore the HTTP method. JSPs used as error pages must must ensure that they handle any error dispatch as a GET request, regardless of the actual method. (2) By default, the response generated by a Servlet does depend on the HTTP method. Custom Servlets used as error pages must ensure that they handle any error dispatch as a GET request, regardless of the actual method. Important CVE-2017-5664 SUSE bug 1042910 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The do_shmat function in ipc/shm.c in the Linux kernel through 4.9.12 does not restrict the address calculated by a certain rounding operation, which allows local users to map page zero, and consequently bypass a protection mechanism that exists for the mmap system call, by making crafted shmget and shmat system calls in a privileged context. Moderate CVE-2017-5669 SUSE bug 1026914 SUSE bug 1090078 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis. Important CVE-2017-5715 SUSE bug 1068032 SUSE bug 1074562 SUSE bug 1074578 SUSE bug 1074701 SUSE bug 1074741 SUSE bug 1074919 SUSE bug 1075006 SUSE bug 1075007 SUSE bug 1075262 SUSE bug 1075419 SUSE bug 1076115 SUSE bug 1076372 SUSE bug 1078353 SUSE bug 1080039 SUSE bug 1087939 SUSE bug 1091815 SUSE bug 1095735 SUSE bug 1102055 SUSE bug 1102517 SUSE bug 1105108 SUSE bug 1126516 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis. Important CVE-2017-5753 SUSE bug 1068032 SUSE bug 1074562 SUSE bug 1074578 SUSE bug 1074701 SUSE bug 1075006 SUSE bug 1075419 SUSE bug 1075748 SUSE bug 1080039 SUSE bug 1087084 SUSE bug 1087939 SUSE bug 1102055 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache. Important CVE-2017-5754 SUSE bug 1068032 SUSE bug 1074562 SUSE bug 1074578 SUSE bug 1074701 SUSE bug 1075006 SUSE bug 1075008 SUSE bug 1087939 SUSE bug 1102055 SUSE bug 1115045 SUSE Linux Enterprise Server 11 SP3-TERADATA The gst_riff_create_audio_caps function in gst-libs/gst/riff/riff-media.c in gst-plugins-base in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (floating point exception and crash) via a crafted video file. Low CVE-2017-5837 SUSE bug 1023259 SUSE bug 1024076 SUSE bug 1024079 SUSE Linux Enterprise Server 11 SP3-TERADATA The gst_riff_create_audio_caps function in gst-libs/gst/riff/riff-media.c in gst-plugins-base in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (floating point exception and crash) via a crafted ASF file. Low CVE-2017-5844 SUSE bug 1023259 SUSE bug 1024079 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Memory leak in the megasas_handle_dcmd function in hw/scsi/megasas.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption) via MegaRAID Firmware Interface (MFI) commands with the sglist size set to a value over 2 Gb. Moderate CVE-2017-5856 SUSE bug 1023053 SUSE bug 1024186 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in the emulated_apdu_from_guest function in usb/dev-smartcard-reader.c in Quick Emulator (Qemu), when built with the CCID Card device emulator support, allows local users to cause a denial of service (application crash) via a large Application Protocol Data Units (APDU) unit. Moderate CVE-2017-5898 SUSE bug 1023907 SUSE bug 1024307 SUSE Linux Enterprise Server 11 SP3-TERADATA vim before patch 8.0.0322 does not properly validate values for tree length when handling a spell file, which may result in an integer overflow at a memory allocation site and a resultant buffer overflow. Important CVE-2017-5953 SUSE bug 1024724 SUSE bug 1123143 SUSE Linux Enterprise Server 11 SP3-TERADATA ** DISPUTED ** libxml2 2.9.4, when used in recover mode, allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted XML document. NOTE: The maintainer states "I would disagree of a CVE with the Recover parsing option which should only be used for manual recovery at least for XML parser." Moderate CVE-2017-5969 SUSE bug 1024989 SUSE bug 1049467 SUSE bug 1123919 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in the Linux kernel through 4.9.9 allows attackers to cause a denial of service (system crash) via (1) an application that makes crafted system calls or possibly (2) IPv4 traffic with invalid IP options. Important CVE-2017-5970 SUSE bug 1024938 SUSE bug 1025013 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The xhci_kick_epctx function in hw/usb/hcd-xhci.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (infinite loop and QEMU process crash) via vectors related to control transfer descriptor sequence. Moderate CVE-2017-5973 SUSE bug 1025109 SUSE bug 1025188 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in the Linux kernel before 4.9.11 allows local users to cause a denial of service (assertion failure and panic) via a multithreaded application that peels off an association in a certain buffer-full state. Moderate CVE-2017-5986 SUSE bug 1025235 SUSE bug 1027066 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.2.4 and earlier, a crafted or malformed STANAG 4607 capture file will cause an infinite loop and memory exhaustion. If the packet size field in a packet header is null, the offset to read from will not advance, causing continuous attempts to read the same zero length packet. This will quickly exhaust all system memory. Low CVE-2017-6014 SUSE bug 1025913 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel through 4.9.11 mishandles DCCP_PKT_REQUEST packet data structures in the LISTEN state, which allows local users to obtain root privileges or cause a denial of service (double free) via an application that makes an IPV6_RECVPKTINFO setsockopt system call. Important CVE-2017-6074 SUSE bug 1026024 SUSE bug 1033287 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel before 4.9.11 allows remote attackers to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the URG flag. Moderate CVE-2017-6214 SUSE bug 1026722 SUSE bug 1027179 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in io-ico.c in gdk-pixbuf allows context-dependent attackers to cause a denial of service (segmentation fault and application crash) via a crafted image entry offset in an ICO file, which triggers an out-of-bounds read, related to compiler optimizations. Low CVE-2017-6312 SUSE bug 1027024 SUSE bug 1027026 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer underflow in the load_resources function in io-icns.c in gdk-pixbuf allows context-dependent attackers to cause a denial of service (out-of-bounds read and program crash) via a crafted image entry size in an ICO file. Moderate CVE-2017-6313 SUSE bug 1027024 SUSE Linux Enterprise Server 11 SP3-TERADATA The make_available_at_least function in io-tiff.c in gdk-pixbuf allows context-dependent attackers to cause a denial of service (infinite loop) via a large TIFF file. Low CVE-2017-6314 SUSE bug 1027024 SUSE bug 1027025 SUSE Linux Enterprise Server 11 SP3-TERADATA saned in sane-backends 1.0.25 allows remote attackers to obtain sensitive memory information via a crafted SANE_NET_CONTROL_OPTION packet. Moderate CVE-2017-6318 SUSE bug 1027197 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The hashbin_delete function in net/irda/irqueue.c in the Linux kernel before 4.9.13 improperly manages lock dropping, which allows local users to cause a denial of service (deadlock) via crafted operations on IrDA devices. Moderate CVE-2017-6348 SUSE bug 1027178 SUSE bug 1087082 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA net/sctp/socket.c in the Linux kernel through 4.10.1 does not properly restrict association peel-off operations during certain wait states, which allows local users to cause a denial of service (invalid unlock and double free) via a multithreaded application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-5986. Moderate CVE-2017-6353 SUSE bug 1025235 SUSE bug 1027066 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Memory leak in the vcard_apdu_new function in card_7816.c in libcacard before 2.5.3 allows local guest OS users to cause a denial of service (host memory consumption) via vectors related to allocating a new APDU object. Moderate CVE-2017-6414 SUSE bug 1027514 SUSE bug 1027570 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA libclamav/message.c in ClamAV 0.99.2 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted e-mail message. Moderate CVE-2017-6418 SUSE bug 1052466 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA mspack/lzxd.c in libmspack 0.5alpha, as used in ClamAV 0.99.2, allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted CHM file. Important CVE-2017-6419 SUSE bug 1052449 SUSE bug 1083915 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The wwunpack function in libclamav/wwunpack.c in ClamAV 0.99.2 allows remote attackers to cause a denial of service (use-after-free) via a crafted PE file with WWPack compression. Important CVE-2017-6420 SUSE bug 1052448 SUSE Linux Enterprise Server 11 SP3-TERADATA The mx4200_send function in the legacy MX4200 refclock in NTP before 4.2.8p10 and 4.3.x before 4.3.94 does not properly handle the return value of the snprintf function, which allows local users to execute arbitrary code via unspecified vectors, which trigger an out-of-bounds memory write. Important CVE-2017-6451 SUSE bug 1030050 SUSE Linux Enterprise Server 11 SP3-TERADATA Multiple buffer overflows in the ctl_put* functions in NTP before 4.2.8p10 and 4.3.x before 4.3.94 allow remote authenticated users to have unspecified impact via a long variable. Important CVE-2017-6458 SUSE bug 1030050 SUSE Linux Enterprise Server 11 SP3-TERADATA Stack-based buffer overflow in the reslist function in ntpq in NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows remote servers have unspecified impact via a long flagstr variable in a restriction list response. Important CVE-2017-6460 SUSE bug 1030050 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in the legacy Datum Programmable Time Server (DPTS) refclock driver in NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows local users to have unspecified impact via a crafted /dev/datum device. Moderate CVE-2017-6462 SUSE bug 1030050 SUSE Linux Enterprise Server 11 SP3-TERADATA NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows remote authenticated users to cause a denial of service (daemon crash) via an invalid setting in a :config directive, related to the unpeer option. Moderate CVE-2017-6463 SUSE bug 1030050 SUSE Linux Enterprise Server 11 SP3-TERADATA NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows remote attackers to cause a denial of service (ntpd crash) via a malformed mode configuration directive. Moderate CVE-2017-6464 SUSE bug 1030050 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 The ohci_service_ed_list function in hw/usb/hcd-ohci.c in QEMU (aka Quick Emulator) before 2.9.0 allows local guest OS users to cause a denial of service (infinite loop) via vectors involving the number of link endpoint list descriptors, a different vulnerability than CVE-2017-9330. Moderate CVE-2017-6505 SUSE bug 1028184 SUSE bug 1028235 SUSE Linux Enterprise Server 11 SP3-TERADATA CRLF injection vulnerability in the url_parse function in url.c in Wget through 1.19.1 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in the host subcomponent of a URL. Moderate CVE-2017-6508 SUSE bug 1028301 SUSE Linux Enterprise Server 11 SP3-TERADATA Race condition in the rmtree and remove_tree functions in the File-Path module before 2.13 for Perl allows attackers to set the mode on arbitrary files via vectors involving directory-permission loosening logic. Moderate CVE-2017-6512 SUSE bug 1047178 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the MSADPCM::initializeCoefficients function in MSADPCM.cpp in audiofile (aka libaudiofile and Audio File Library) 0.3.6 allows remote attackers to have unspecified impact via a crafted audio file. Moderate CVE-2017-6827 SUSE bug 1026979 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the readValue function in FileHandle.cpp in audiofile (aka libaudiofile and Audio File Library) 0.3.6 allows remote attackers to have unspecified impact via a crafted WAV file. Moderate CVE-2017-6828 SUSE bug 1026980 SUSE Linux Enterprise Server 11 SP3-TERADATA The decodeSample function in IMA.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (crash) via a crafted file. Moderate CVE-2017-6829 SUSE bug 1026981 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the alaw2linear_buf function in G711.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (crash) via a crafted file. Low CVE-2017-6830 SUSE bug 1026982 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the decodeBlockWAVE function in IMA.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (crash) via a crafted file. Low CVE-2017-6831 SUSE bug 1026983 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the decodeBlock in MSADPCM.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (crash) via a crafted file. Low CVE-2017-6832 SUSE bug 1026984 SUSE Linux Enterprise Server 11 SP3-TERADATA The runPull function in libaudiofile/modules/BlockCodec.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (divide-by-zero error and crash) via a crafted file. Low CVE-2017-6833 SUSE bug 1026985 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the ulaw2linear_buf function in G711.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (crash) via a crafted file. Low CVE-2017-6834 SUSE bug 1026986 SUSE Linux Enterprise Server 11 SP3-TERADATA The reset1 function in libaudiofile/modules/BlockCodec.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (divide-by-zero error and crash) via a crafted file. Low CVE-2017-6835 SUSE bug 1026988 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the Expand3To4Module::run function in libaudiofile/modules/SimpleModule.h in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (crash) via a crafted file. Low CVE-2017-6836 SUSE bug 1026987 SUSE Linux Enterprise Server 11 SP3-TERADATA WAVE.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (crash) via vectors related to a large number of coefficients. Moderate CVE-2017-6837 SUSE bug 1026978 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in sfcommands/sfconvert.c in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (crash) via a crafted file. Moderate CVE-2017-6838 SUSE bug 1026978 SUSE Linux Enterprise Server 11 SP3-TERADATA Integer overflow in modules/MSADPCM.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (crash) via a crafted file. Moderate CVE-2017-6839 SUSE bug 1026978 SUSE Linux Enterprise Server 11 SP3-TERADATA The jp2_cdef_destroy function in jp2_cod.c in JasPer before 2.0.13 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted image. Low CVE-2017-6850 SUSE bug 1021868 SUSE Linux Enterprise Server 11 SP3-TERADATA Two errors in the "asn1_find_node()" function (lib/parser_aux.c) within GnuTLS libtasn1 version 4.10 can be exploited to cause a stacked-based buffer overflow by tricking a user into processing a specially crafted assignments file via the e.g. asn1Coding utility. Moderate CVE-2017-6891 SUSE bug 1040621 SUSE bug 1149679 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The keyring_search_aux function in security/keys/keyring.c in the Linux kernel through 3.14.79 allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a request_key system call for the "dead" type. Moderate CVE-2017-6951 SUSE bug 1029850 SUSE bug 1030593 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The xfrm_replay_verify_len function in net/xfrm/xfrm_user.c in the Linux kernel through 4.10.6 does not validate certain size data after an XFRM_MSG_NEWAE update, which allows local users to obtain root privileges or cause a denial of service (heap-based out-of-bounds access) by leveraging the CAP_NET_ADMIN capability, as demonstrated during a Pwn2Own competition at CanSecWest 2017 for the Ubuntu 16.10 linux-image-* package 4.8.0.41.52. Important CVE-2017-7184 SUSE bug 1030573 SUSE bug 1030575 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel through 4.10.4 allows local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a large command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds write access in the sg_write function. Moderate CVE-2017-7187 SUSE bug 1027179 SUSE bug 1030213 SUSE Linux Enterprise Server 11 SP3-TERADATA The mem_get_bits_rectangle function in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted PostScript document. Low CVE-2017-7207 SUSE bug 1030263 SUSE bug 1036453 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 An issue (known as XSA-212) was discovered in Xen, with fixes available for 4.8.x, 4.7.x, 4.6.x, 4.5.x, and 4.4.x. The earlier XSA-29 fix introduced an insufficient check on XENMEM_exchange input, allowing the caller to drive hypervisor memory accesses outside of the guest provided input/output arrays. Important CVE-2017-7228 SUSE bug 1030442 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.5 does not check for a zero value of certain levels data, which allows local users to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device. Moderate CVE-2017-7261 SUSE bug 1027179 SUSE bug 1031052 SUSE Linux Enterprise Server 11 SP3-TERADATA PHP through 7.1.11 enables potential SSRF in applications that accept an fsockopen or pfsockopen hostname argument with an expectation that the port number is constrained. Because a :port syntax is recognized, fsockopen will use the port number that is specified in the hostname argument, instead of the port number in the second argument of the function. Moderate CVE-2017-7272 SUSE bug 1031246 SUSE bug 1044976 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The cp_report_fixup function in drivers/hid/hid-cypress.c in the Linux kernel 4.x before 4.9.4 allows physically proximate attackers to cause a denial of service (integer underflow) or possibly have unspecified other impact via a crafted HID report. Moderate CVE-2017-7273 SUSE bug 1031240 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.6 does not validate addition of certain levels data, which allows local users to trigger an integer overflow and out-of-bounds write, and cause a denial of service (system hang or crash) or possibly gain privileges, via a crafted ioctl call for a /dev/dri/renderD* device. Moderate CVE-2017-7294 SUSE bug 1027179 SUSE bug 1031440 SUSE bug 1031481 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The packet_set_ring function in net/packet/af_packet.c in the Linux kernel through 4.10.6 does not properly validate certain block-size data, which allows local users to cause a denial of service (integer signedness error and out-of-bounds write), or gain privileges (if the CAP_NET_RAW capability is held), via crafted system calls. Important CVE-2017-7308 SUSE bug 1027179 SUSE bug 1031579 SUSE bug 1031660 SUSE Linux Enterprise Server 11 SP3-TERADATA A flaw in libxml2 allows remote XML entity inclusion with default parser flags (i.e., when the caller did not request entity substitution, DTD validation, external DTD subset loading, or default DTD attributes). Depending on the context, this may expose a higher-risk attack surface in libxml2 not usually reachable with default parser flags, and expose content from local files, HTTP, or FTP servers (which might be otherwise unreachable). Moderate CVE-2017-7375 SUSE bug 1044894 SUSE bug 1049467 SUSE bug 1123919 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in libxml2 allows remote attackers to execute arbitrary code by leveraging an incorrect limit for port values when handling redirects. Moderate CVE-2017-7376 SUSE bug 1044887 SUSE bug 1049467 SUSE bug 1123919 SUSE Linux Enterprise Server 11 SP3-TERADATA The ourWriteOut function in tool_writeout.c in curl 7.53.1 might allow physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which leads to a heap-based buffer over-read. Moderate CVE-2017-7407 SUSE bug 1032309 SUSE Linux Enterprise Server 11 SP3-TERADATA A buffer overflow flaw was found in the way minicom before version 2.7.1 handled VT100 escape sequences. A malicious terminal device could potentially use this flaw to crash minicom, or execute arbitrary code in the context of the minicom process. Important CVE-2017-7467 SUSE bug 1033783 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS It was found that spacewalk-channel can be used by a non-admin user or disabled users to perform administrative tasks due to an incorrect authorization check in backend/server/rhnChannel.py. Moderate CVE-2017-7470 SUSE bug 1026633 SUSE bug 1057882 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Quick Emulator (Qemu) built with the VirtFS, host directory sharing via Plan 9 File System (9pfs) support, is vulnerable to an improper access control issue. It could occur while accessing files on a shared host directory. A privileged user inside guest could use this flaw to access host file system beyond the shared folder and potentially escalating their privileges on a host. Important CVE-2017-7471 SUSE bug 1034866 SUSE bug 1034990 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The KEYS subsystem in the Linux kernel before 4.10.13 allows local users to cause a denial of service (memory consumption) via a series of KEY_REQKEY_DEFL_THREAD_KEYRING keyctl_set_reqkey_keyring calls. Moderate CVE-2017-7472 SUSE bug 1034862 SUSE Linux Enterprise Server 11 SP3-TERADATA Cairo version 1.15.4 is vulnerable to a NULL pointer dereference related to the FT_Load_Glyph and FT_Render_Glyph resulting in an application crash. Moderate CVE-2017-7475 SUSE bug 1036789 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA OpenVPN version 2.3.12 and newer is vulnerable to unauthenticated Denial of Service of server via received large control packet. Note that this issue is fixed in 2.3.15 and 2.4.2. Important CVE-2017-7478 SUSE bug 1038709 SUSE bug 1038713 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA OpenVPN versions before 2.3.15 and before 2.4.2 are vulnerable to reachable assertion when packet-ID counter rolls over resulting into Denial of Service of server by authenticated attacker. Moderate CVE-2017-7479 SUSE bug 1038711 SUSE bug 1038713 SUSE Linux Enterprise Server 11 SP3-TERADATA Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup() calls, they could inject Unicode strings to be parsed by the jinja2 templating system, resulting in code execution. By default, the jinja2 templating language is now marked as 'unsafe' and is not evaluated. Moderate CVE-2017-7481 SUSE bug 1038785 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA In the Linux kernel before version 4.12, Kerberos 5 tickets decoded when using the RXRPC keys incorrectly assumes the size of a field. This could lead to the size-remaining variable wrapping and the data pointer going over the end of the buffer. This could possibly lead to memory corruption and possible privilege escalation. Moderate CVE-2017-7482 SUSE bug 1046107 SUSE Linux Enterprise Server 11 SP3-TERADATA It was found that some selectivity estimation functions in PostgreSQL before 9.2.21, 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3 did not check user privileges before providing information from pg_statistic, possibly leaking information. An unprivileged attacker could use this flaw to steal some information from tables they are otherwise not allowed to access. Moderate CVE-2017-7484 SUSE bug 1037603 SUSE bug 1051015 SUSE Linux Enterprise Server 11 SP3-TERADATA In PostgreSQL 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3, it was found that the PGREQUIRESSL environment variable was no longer enforcing a SSL/TLS connection to a PostgreSQL server. An active Man-in-the-Middle attacker could use this flaw to strip the SSL/TLS protection from a connection between a client and a server. Important CVE-2017-7485 SUSE bug 1038293 SUSE bug 1051015 SUSE Linux Enterprise Server 11 SP3-TERADATA PostgreSQL versions 8.4 - 9.6 are vulnerable to information leak in pg_user_mappings view which discloses foreign server passwords to any user having USAGE privilege on the associated foreign server. Moderate CVE-2017-7486 SUSE bug 1037624 SUSE bug 1051015 SUSE bug 1051685 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The ipxitf_ioctl function in net/ipx/af_ipx.c in the Linux kernel through 4.11.1 mishandles reference counts, which allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a failed SIOCGIFADDR ioctl call for an IPX interface. Moderate CVE-2017-7487 SUSE bug 1038879 SUSE bug 1038883 SUSE bug 1038981 SUSE bug 1038982 SUSE bug 870618 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Quick Emulator (Qemu) built with the VirtFS, host directory sharing via Plan 9 File System(9pfs) support, is vulnerable to an improper access control issue. It could occur while accessing virtfs metadata files in mapped-file security mode. A guest user could use this flaw to escalate their privileges inside guest. Important CVE-2017-7493 SUSE bug 1039495 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Samba since version 3.5.0 and before 4.6.4, 4.5.10 and 4.4.14 is vulnerable to remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it. Important CVE-2017-7494 SUSE bug 1038231 SUSE bug 1040816 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to remote denial-of-service when receiving malformed IPv6 packet. Important CVE-2017-7508 SUSE bug 1044947 SUSE Linux Enterprise Server 11 SP3-TERADATA OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to denial-of-service and/or possibly sensitive memory leak triggered by man-in-the-middle attacker. Important CVE-2017-7520 SUSE bug 1044947 SUSE Linux Enterprise Server 11 SP3-TERADATA OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to remote denial-of-service due to memory exhaustion caused by memory leaks and double-free issue in extract_x509_extension(). Important CVE-2017-7521 SUSE bug 1044947 SUSE Linux Enterprise Server 11 SP3-TERADATA libgcrypt before version 1.7.8 is vulnerable to a cache side-channel attack resulting into a complete break of RSA-1024 while using the left-to-right method for computing the sliding-window expansion. The same attack is believed to work on RSA-2048 with moderately more computation. This side-channel requires that attacker can run arbitrary software on the hardware where the private RSA key is used. Low CVE-2017-7526 SUSE bug 1046607 SUSE bug 1047462 SUSE bug 1123792 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Race condition in the fsnotify implementation in the Linux kernel through 4.12.4 allows local users to gain privileges or cause a denial of service (memory corruption) via a crafted application that leverages simultaneous execution of the inotify_handle_event and vfs_rename functions. Important CVE-2017-7533 SUSE bug 1049483 SUSE bug 1050677 SUSE bug 1050751 SUSE bug 1053919 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The ip6_find_1stfragopt function in net/ipv6/output_core.c in the Linux kernel through 4.12.3 allows local users to cause a denial of service (integer overflow and infinite loop) by leveraging the ability to open a raw socket. Moderate CVE-2017-7542 SUSE bug 1049882 SUSE bug 1061936 SUSE Linux Enterprise Server 11 SP3-TERADATA libexif through 0.6.21 is vulnerable to out-of-bounds heap read vulnerability in exif_data_save_data_entry function in libexif/exif-data.c caused by improper length computation of the allocated data of an ExifMnote entry which can cause denial-of-service or possibly information disclosure. Low CVE-2017-7544 SUSE bug 1059893 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allowing remote attackers to gain access to database accounts with an empty password. Moderate CVE-2017-7546 SUSE bug 1051684 SUSE bug 1054365 SUSE bug 1140876 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to authorization flaw allowing remote authenticated attackers to retrieve passwords from the user mappings defined by the foreign server owners without actually having the privileges to do so. Moderate CVE-2017-7547 SUSE bug 1051685 SUSE bug 1054365 SUSE bug 1140876 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA PostgreSQL versions before 9.4.13, 9.5.8 and 9.6.4 are vulnerable to authorization flaw allowing remote authenticated attackers with no privileges on a large object to overwrite the entire contents of the object, resulting in a denial of service. Important CVE-2017-7548 SUSE bug 1053259 SUSE bug 1054365 SUSE bug 1140876 SUSE Linux Enterprise Server 11 SP3-TERADATA A flaw was found in the way Ansible (2.3.x before 2.3.3, and 2.4.x before 2.4.1) passed certain parameters to the jenkins_plugin module. Remote attackers could use this flaw to expose sensitive information from a remote host's logs. This flaw was fixed by not allowing passwords to be specified in the "params" argument, and noting this in the module documentation. Important CVE-2017-7550 SUSE bug 1035124 SUSE bug 1065872 SUSE Linux Enterprise Server 11 SP3-TERADATA Augeas versions up to and including 1.8.0 are vulnerable to heap-based buffer overflow due to improper handling of escaped strings. Attacker could send crafted strings that would cause the application using augeas to copy past the end of a buffer, leading to a crash or possible code execution. Moderate CVE-2017-7555 SUSE bug 1054171 SUSE Linux Enterprise Server 11 SP3-TERADATA In libsndfile before 1.0.28, an error in the "flac_buffer_copy()" function (flac.c) can be exploited to cause a stack-based buffer overflow via a specially crafted FLAC file. Important CVE-2017-7585 SUSE bug 1033054 SUSE bug 1033914 SUSE bug 1033915 SUSE Linux Enterprise Server 11 SP3-TERADATA tif_read.c in LibTIFF 4.0.7 does not ensure that tif_rawdata is properly initialized, which might allow remote attackers to obtain sensitive information from process memory via a crafted image. Moderate CVE-2017-7593 SUSE bug 1033129 SUSE Linux Enterprise Server 11 SP3-TERADATA The JPEGSetupEncode function in tiff_jpeg.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image. Moderate CVE-2017-7595 SUSE bug 1033111 SUSE bug 1033127 SUSE Linux Enterprise Server 11 SP3-TERADATA LibTIFF 4.0.7 has an "outside the range of representable values of type float" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. Important CVE-2017-7596 SUSE bug 1033112 SUSE bug 1033113 SUSE bug 1033120 SUSE bug 1033126 SUSE Linux Enterprise Server 11 SP3-TERADATA tif_dirread.c in LibTIFF 4.0.7 has an "outside the range of representable values of type float" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. Moderate CVE-2017-7597 SUSE bug 1033112 SUSE bug 1033113 SUSE bug 1033120 SUSE bug 1033126 SUSE Linux Enterprise Server 11 SP3-TERADATA LibTIFF 4.0.7 has an "outside the range of representable values of type short" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. Moderate CVE-2017-7599 SUSE bug 1033112 SUSE bug 1033113 SUSE bug 1033120 SUSE bug 1033126 SUSE Linux Enterprise Server 11 SP3-TERADATA LibTIFF 4.0.7 has an "outside the range of representable values of type unsigned char" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. Moderate CVE-2017-7600 SUSE bug 1033112 SUSE bug 1033113 SUSE bug 1033120 SUSE bug 1033126 SUSE Linux Enterprise Server 11 SP3-TERADATA LibTIFF 4.0.7 has a "shift exponent too large for 64-bit type long" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. Moderate CVE-2017-7601 SUSE bug 1033111 SUSE bug 1033127 SUSE Linux Enterprise Server 11 SP3-TERADATA LibTIFF 4.0.7 has a signed integer overflow, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. Moderate CVE-2017-7602 SUSE bug 1033109 SUSE Linux Enterprise Server 11 SP3-TERADATA coders/rle.c in ImageMagick 7.0.5-4 has an "outside the range of representable values of type unsigned char" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. Moderate CVE-2017-7606 SUSE bug 1033091 SUSE Linux Enterprise Server 11 SP3-TERADATA The handle_gnu_hash function in readelf.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file. Moderate CVE-2017-7607 SUSE bug 1033084 SUSE Linux Enterprise Server 11 SP3-TERADATA The ebl_object_note_type_name function in eblobjnotetypename.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file. Moderate CVE-2017-7608 SUSE bug 1033085 SUSE Linux Enterprise Server 11 SP3-TERADATA The check_group function in elflint.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file. Moderate CVE-2017-7610 SUSE bug 1033087 SUSE Linux Enterprise Server 11 SP3-TERADATA The check_symtab_shndx function in elflint.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file. Moderate CVE-2017-7611 SUSE bug 1033088 SUSE Linux Enterprise Server 11 SP3-TERADATA The check_sysv_hash function in elflint.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file. Moderate CVE-2017-7612 SUSE bug 1033089 SUSE Linux Enterprise Server 11 SP3-TERADATA elflint.c in elfutils 0.168 does not validate the number of sections and the number of segments, which allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file. Moderate CVE-2017-7613 SUSE bug 1033090 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Incorrect error handling in the set_mempolicy and mbind compat syscalls in mm/mempolicy.c in the Linux kernel through 4.10.9 allows local users to obtain sensitive information from uninitialized stack data by triggering failure of a certain bitmap operation. Moderate CVE-2017-7616 SUSE bug 1033336 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The HTTP strict parsing changes added in Apache httpd 2.2.32 and 2.4.24 introduced a bug in token list parsing, which allows ap_find_token() to search past the end of its input string. By maliciously crafting a sequence of request headers, an attacker may be able to cause a segmentation fault, or to force ap_find_token() to return an incorrect value. Moderate CVE-2017-7668 SUSE bug 1045061 SUSE bug 1049674 SUSE bug 1078450 SUSE bug 1095150 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_mime can read one byte past the end of a buffer when sending a malicious Content-Type response header. Moderate CVE-2017-7679 SUSE bug 1045060 SUSE bug 1049674 SUSE bug 1052635 SUSE bug 1057861 SUSE bug 1060041 SUSE bug 1078450 SUSE bug 1095150 SUSE Linux Enterprise Server 11 SP3-TERADATA In libsamplerate before 0.1.9, a buffer over-read occurs in the calc_output_single function in src_sinc.c via a crafted audio file. Moderate CVE-2017-7697 SUSE bug 1033564 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the NetScaler file parser could go into an infinite loop, triggered by a malformed capture file. This was addressed in wiretap/netscaler.c by ensuring a nonzero record size. Important CVE-2017-7700 SUSE bug 1033936 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the BGP dissector could go into an infinite loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-bgp.c by using a different integer data type. Important CVE-2017-7701 SUSE bug 1033937 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the WBXML dissector could go into an infinite loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-wbxml.c by adding length validation. Important CVE-2017-7702 SUSE bug 1033938 SUSE bug 1049255 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the IMAP dissector could crash, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-imap.c by calculating a line's end correctly. Important CVE-2017-7703 SUSE bug 1033939 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.2.0 to 2.2.5, the DOF dissector could go into an infinite loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-dof.c by using a different integer data type and adjusting a return value. Important CVE-2017-7704 SUSE bug 1033940 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the RPC over RDMA dissector could go into an infinite loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-rpcrdma.c by correctly checking for going beyond the maximum offset. Important CVE-2017-7705 SUSE bug 1033941 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 hw/display/cirrus_vga_rop.h in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors related to copying VGA data via the cirrus_bitblt_rop_fwd_transp_ and cirrus_bitblt_rop_fwd_ functions. Moderate CVE-2017-7718 SUSE bug 1034908 SUSE bug 1034994 SUSE Linux Enterprise Server 11 SP3-TERADATA In libsndfile before 1.0.28, an error in the "flac_buffer_copy()" function (flac.c) can be exploited to cause a segmentation violation (with write memory access) via a specially crafted FLAC file during a resample attempt, a similar issue to CVE-2017-7585. Moderate CVE-2017-7741 SUSE bug 1033054 SUSE bug 1033915 SUSE Linux Enterprise Server 11 SP3-TERADATA In libsndfile before 1.0.28, an error in the "flac_buffer_copy()" function (flac.c) can be exploited to cause a segmentation violation (with read memory access) via a specially crafted FLAC file during a resample attempt, a similar issue to CVE-2017-7585. Moderate CVE-2017-7742 SUSE bug 1033054 SUSE bug 1033914 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the SIGCOMP dissector could go into an infinite loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-sigcomp.c by correcting a memory-size check. Important CVE-2017-7745 SUSE bug 1033942 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the SLSK dissector could go into an infinite loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-slsk.c by adding checks for the remaining length. Important CVE-2017-7746 SUSE bug 1033943 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the PacketBB dissector could crash, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-packetbb.c by restricting additions to the protocol tree. Important CVE-2017-7747 SUSE bug 1033944 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the WSP dissector could go into an infinite loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-wsp.c by adding a length check. Important CVE-2017-7748 SUSE bug 1033945 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A use-after-free vulnerability when using an incorrect URL during the reloading of a docshell. This results in a potentially exploitable crash. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. Important CVE-2017-7749 SUSE bug 1043960 SUSE bug 1044239 SUSE bug 1044240 SUSE bug 1044241 SUSE bug 1044242 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A use-after-free vulnerability during video control operations when a "<track>" element holds a reference to an older window if that window has been replaced in the DOM. This results in a potentially exploitable crash. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. Important CVE-2017-7750 SUSE bug 1043960 SUSE bug 1044239 SUSE bug 1044240 SUSE bug 1044241 SUSE bug 1044242 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A use-after-free vulnerability with content viewer listeners that results in a potentially exploitable crash. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. Important CVE-2017-7751 SUSE bug 1043960 SUSE bug 1044239 SUSE bug 1044240 SUSE bug 1044241 SUSE bug 1044242 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A use-after-free vulnerability during specific user interactions with the input method editor (IME) in some languages due to how events are handled. This results in a potentially exploitable crash but would require specific user interaction to trigger. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. Moderate CVE-2017-7752 SUSE bug 1043960 SUSE bug 1044239 SUSE bug 1044240 SUSE bug 1044241 SUSE bug 1044242 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An out-of-bounds read occurs when applying style rules to pseudo-elements, such as ::first-line, using cached style data. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. Moderate CVE-2017-7753 SUSE bug 1052829 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An out-of-bounds read in WebGL with a maliciously crafted "ImageInfo" object during WebGL operations. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. Moderate CVE-2017-7754 SUSE bug 1043960 SUSE bug 1044239 SUSE bug 1044240 SUSE bug 1044241 SUSE bug 1044242 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The Firefox installer on Windows can be made to load malicious DLL files stored in the same directory as the installer when it is run. This allows privileged execution if the installer is run with elevated privileges. Note: This attack only affects Windows operating systems. Other operating systems are unaffected. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. Important CVE-2017-7755 SUSE bug 1043960 SUSE bug 1044239 SUSE bug 1044240 SUSE bug 1044241 SUSE bug 1044242 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A use-after-free and use-after-scope vulnerability when logging errors from headers for XML HTTP Requests (XHR). This could result in a potentially exploitable crash. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. Important CVE-2017-7756 SUSE bug 1043960 SUSE bug 1044239 SUSE bug 1044240 SUSE bug 1044241 SUSE bug 1044242 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A use-after-free vulnerability in IndexedDB when one of its objects is destroyed in memory while a method on it is still being executed. This results in a potentially exploitable crash. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. Important CVE-2017-7757 SUSE bug 1043960 SUSE bug 1044239 SUSE bug 1044240 SUSE bug 1044241 SUSE bug 1044242 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An out-of-bounds read vulnerability with the Opus encoder when the number of channels in an audio stream changes while the encoder is in use. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. Moderate CVE-2017-7758 SUSE bug 1043960 SUSE bug 1044239 SUSE bug 1044240 SUSE bug 1044241 SUSE bug 1044242 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The Mozilla Maintenance Service "helper.exe" application creates a temporary directory writable by non-privileged users. When this is combined with creation of a junction (a form of symbolic link), protected files in the target directory of the junction can be deleted by the Mozilla Maintenance Service, which has privileged access. Note: This attack requires local system access and only affects Windows. Other operating systems are not affected. This vulnerability affects Firefox ESR < 52.2 and Firefox < 54. Important CVE-2017-7761 SUSE bug 1043960 SUSE bug 1044239 SUSE bug 1044240 SUSE bug 1044241 SUSE bug 1044242 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Default fonts on OS X display some Tibetan characters as whitespace. When used in the addressbar as part of an IDN this can be used for domain name spoofing attacks. Note: This attack only affects OS X operating systems. Other operating systems are unaffected. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. Important CVE-2017-7763 SUSE bug 1043960 SUSE bug 1044239 SUSE bug 1044240 SUSE bug 1044241 SUSE bug 1044242 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Characters from the "Canadian Syllabics" unicode block can be mixed with characters from other unicode blocks in the addressbar instead of being rendered as their raw "punycode" form, allowing for domain name spoofing attacks through character confusion. The current Unicode standard allows characters from "Aspirational Use Scripts" such as Canadian Syllabics to be mixed with Latin characters in the "moderately restrictive" IDN profile. We have changed Firefox behavior to match the upcoming Unicode version 10.0 which removes this category and treats them as "Limited Use Scripts.". This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. Moderate CVE-2017-7764 SUSE bug 1043960 SUSE bug 1044239 SUSE bug 1044240 SUSE bug 1044241 SUSE bug 1044242 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The "Mark of the Web" was not correctly saved on Windows when files with very long names were downloaded from the Internet. Without the Mark of the Web data, the security warning that Windows displays before running executables downloaded from the Internet is not shown. Note: This attack only affects Windows operating systems. Other operating systems are unaffected. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. Important CVE-2017-7765 SUSE bug 1043960 SUSE bug 1044239 SUSE bug 1044240 SUSE bug 1044241 SUSE bug 1044242 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The Mozilla Maintenance Service can be invoked by an unprivileged user to read 32 bytes of any arbitrary file on the local system by convincing the service that it is reading a status file provided by the Mozilla Windows Updater. The Mozilla Maintenance Service executes with privileged access, bypassing system protections against unprivileged users. Note: This attack requires local system access and only affects Windows. Other operating systems are not affected. This vulnerability affects Firefox ESR < 52.2 and Firefox < 54. Important CVE-2017-7768 SUSE bug 1043960 SUSE bug 1044239 SUSE bug 1044240 SUSE bug 1044241 SUSE bug 1044242 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A number of security vulnerabilities in the Graphite 2 library including out-of-bounds reads, buffer overflow reads and writes, and the use of uninitialized memory. These issues were addressed in Graphite 2 version 1.3.10. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. Moderate CVE-2017-7778 SUSE bug 1043960 SUSE bug 1044239 SUSE bug 1044240 SUSE bug 1044241 SUSE bug 1044242 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Memory safety bugs were reported in Firefox 54, Firefox ESR 52.2, and Thunderbird 52.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. Important CVE-2017-7779 SUSE bug 1052829 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An error in the "WindowsDllDetourPatcher" where a RWX ("Read/Write/Execute") 4k block is allocated but never protected, violating DEP protections. Note: This attack only affects Windows operating systems. Other operating systems are not affected. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. Moderate CVE-2017-7782 SUSE bug 1052829 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A use-after-free vulnerability can occur when reading an image observer during frame reconstruction after the observer has been freed. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. Important CVE-2017-7784 SUSE bug 1052829 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A buffer overflow can occur when manipulating Accessible Rich Internet Applications (ARIA) attributes within the DOM. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. Important CVE-2017-7785 SUSE bug 1052829 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A buffer overflow can occur when the image renderer attempts to paint non-displayable SVG elements. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. Important CVE-2017-7786 SUSE bug 1052829 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Same-origin policy protections can be bypassed on pages with embedded iframes during page reloads, allowing the iframes to access content on the top level page, leading to information disclosure. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. Moderate CVE-2017-7787 SUSE bug 1052829 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA On pages containing an iframe, the "data:" protocol can be used to create a modal alert that will render over arbitrary domains following page navigation, spoofing of the origin of the modal alert from the iframe content. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. Moderate CVE-2017-7791 SUSE bug 1052829 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A buffer overflow will occur when viewing a certificate in the certificate manager if the certificate has an extremely long object identifier (OID). This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. Important CVE-2017-7792 SUSE bug 1052829 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A use-after-free vulnerability can occur in the Fetch API when the worker or the associated window are freed when still in use, resulting in a potentially exploitable crash. This vulnerability affects Firefox < 56, Firefox ESR < 52.4, and Thunderbird < 52.4. Important CVE-2017-7793 SUSE bug 1060445 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The Developer Tools feature suffers from a XUL injection vulnerability due to improper sanitization of the web page source code. In the worst case, this could allow arbitrary code execution when opening a malicious page with the style editor tool. This vulnerability affects Firefox ESR < 52.3 and Firefox < 55. Important CVE-2017-7798 SUSE bug 1052829 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A use-after-free vulnerability can occur in WebSockets when the object holding the connection is freed before the disconnection operation is finished. This results in an exploitable crash. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. Important CVE-2017-7800 SUSE bug 1052829 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A use-after-free vulnerability can occur while re-computing layout for a "marquee" element during window resizing where the updated style object is freed while still in use. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. Important CVE-2017-7801 SUSE bug 1052829 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A use-after-free vulnerability can occur when manipulating the DOM during the resize event of an image element. If these elements have been freed due to a lack of strong references, a potentially exploitable crash may occur when the freed elements are accessed. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. Important CVE-2017-7802 SUSE bug 1052829 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA When a page's content security policy (CSP) header contains a "sandbox" directive, other directives are ignored. This results in the incorrect enforcement of CSP. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. Moderate CVE-2017-7803 SUSE bug 1052829 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The destructor function for the "WindowsDllDetourPatcher" class can be re-purposed by malicious code in concert with another vulnerability to write arbitrary data to an attacker controlled location in memory. This can be used to bypass existing memory protections in this situation. Note: This attack only affects Windows operating systems. Other operating systems are not affected. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. Important CVE-2017-7804 SUSE bug 1052829 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA During TLS 1.2 exchanges, handshake hashes are generated which point to a message buffer. This saved data is used for later messages but in some cases, the handshake transcript can exceed the space available in the current buffer, causing the allocation of a new buffer. This leaves a pointer pointing to the old, freed buffer, resulting in a use-after-free when handshake hashes are then calculated afterwards. This can result in a potentially exploitable crash. This vulnerability affects Firefox < 56, Firefox ESR < 52.4, and Thunderbird < 52.4. Important CVE-2017-7805 SUSE bug 1060445 SUSE bug 1061005 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A mechanism that uses AppCache to hijack a URL in a domain using fallback by serving the files from a sub-path on the domain. This has been addressed by requiring fallback files be inside the manifest directory. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55. Important CVE-2017-7807 SUSE bug 1052829 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Memory safety bugs were reported in Firefox 55 and Firefox ESR 52.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 56, Firefox ESR < 52.4, and Thunderbird < 52.4. Important CVE-2017-7810 SUSE bug 1060445 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA File downloads encoded with "blob:" and "data:" URL elements bypassed normal file download checks though the Phishing and Malware Protection feature and its block lists of suspicious sites and files. This would allow malicious sites to lure users into downloading executables that would otherwise be detected as suspicious. This vulnerability affects Firefox < 56, Firefox ESR < 52.4, and Thunderbird < 52.4. Important CVE-2017-7814 SUSE bug 1060445 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A use-after-free vulnerability can occur when manipulating arrays of Accessible Rich Internet Applications (ARIA) elements within containers through the DOM. This results in a potentially exploitable crash. This vulnerability affects Firefox < 56, Firefox ESR < 52.4, and Thunderbird < 52.4. Important CVE-2017-7818 SUSE bug 1060445 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A use-after-free vulnerability can occur in design mode when image objects are resized if objects referenced during the resizing have been freed from memory. This results in a potentially exploitable crash. This vulnerability affects Firefox < 56, Firefox ESR < 52.4, and Thunderbird < 52.4. Important CVE-2017-7819 SUSE bug 1060445 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The content security policy (CSP) "sandbox" directive did not create a unique origin for the document, causing it to behave as if the "allow-same-origin" keyword were always specified. This could allow a Cross-Site Scripting (XSS) attack to be launched from unsafe content. This vulnerability affects Firefox < 56, Firefox ESR < 52.4, and Thunderbird < 52.4. Important CVE-2017-7823 SUSE bug 1060445 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A buffer overflow occurs when drawing and validating elements with the ANGLE graphics library, used for WebGL content. This is due to an incorrect value being passed within the library during checks and results in a potentially exploitable crash. This vulnerability affects Firefox < 56, Firefox ESR < 52.4, and Thunderbird < 52.4. Important CVE-2017-7824 SUSE bug 1060445 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Several fonts on OS X display some Tibetan and Arabic characters as whitespace. When used in the addressbar as part of an IDN this can be used for domain name spoofing attacks. Note: This attack only affects OS X operating systems. Other operating systems are unaffected. This vulnerability affects Firefox < 56, Firefox ESR < 52.4, and Thunderbird < 52.4. Important CVE-2017-7825 SUSE bug 1060445 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Memory safety bugs were reported in Firefox 56 and Firefox ESR 52.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 57, Firefox ESR < 52.5, and Thunderbird < 52.5. Important CVE-2017-7826 SUSE bug 1068101 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A use-after-free vulnerability can occur when flushing and resizing layout because the "PressShell" object has been freed while still in use. This results in a potentially exploitable crash during these operations. This vulnerability affects Firefox < 57, Firefox ESR < 52.5, and Thunderbird < 52.5. Important CVE-2017-7828 SUSE bug 1068101 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The Resource Timing API incorrectly revealed navigations in cross-origin iframes. This is a same-origin policy violation and could allow for data theft of URLs loaded by users. This vulnerability affects Firefox < 57, Firefox ESR < 52.5, and Thunderbird < 52.5. Important CVE-2017-7830 SUSE bug 1068101 SUSE Linux Enterprise Server 11 SP3-TERADATA International Components for Unicode (ICU) for C/C++ before 2017-02-13 has an out-of-bounds write caused by a heap-based buffer overflow related to the utf8TextAccess function in common/utext.cpp and the utext_setNativeIndex* function. Important CVE-2017-7867 SUSE bug 1034678 SUSE bug 1123121 SUSE Linux Enterprise Server 11 SP3-TERADATA International Components for Unicode (ICU) for C/C++ before 2017-02-13 has an out-of-bounds write caused by a heap-based buffer overflow related to the utf8TextAccess function in common/utext.cpp and the utext_moveIndex32* function. Important CVE-2017-7868 SUSE bug 1034674 SUSE bug 1123121 SUSE Linux Enterprise Server 11 SP3-TERADATA GnuTLS before 2017-02-20 has an out-of-bounds write caused by an integer overflow and heap-based buffer overflow related to the cdk_pkt_read function in opencdk/read-packet.c. This issue (which is a subset of the vendor's GNUTLS-SA-2017-3 report) is fixed in 3.5.10. Critical CVE-2017-7869 SUSE bug 1034173 SUSE bug 1038337 SUSE bug 1149679 SUSE Linux Enterprise Server 11 SP3-TERADATA The GIF decoding function gdImageCreateFromGifCtx in gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PHP before 5.6.31 and 7.x before 7.1.7, does not zero colorMap arrays before use. A specially crafted GIF image could use the uninitialized tables to read ~700 bytes from the top of the stack, potentially disclosing sensitive information. Low CVE-2017-7890 SUSE bug 1050241 SUSE Linux Enterprise Server 11 SP3-TERADATA The ReadSGIImage function in sgi.c in ImageMagick 7.0.5-4 allows remote attackers to consume an amount of available memory via a crafted file. Moderate CVE-2017-7941 SUSE bug 1034876 SUSE bug 1126909 SUSE Linux Enterprise Server 11 SP3-TERADATA The ReadAVSImage function in avs.c in ImageMagick 7.0.5-4 allows remote attackers to consume an amount of available memory via a crafted file. Moderate CVE-2017-7942 SUSE bug 1034872 SUSE Linux Enterprise Server 11 SP3-TERADATA The ReadSVGImage function in svg.c in ImageMagick 7.0.5-4 allows remote attackers to consume an amount of available memory via a crafted file. Moderate CVE-2017-7943 SUSE bug 1034870 SUSE bug 1036985 SUSE Linux Enterprise Server 11 SP3-TERADATA The cr_input_new_from_uri function in cr-input.c in libcroco 0.6.11 and 0.6.12 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted CSS file. Important CVE-2017-7960 SUSE bug 1034481 SUSE Linux Enterprise Server 11 SP3-TERADATA ** DISPUTED ** The cr_tknzr_parse_rgb function in cr-tknzr.c in libcroco 0.6.11 and 0.6.12 has an "outside the range of representable values of type long" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted CSS file. NOTE: third-party analysis reports "This is not a security issue in my view. The conversion surely is truncating the double into a long value, but there is no impact as the value is one of the RGB components." Low CVE-2017-7961 SUSE bug 1034482 SUSE bug 1132069 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Heap-based buffer overflow in Cirrus CLGD 54xx VGA Emulator in Quick Emulator (Qemu) 2.8 and earlier allows local guest OS users to execute arbitrary code or cause a denial of service (crash) via vectors related to a VNC client updating its display after a VGA operation. Moderate CVE-2017-7980 SUSE bug 1035406 SUSE bug 1035483 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Xen PV guest before Xen 4.3 checked access permissions to MMIO ranges only after accessing them, allowing host PCI device space memory reads, leading to information disclosure. This is an error in the get_user function. NOTE: the upstream Xen Project considers versions before 4.5.x to be EOL. Moderate CVE-2017-7995 SUSE bug 1033948 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Memory leak in the v9fs_list_xattr function in hw/9pfs/9p-xattr.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (memory consumption) via vectors involving the orig_value variable. Moderate CVE-2017-8086 SUSE bug 1035950 SUSE Linux Enterprise Server 11 SP3-TERADATA FreeType 2 before 2017-03-24 has an out-of-bounds write caused by a heap-based buffer overflow related to the t1_decoder_parse_charstrings function in psaux/t1decode.c. Moderate CVE-2017-8105 SUSE bug 1034186 SUSE bug 1035807 SUSE bug 1036457 SUSE bug 1079459 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS The salt-ssh minion code in SaltStack Salt 2016.11 before 2016.11.4 copied over configuration from the Salt Master without adjusting permissions, which might leak credentials to local attackers on configured minions (clients). Moderate CVE-2017-8109 SUSE bug 1035912 SUSE Linux Enterprise Server 11 SP3-TERADATA FreeType 2 before 2017-03-26 has an out-of-bounds write caused by a heap-based buffer overflow related to the t1_builder_close_contour function in psaux/psobjs.c. Important CVE-2017-8287 SUSE bug 1034186 SUSE bug 1035807 SUSE bug 1036457 SUSE bug 1079459 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 5 Artifex Ghostscript through 2017-04-26 allows -dSAFER bypass and remote command execution via .rsdparams type confusion with a "/OutputFile (%pipe%" substring in a crafted .eps document that is an input to the gs program, as exploited in the wild in April 2017. Important CVE-2017-8291 SUSE bug 1036453 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Memory leak in the audio/audio.c in QEMU (aka Quick Emulator) allows remote attackers to cause a denial of service (memory consumption) by repeatedly starting and stopping audio capture. Low CVE-2017-8309 SUSE bug 1037242 SUSE bug 1037243 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.5-5, the ReadPCXImage function in pcx.c allows attackers to cause a denial of service (memory leak) via a crafted file. Moderate CVE-2017-8344 SUSE bug 1036978 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.5-5, the ReadMNGImage function in png.c allows attackers to cause a denial of service (memory leak) via a crafted file. Moderate CVE-2017-8345 SUSE bug 1036980 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.5-5, the ReadDCMImage function in dcm.c allows attackers to cause a denial of service (memory leak) via a crafted file. Moderate CVE-2017-8346 SUSE bug 1036981 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.5-5, the ReadMATImage function in mat.c allows attackers to cause a denial of service (memory leak) via a crafted file. Moderate CVE-2017-8348 SUSE bug 1036983 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.5-5, the ReadSFWImage function in sfw.c allows attackers to cause a denial of service (memory leak) via a crafted file. Moderate CVE-2017-8349 SUSE bug 1036984 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.5-5, the ReadJNGImage function in png.c allows attackers to cause a denial of service (memory leak) via a crafted file. Moderate CVE-2017-8350 SUSE bug 1036985 SUSE bug 1053919 SUSE bug 1126909 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.5-5, the ReadPCDImage function in pcd.c allows attackers to cause a denial of service (memory leak) via a crafted file. Moderate CVE-2017-8351 SUSE bug 1036986 SUSE bug 1126909 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.5-5, the ReadXWDImage function in xwd.c allows attackers to cause a denial of service (memory leak) via a crafted file. Moderate CVE-2017-8352 SUSE bug 1036987 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.5-5, the ReadPICTImage function in pict.c allows attackers to cause a denial of service (memory leak) via a crafted file. Moderate CVE-2017-8353 SUSE bug 1036988 SUSE bug 1055010 SUSE bug 1126909 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.5-5, the ReadBMPImage function in bmp.c allows attackers to cause a denial of service (memory leak) via a crafted file. Moderate CVE-2017-8354 SUSE bug 1036989 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.5-5, the ReadMTVImage function in mtv.c allows attackers to cause a denial of service (memory leak) via a crafted file. Moderate CVE-2017-8355 SUSE bug 1036990 SUSE bug 1126909 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.5-5, the ReadEPTImage function in ept.c allows attackers to cause a denial of service (memory leak) via a crafted file. Moderate CVE-2017-8357 SUSE bug 1036976 SUSE Linux Enterprise Server 11 SP3-TERADATA The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted audio file. Moderate CVE-2017-8361 SUSE bug 1036944 SUSE Linux Enterprise Server 11 SP3-TERADATA The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (invalid read and application crash) via a crafted audio file. Moderate CVE-2017-8362 SUSE bug 1036943 SUSE Linux Enterprise Server 11 SP3-TERADATA The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted audio file. Moderate CVE-2017-8363 SUSE bug 1036945 SUSE Linux Enterprise Server 11 SP3-TERADATA The i2les_array function in pcm.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted audio file. Moderate CVE-2017-8365 SUSE bug 1036946 SUSE Linux Enterprise Server 11 SP3-TERADATA The function named ReadICONImage in coders\icon.c in ImageMagick 7.0.5-5 has a memory leak vulnerability which can cause memory exhaustion via a crafted ICON file. Moderate CVE-2017-8765 SUSE bug 1037527 SUSE bug 1053919 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA rpcbind through 0.2.4, LIBTIRPC through 1.0.1 and 1.0.2-rc through 1.0.2-rc3, and NTIRPC through 1.4.3 do not consider the maximum RPC data size during memory allocation for XDR strings, which allows remote attackers to cause a denial of service (memory consumption with no subsequent free) via a crafted UDP packet to port 111, aka rpcbomb. Important CVE-2017-8779 SUSE bug 1037559 SUSE bug 1037930 SUSE bug 1101814 SUSE bug 798028 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The xdr_bytes and xdr_string functions in the GNU C Library (aka glibc or libc6) 2.25 mishandle failures of buffer deserialization, which allows remote attackers to cause a denial of service (virtual memory allocation, or memory consumption if an overcommit setting is not used) via a crafted UDP packet to port 111, a related issue to CVE-2017-8779. Important CVE-2017-8804 SUSE bug 1037559 SUSE bug 1037930 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The dccp_disconnect function in net/dccp/proto.c in the Linux kernel through 4.14.3 allows local users to gain privileges or cause a denial of service (use-after-free) via an AF_UNSPEC connect system call during the DCCP_LISTEN state. Important CVE-2017-8824 SUSE bug 1070771 SUSE bug 1092904 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.5-6, the ReadBMPImage function in bmp.c:1379 allows attackers to cause a denial of service (memory leak) via a crafted file. Moderate CVE-2017-8830 SUSE bug 1038000 SUSE bug 1053919 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The saa7164_bus_get function in drivers/media/pci/saa7164/saa7164-bus.c in the Linux kernel through 4.11.5 allows local users to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact by changing a certain sequence-number value, aka a "double fetch" vulnerability. Moderate CVE-2017-8831 SUSE bug 1037994 SUSE bug 1053611 SUSE bug 1061936 SUSE bug 1087082 SUSE Linux Enterprise Server 11 SP3-TERADATA The cr_tknzr_parse_comment function in cr-tknzr.c in libcroco 0.6.12 allows remote attackers to cause a denial of service (memory allocation error) via a crafted CSS file. Low CVE-2017-8834 SUSE bug 1043898 SUSE bug 1043899 SUSE Linux Enterprise Server 11 SP3-TERADATA The cr_parser_parse_selector_core function in cr-parser.c in libcroco 0.6.12 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted CSS file. Low CVE-2017-8871 SUSE bug 1043898 SUSE bug 1043899 SUSE Linux Enterprise Server 11 SP3-TERADATA The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4 allows attackers to cause a denial of service (buffer over-read) or information disclosure. Moderate CVE-2017-8872 SUSE bug 1038444 SUSE bug 1123919 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel through 4.10.15 allows attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call. Important CVE-2017-8890 SUSE bug 1038544 SUSE bug 1038564 SUSE bug 1039883 SUSE bug 1039885 SUSE bug 1040069 SUSE bug 1042364 SUSE bug 1051906 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Xen through 4.6.x on 64-bit platforms mishandles a failsafe callback, which might allow PV guest OS users to execute arbitrary code on the host OS, aka XSA-215. Important CVE-2017-8905 SUSE bug 1034845 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The edge_bulk_in_callback function in drivers/usb/serial/io_ti.c in the Linux kernel before 4.10.4 allows local users to obtain sensitive information (in the dmesg ringbuffer and syslog) from uninitialized kernel memory by using a crafted USB device (posing as an io_ti USB serial device) to trigger an integer underflow. Moderate CVE-2017-8924 SUSE bug 1037182 SUSE bug 1038981 SUSE bug 1038982 SUSE bug 870618 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The omninet_open function in drivers/usb/serial/omninet.c in the Linux kernel before 4.10.4 allows local users to cause a denial of service (tty exhaustion) by leveraging reference count mishandling. Moderate CVE-2017-8925 SUSE bug 1037183 SUSE bug 1038981 SUSE bug 1038982 SUSE bug 870618 SUSE Linux Enterprise Server 11 SP3-TERADATA The gmp plugin in strongSwan before 5.5.3 does not properly validate RSA public keys before calling mpz_powm_sec, which allows remote peers to cause a denial of service (floating point exception and process crash) via a crafted certificate. Moderate CVE-2017-9022 SUSE bug 1039514 SUSE Linux Enterprise Server 11 SP3-TERADATA The ASN.1 parser in strongSwan before 5.5.3 improperly handles CHOICE types when the x509 plugin is enabled, which allows remote attackers to cause a denial of service (infinite loop) via a crafted certificate. Moderate CVE-2017-9023 SUSE bug 1039515 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A buffer overflow was discovered in libxml2 20904-GITv2.9.4-16-g0741801. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. The variable len is assigned strlen(buf). If the content->type is XML_ELEMENT_CONTENT_ELEMENT, then (i) the content->prefix is appended to buf (if it actually fits) whereupon (ii) content->name is written to the buffer. However, the check for whether the content->name actually fits also uses 'len' rather than the updated buffer length strlen(buf). This allows us to write about "size" many bytes beyond the allocated memory. This vulnerability causes programs that use libxml2, such as PHP, to crash. Moderate CVE-2017-9047 SUSE bug 1039063 SUSE bug 1039066 SUSE bug 1039657 SUSE bug 1123919 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a stack-based buffer overflow. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. At the end of the routine, the function may strcat two more characters without checking whether the current strlen(buf) + 2 < size. This vulnerability causes programs that use libxml2, such as PHP, to crash. Moderate CVE-2017-9048 SUSE bug 1039064 SUSE bug 1039066 SUSE bug 1039658 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictComputeFastKey function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for libxml2 Bug 759398. Important CVE-2017-9049 SUSE bug 1039063 SUSE bug 1039064 SUSE bug 1039066 SUSE bug 1039659 SUSE bug 1039661 SUSE bug 1069690 SUSE bug 1123919 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictAddString function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for CVE-2016-1839. Moderate CVE-2017-9050 SUSE bug 1039066 SUSE bug 1039069 SUSE bug 1039661 SUSE bug 1069433 SUSE bug 1069690 SUSE bug 1123919 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The IPv6 fragmentation implementation in the Linux kernel through 4.11.1 does not consider that the nexthdr field may be associated with an invalid option, which allows local users to cause a denial of service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send system calls. Moderate CVE-2017-9074 SUSE bug 1039882 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. Moderate CVE-2017-9075 SUSE bug 1038544 SUSE bug 1039883 SUSE bug 1051906 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. Moderate CVE-2017-9076 SUSE bug 1038544 SUSE bug 1039885 SUSE bug 1040069 SUSE bug 1051906 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. Moderate CVE-2017-9077 SUSE bug 1038544 SUSE bug 1040069 SUSE bug 1042364 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick before 7.0.5-2 and GraphicsMagick before 1.3.24 use uninitialized memory in the RLE decoder, allowing an attacker to leak sensitive information from process memory space, as demonstrated by remote attacks against ImageMagick code in a long-running server process that converts image data on behalf of multiple users. This is caused by a missing initialization step in the ReadRLEImage function in coders/rle.c. Moderate CVE-2017-9098 SUSE bug 1040025 SUSE bug 1053919 SUSE Linux Enterprise Server 11 SP3-TERADATA In OpenEXR 2.2.0, an invalid read of size 2 in the hufDecode function in ImfHuf.cpp could cause the application to crash. Moderate CVE-2017-9110 SUSE bug 1040107 SUSE bug 1040112 SUSE Linux Enterprise Server 11 SP3-TERADATA In OpenEXR 2.2.0, an invalid write of size 8 in the storeSSE function in ImfOptimizedPixelReading.h could cause the application to crash or execute arbitrary code. Moderate CVE-2017-9111 SUSE bug 1040109 SUSE Linux Enterprise Server 11 SP3-TERADATA In OpenEXR 2.2.0, an invalid read of size 1 in the getBits function in ImfHuf.cpp could cause the application to crash. Moderate CVE-2017-9112 SUSE bug 1040112 SUSE Linux Enterprise Server 11 SP3-TERADATA In OpenEXR 2.2.0, an invalid write of size 1 in the bufferedReadPixels function in ImfInputFile.cpp could cause the application to crash or execute arbitrary code. Moderate CVE-2017-9113 SUSE bug 1040113 SUSE Linux Enterprise Server 11 SP3-TERADATA In OpenEXR 2.2.0, an invalid read of size 1 in the refill function in ImfFastHuf.cpp could cause the application to crash. Moderate CVE-2017-9114 SUSE bug 1040114 SUSE Linux Enterprise Server 11 SP3-TERADATA In OpenEXR 2.2.0, an invalid write of size 2 in the = operator function in half.h could cause the application to crash or execute arbitrary code. Moderate CVE-2017-9115 SUSE bug 1040115 SUSE Linux Enterprise Server 11 SP3-TERADATA In LibTIFF 4.0.7, the program processes BMP images without verifying that biWidth and biHeight in the bitmap-information header match the actual input, leading to a heap-based buffer over-read in bmp2tiff. Moderate CVE-2017-9117 SUSE bug 1040080 SUSE bug 1150480 SUSE Linux Enterprise Server 11 SP3-TERADATA PHP 7.1.5 has an Out of bounds access in php_pcre_replace_impl via a crafted preg_replace call. Moderate CVE-2017-9118 SUSE bug 1105466 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.5-7 Q16, a crafted file could trigger an assertion failure in the ResetImageProfileIterator function in MagickCore/profile.c because of missing checks in the ReadDDSImage function in coders/dds.c. Moderate CVE-2017-9141 SUSE bug 1040303 SUSE bug 1053919 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.5-7 Q16, a crafted file could trigger an assertion failure in the WriteBlob function in MagickCore/blob.c because of missing checks in the ReadOneJNGImage function in coders/png.c. Moderate CVE-2017-9142 SUSE bug 1036985 SUSE bug 1040304 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.5-5, the ReadARTImage function in coders/art.c allows attackers to cause a denial of service (memory leak) via a crafted .art file. Moderate CVE-2017-9143 SUSE bug 1040306 SUSE bug 1053919 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.5-5, a crafted RLE image can trigger a crash because of incorrect EOF handling in coders/rle.c. Moderate CVE-2017-9144 SUSE bug 1040332 SUSE bug 1048936 SUSE bug 1053919 SUSE Linux Enterprise Server 11 SP3-TERADATA LibTIFF 4.0.7 has an invalid read in the _TIFFVGetField function in tif_dir.c, which might allow remote attackers to cause a denial of service (crash) via a crafted TIFF file. Moderate CVE-2017-9147 SUSE bug 1040322 SUSE bug 1150480 SUSE Linux Enterprise Server 11 SP3-TERADATA The TLS session cache in FreeRADIUS 2.1.1 through 2.1.7, 3.0.x before 3.0.14, 3.1.x before 2017-02-04, and 4.0.x before 2017-02-04 fails to reliably prevent resumption of an unauthenticated session, which allows remote attackers (such as malicious 802.1X supplicants) to bypass authentication via PEAP or TTLS. Important CVE-2017-9148 SUSE bug 1041445 SUSE bug 1046141 SUSE Linux Enterprise Server 11 SP3-TERADATA libjbig2dec.a in Artifex jbig2dec 0.13, as used in MuPDF and Ghostscript, has a NULL pointer dereference in the jbig2_huffman_get function in jbig2_huffman.c. For example, the jbig2dec utility will crash (segmentation fault) when parsing an invalid file. Moderate CVE-2017-9216 SUSE bug 1040643 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds read occurs in match_at() during regular expression searching. A logical error involving order of validation and access in match_at() could result in an out-of-bounds read from a stack buffer. Moderate CVE-2017-9224 SUSE bug 1040891 SUSE bug 1044976 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap out-of-bounds write or read occurs in next_state_val() during regular expression compilation. Octal numbers larger than 0xff are not handled correctly in fetch_token() and fetch_token_in_cc(). A malformed regular expression containing an octal number in the form of '\700' would produce an invalid code point value larger than 0xff in next_state_val(), resulting in an out-of-bounds write memory corruption. Important CVE-2017-9226 SUSE bug 1040889 SUSE bug 1044976 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds read occurs in mbc_enc_len() during regular expression searching. Invalid handling of reg->dmin in forward_search_range() could result in an invalid pointer dereference, as an out-of-bounds read from a stack buffer. Moderate CVE-2017-9227 SUSE bug 1040883 SUSE bug 1044976 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap out-of-bounds write occurs in bitset_set_range() during regular expression compilation due to an uninitialized variable from an incorrect state transition. An incorrect state transition in parse_char_class() could create an execution path that leaves a critical local variable uninitialized until it's used as an index, resulting in an out-of-bounds write memory corruption. Moderate CVE-2017-9228 SUSE bug 1068376 SUSE bug 1069606 SUSE bug 1069607 SUSE bug 1076391 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A SIGSEGV occurs in left_adjust_char_head() during regular expression compilation. Invalid handling of reg->dmax in forward_search_range() could result in an invalid pointer dereference, normally as an immediate denial-of-service condition. Moderate CVE-2017-9229 SUSE bug 1068376 SUSE bug 1069631 SUSE bug 1069632 SUSE bug 1076391 SUSE Linux Enterprise Server 11 SP3-TERADATA XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the parser in an infinite loop using a malformed external entity definition from an external DTD. Moderate CVE-2017-9233 SUSE bug 1030296 SUSE bug 1047236 SUSE bug 1073350 SUSE bug 1123115 SUSE bug 983216 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel through 4.11.3 is too late in checking whether an overwrite of an skb data structure may occur, which allows local users to cause a denial of service (system crash) via crafted system calls. Important CVE-2017-9242 SUSE bug 1041431 SUSE bug 1042892 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.5-6 Q16, the ReadMNGImage function in coders/png.c allows attackers to cause a denial of service (memory leak) via a crafted file. Moderate CVE-2017-9261 SUSE bug 1043354 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.5-6 Q16, the ReadJNGImage function in coders/png.c allows attackers to cause a denial of service (memory leak) via a crafted file. Moderate CVE-2017-9262 SUSE bug 1043353 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA QEMU (aka Quick Emulator) before 2.9.0, when built with the USB OHCI Emulation support, allows local guest OS users to cause a denial of service (infinite loop) by leveraging an incorrect return value, a different vulnerability than CVE-2017-6505. Low CVE-2017-9330 SUSE bug 1042159 SUSE bug 1042160 SUSE bug 1043157 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the MSNIP dissector misuses a NULL pointer. This was addressed in epan/dissectors/packet-msnip.c by validating an IPv4 address. Moderate CVE-2017-9343 SUSE bug 1042309 SUSE bug 1042324 SUSE bug 1042330 SUSE bug 1042331 SUSE bug 1077080 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the Bluetooth L2CAP dissector could divide by zero. This was addressed in epan/dissectors/packet-btl2cap.c by validating an interval value. Moderate CVE-2017-9344 SUSE bug 1042298 SUSE bug 1042324 SUSE bug 1042330 SUSE bug 1042331 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the DNS dissector could go into an infinite loop. This was addressed in epan/dissectors/packet-dns.c by trying to detect self-referencing pointers. Moderate CVE-2017-9345 SUSE bug 1042300 SUSE bug 1042324 SUSE bug 1042330 SUSE bug 1042331 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the SoulSeek dissector could go into an infinite loop. This was addressed in epan/dissectors/packet-slsk.c by making loop bounds more explicit. Moderate CVE-2017-9346 SUSE bug 1042301 SUSE bug 1042324 SUSE bug 1042330 SUSE bug 1042331 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.2.0 to 2.2.6, the ROS dissector could crash with a NULL pointer dereference. This was addressed in epan/dissectors/asn1/ros/packet-ros-template.c by validating an OID. Moderate CVE-2017-9347 SUSE bug 1042308 SUSE bug 1042324 SUSE bug 1042330 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.2.0 to 2.2.6, the DOF dissector could read past the end of a buffer. This was addressed in epan/dissectors/packet-dof.c by validating a size value. Moderate CVE-2017-9348 SUSE bug 1042303 SUSE bug 1042324 SUSE bug 1042330 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the DICOM dissector has an infinite loop. This was addressed in epan/dissectors/packet-dcm.c by validating a length value. Moderate CVE-2017-9349 SUSE bug 1042305 SUSE bug 1042324 SUSE bug 1042330 SUSE bug 1042331 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the openSAFETY dissector could crash or exhaust system memory. This was addressed in epan/dissectors/packet-opensafety.c by checking for a negative length. Moderate CVE-2017-9350 SUSE bug 1042299 SUSE bug 1042324 SUSE bug 1042330 SUSE bug 1042331 SUSE bug 1049255 SUSE bug 1049621 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the DHCP dissector could read past the end of a buffer. This was addressed in epan/dissectors/packet-bootp.c by extracting the Vendor Class Identifier more carefully. Moderate CVE-2017-9351 SUSE bug 1042302 SUSE bug 1042324 SUSE bug 1042330 SUSE bug 1042331 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the Bazaar dissector could go into an infinite loop. This was addressed in epan/dissectors/packet-bzr.c by ensuring that backwards parsing cannot occur. Moderate CVE-2017-9352 SUSE bug 1042304 SUSE bug 1042324 SUSE bug 1042330 SUSE bug 1042331 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.2.0 to 2.2.6, the IPv6 dissector could crash. This was addressed in epan/dissectors/packet-ipv6.c by validating an IPv6 address. Moderate CVE-2017-9353 SUSE bug 1042306 SUSE bug 1042324 SUSE bug 1042330 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the RGMP dissector could crash. This was addressed in epan/dissectors/packet-rgmp.c by validating an IPv4 address. Moderate CVE-2017-9354 SUSE bug 1042307 SUSE bug 1042324 SUSE bug 1042330 SUSE bug 1042331 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Memory leak in QEMU (aka Quick Emulator), when built with IDE AHCI Emulation support, allows local guest OS privileged users to cause a denial of service (memory consumption) by repeatedly hot-unplugging the AHCI device. Low CVE-2017-9373 SUSE bug 1042801 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA QEMU (aka Quick Emulator), when built with USB xHCI controller emulator support, allows local guest OS privileged users to cause a denial of service (infinite recursive call) via vectors involving control transfer descriptors sequencing. Low CVE-2017-9375 SUSE bug 1042800 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.5-5, the ReadICONImage function in icon.c:452 allows attackers to cause a denial of service (memory leak) via a crafted file. Moderate CVE-2017-9405 SUSE bug 1042911 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.5-5, the ReadPALMImage function in palm.c allows attackers to cause a denial of service (memory leak) via a crafted file. Moderate CVE-2017-9407 SUSE bug 1042824 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.5-5, the ReadMPCImage function in mpc.c allows attackers to cause a denial of service (memory leak) via a crafted file. Moderate CVE-2017-9409 SUSE bug 1042948 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.5-5, a memory leak was found in the function ReadPDBImage in coders/pdb.c, which allows attackers to cause a denial of service via a crafted file. Moderate CVE-2017-9439 SUSE bug 1042826 SUSE bug 1053919 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.5-8 Q16, an assertion failure was found in the function ResetImageProfileIterator, which allows attackers to cause a denial of service via a crafted file. Moderate CVE-2017-9500 SUSE bug 1043290 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.5-7 Q16, an assertion failure was found in the function LockSemaphoreInfo, which allows attackers to cause a denial of service via a crafted file. Moderate CVE-2017-9501 SUSE bug 1043289 SUSE bug 1053919 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA QEMU (aka Quick Emulator), when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allows local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors involving megasas command processing. Low CVE-2017-9503 SUSE bug 1043296 SUSE bug 1043297 SUSE bug 1043312 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The Ins_MIRP function in base/ttinterp.c in Artifex Ghostscript GhostXPS 9.21 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) or possibly have unspecified other impact via a crafted document. Important CVE-2017-9611 SUSE bug 1050893 SUSE Linux Enterprise Server 11 SP3-TERADATA The Ins_IP function in base/ttinterp.c in Artifex Ghostscript GhostXPS 9.21 allows remote attackers to cause a denial of service (use-after-free and application crash) or possibly have unspecified other impact via a crafted document. Important CVE-2017-9612 SUSE bug 1050891 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.2.7, deeply nested DAAP data may cause stack exhaustion (uncontrolled recursion) in the dissect_daap_one_tag function in epan/dissectors/packet-daap.c in the DAAP dissector. Moderate CVE-2017-9617 SUSE bug 1044417 SUSE Linux Enterprise Server 11 SP3-TERADATA The Ins_MDRP function in base/ttinterp.c in Artifex Ghostscript GhostXPS 9.21 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) or possibly have unspecified other impact via a crafted document. Important CVE-2017-9726 SUSE bug 1050889 SUSE Linux Enterprise Server 11 SP3-TERADATA The gx_ttfReader__Read function in base/gxttfb.c in Artifex Ghostscript GhostXPS 9.21 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) or possibly have unspecified other impact via a crafted document. Important CVE-2017-9727 SUSE bug 1050888 SUSE Linux Enterprise Server 11 SP3-TERADATA The Ins_JMPR function in base/ttinterp.c in Artifex Ghostscript GhostXPS 9.21 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) or possibly have unspecified other impact via a crafted document. Important CVE-2017-9739 SUSE bug 1050887 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.2.7, PROFINET IO data with a high recursion depth allows remote attackers to cause a denial of service (stack exhaustion) in the dissect_IODWriteReq function in plugins/profinet/packet-dcerpc-pn-io.c. Moderate CVE-2017-9766 SUSE bug 1045341 SUSE Linux Enterprise Server 11 SP3-TERADATA In Apache httpd before 2.2.34 and 2.4.x before 2.4.27, the value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments by mod_auth_digest. Providing an initial key with no '=' assignment could reflect the stale value of uninitialized pool memory used by the prior request, leading to leakage of potentially confidential information, and a segfault in other cases resulting in denial of service. Moderate CVE-2017-9788 SUSE bug 1048576 SUSE bug 1052635 SUSE bug 1060041 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in server/core.c. Moderate CVE-2017-9798 SUSE bug 1058058 SUSE bug 1060757 SUSE bug 1077582 SUSE bug 1078450 SUSE bug 1089997 SUSE bug 1095150 SUSE Linux Enterprise Server 11 SP3-TERADATA cairo-truetype-subset.c in cairo 1.15.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) because of mishandling of an unexpected malloc(0) call. Moderate CVE-2017-9814 SUSE bug 1049092 SUSE Linux Enterprise Server 11 SP3-TERADATA The gs_alloc_ref_array function in psi/ialloc.c in Artifex Ghostscript 9.21 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted PostScript document. This is related to a lack of an integer overflow check in base/gsalloc.c. Important CVE-2017-9835 SUSE bug 1050879 SUSE Linux Enterprise Server 11 SP3-TERADATA In LibTIFF 4.0.8, there is a heap-based buffer overflow in the t2p_write_pdf function in tools/tiff2pdf.c. This heap overflow could lead to different damages. For example, a crafted TIFF document can lead to an out-of-bounds read in TIFFCleanup, an invalid free in TIFFClose or t2p_free, memory corruption in t2p_readwrite_pdf_image, or a double free in t2p_free. Given these possibilities, it probably could cause arbitrary code execution. Important CVE-2017-9935 SUSE bug 1046077 SUSE bug 1074318 SUSE bug 1108606 SUSE bug 1110358 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA clamscan in ClamAV before 0.99.4 contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to improper input validation checking mechanisms when handling Portable Document Format (.pdf) files sent to an affected device. An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted .pdf file to an affected device. This action could cause an out-of-bounds read when ClamAV scans the malicious file, allowing the attacker to cause a DoS condition. This concerns pdf_parse_array and pdf_parse_string in libclamav/pdfng.c. Cisco Bug IDs: CSCvh91380, CSCvh91400. Moderate CVE-2018-0202 SUSE bug 1083915 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA ClamAV before 0.100.1 has an HWP integer overflow with a resultant infinite loop via a crafted Hangul Word Processor file. This is in parsehwp3_paragraph() in libclamav/hwp.c. Important CVE-2018-0360 SUSE bug 1101410 SUSE bug 1103091 SUSE bug 1103092 SUSE bug 1103099 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA ClamAV before 0.100.1 lacks a PDF object length check, resulting in an unreasonably long time to parse a relatively small file. Moderate CVE-2018-0361 SUSE bug 1101410 SUSE bug 1101412 SUSE bug 1103091 SUSE bug 1103092 SUSE bug 1103099 SUSE Linux Enterprise Server 11 SP3-TERADATA GNU Wget before 1.19.5 is prone to a cookie injection vulnerability in the resp_new function in http.c via a \r\n sequence in a continuation line. Moderate CVE-2018-0494 SUSE bug 1092061 SUSE bug 1123797 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Cross-site scripting vulnerability in Mailman 2.1.26 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors. Moderate CVE-2018-0618 SUSE bug 1099510 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2-1.0.2o). Moderate CVE-2018-0732 SUSE bug 1077628 SUSE bug 1097158 SUSE bug 1099502 SUSE bug 1106692 SUSE bug 1108542 SUSE bug 1112097 SUSE bug 1122198 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p). Moderate CVE-2018-0734 SUSE bug 1113534 SUSE bug 1113652 SUSE bug 1113742 SUSE bug 1122198 SUSE bug 1122212 SUSE bug 1126909 SUSE Linux Enterprise Server 11 SP3-TERADATA The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2b-1.0.2o). Moderate CVE-2018-0737 SUSE bug 1089039 SUSE bug 1089041 SUSE bug 1089044 SUSE bug 1089045 SUSE bug 1108542 SUSE bug 1123780 SUSE bug 1126909 SUSE Linux Enterprise Server 11 SP3-TERADATA Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g). Fixed in OpenSSL 1.0.2o (Affected 1.0.2b-1.0.2n). Important CVE-2018-0739 SUSE bug 1087102 SUSE bug 1089997 SUSE bug 1108542 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution. Important CVE-2018-1000001 SUSE bug 1074293 SUSE bug 1099047 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA In the Linux kernel 4.12, 3.10, 2.6 and possibly earlier versions a race condition vulnerability exists in the sound system, this can lead to a deadlock and denial of service condition. Moderate CVE-2018-1000004 SUSE bug 1076017 SUSE bug 1091815 SUSE Linux Enterprise Server 11 SP3-TERADATA libcurl 7.1 through 7.57.0 might accidentally leak authentication data to third parties. When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the `Location:` response header value. Sending the same set of headers to subsequent hosts is in particular a problem for applications that pass on custom `Authorization:` headers, as this header often contains privacy sensitive information or data that could allow others to impersonate the libcurl-using client's request. Moderate CVE-2018-1000007 SUSE bug 1077001 SUSE bug 1145903 SUSE Linux Enterprise Server 11 SP3-TERADATA The Squid Software Foundation Squid HTTP Caching Proxy version 3.0 to 3.5.27, 4.0 to 4.0.22 contains a Incorrect Pointer Handling vulnerability in ESI Response Processing that can result in Denial of Service for all clients using the proxy.. This attack appear to be exploitable via Remote server delivers an HTTP response payload containing valid but unusual ESI syntax.. This vulnerability appears to have been fixed in 4.0.23 and later. Moderate CVE-2018-1000024 SUSE bug 1077003 SUSE Linux Enterprise Server 11 SP3-TERADATA The Squid Software Foundation Squid HTTP Caching Proxy version prior to version 4.0.23 contains a NULL Pointer Dereference vulnerability in HTTP Response X-Forwarded-For header processing that can result in Denial of Service to all clients of the proxy. This attack appear to be exploitable via Remote HTTP server responding with an X-Forwarded-For header to certain types of HTTP request. This vulnerability appears to have been fixed in 4.0.23 and later. Moderate CVE-2018-1000027 SUSE bug 1077006 SUSE Linux Enterprise Server 11 SP3-TERADATA Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. Python versions prior to 2.7.14 may also be vulnerable and it appears that Python 2.7.17 and prior may also be vulnerable however this has not been confirmed. The vulnerability lies when multiply threads are handling large amounts of data. In both cases there is essentially a race condition that occurs. For the Heap-Buffer-Overflow, Thread 2 is creating the size for a buffer, but Thread1 is already writing to the buffer without knowing how much to write. So when a large amount of data is being processed, it is very easy to cause memory corruption using a Heap-Buffer-Overflow. As for the Use-After-Free, Thread3->Malloc->Thread1->Free's->Thread2-Re-uses-Free'd Memory. The PSRT has stated that this is not a security vulnerability due to the fact that the attacker must be able to run code, however in some situations, such as function as a service, this vulnerability can potentially be used by an attacker to violate a trust boundary, as such the DWF feels this issue deserves a CVE. Important CVE-2018-1000030 SUSE bug 1079300 SUSE Linux Enterprise Server 11 SP3-TERADATA A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code execution. Important CVE-2018-1000035 SUSE bug 1076531 SUSE bug 1080074 SUSE bug 1149684 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA ClamAV version version 0.99.3 contains a Out of bounds heap memory read vulnerability in XAR parser, function xar_hash_check() that can result in Leaking of memory, may help in developing exploit chains.. This attack appear to be exploitable via The victim must scan a crafted XAR file. This vulnerability appears to have been fixed in after commit d96a6b8bcc7439fa7e3876207aa0a8e79c8451b6. Moderate CVE-2018-1000085 SUSE bug 1082858 SUSE bug 1083915 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A buffer overflow exists in curl 7.12.3 to and including curl 7.58.0 in the FTP URL handling that allows an attacker to cause a denial of service or worse. Moderate CVE-2018-1000120 SUSE bug 1084521 SUSE bug 1101811 SUSE bug 1112526 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A NULL pointer dereference exists in curl 7.21.0 to and including curl 7.58.0 in the LDAP code that allows an attacker to cause a denial of service Moderate CVE-2018-1000121 SUSE bug 1084524 SUSE bug 1085215 SUSE bug 1101811 SUSE bug 1112526 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A buffer over-read exists in curl 7.20.0 to and including curl 7.58.0 in the RTSP+RTP handling code that allows an attacker to cause a denial of service or information leakage Moderate CVE-2018-1000122 SUSE bug 1084532 SUSE bug 1101811 SUSE bug 1112526 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA GNU Patch version 2.7.6 contains an input validation vulnerability when processing patch files, specifically the EDITOR_PROGRAM invocation (using ed) can result in code execution. This attack appear to be exploitable via a patch file processed via the patch utility. This is similar to FreeBSD's CVE-2015-1418 however although they share a common ancestry the code bases have diverged over time. Moderate CVE-2018-1000156 SUSE bug 1088420 SUSE bug 1093615 SUSE bug 1101128 SUSE bug 1142513 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The Linux Kernel version 3.18 contains a dangerous feature vulnerability in modify_user_hw_breakpoint() that can result in crash and possibly memory corruption. This attack appear to be exploitable via local code execution and the ability to use ptrace. This vulnerability appears to have been fixed in git commit f67b15037a7a50c57f72e69a6d59941ad90a0f0f. Important CVE-2018-1000199 SUSE bug 1089895 SUSE bug 1090036 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA ** DISPUTED ** Linux Kernel version 3.18 to 4.16 incorrectly handles an SG_IO ioctl on /dev/sg0 with dxfer_direction=SG_DXFER_FROM_DEV and an empty 6-byte cmdp. This may lead to copying up to 1000 kernel heap pages to the userspace. This has been fixed upstream in https://github.com/torvalds/linux/commit/a45b599ad808c3c982fdcdc12b0b8611c2f92824 already. The problem has limited scope, as users don't usually have permissions to access SCSI devices. On the other hand, e.g. the Nero user manual suggests doing `chmod o+r+w /dev/sg*` to make the devices accessible. NOTE: third parties dispute the relevance of this report, noting that the requirement for an attacker to have both the CAP_SYS_ADMIN and CAP_SYS_RAWIO capabilities makes it "virtually impossible to exploit." Moderate CVE-2018-1000204 SUSE bug 1096728 SUSE bug 1105412 SUSE Linux Enterprise Server 11 SP3-TERADATA curl version curl 7.20.0 to and including curl 7.59.0 contains a CWE-126: Buffer Over-read vulnerability in denial of service that can result in curl can be tricked into reading data beyond the end of a heap based buffer used to store downloaded RTSP content.. This vulnerability appears to have been fixed in curl < 7.20.0 and curl >= 7.60.0. Moderate CVE-2018-1000301 SUSE bug 1092098 SUSE bug 1122464 SUSE Linux Enterprise Server 11 SP3-TERADATA GNU Libtasn1-4.13 libtasn1-4.13 version libtasn1-4.13, libtasn1-4.12 contains a DoS, specifically CPU usage will reach 100% when running asn1Paser against the POC due to an issue in _asn1_expand_object_id(p_tree), after a long time, the program will be killed. This attack appears to be exploitable via parsing a crafted file. Moderate CVE-2018-1000654 SUSE bug 1105435 SUSE Linux Enterprise Server 11 SP3-TERADATA Python Software Foundation Python (CPython) version 2.7 contains a CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in shutil module (make_archive function) that can result in Denial of service, Information gain via injection of arbitrary files on the system or entire drive. This attack appear to be exploitable via Passage of unfiltered user input to the function. This vulnerability appears to have been fixed in after commit add531a1e55b0a739b0f42582f1c9747e5649ace. Moderate CVE-2018-1000802 SUSE bug 1109663 SUSE Linux Enterprise Server 11 SP3-TERADATA ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultID: CVE-2017-6519. Reason: This candidate is a duplicate of CVE-2017-6519. Notes: All CVE users should reference CVE-2017-6519 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Moderate CVE-2018-1000845 SUSE bug 1120281 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The kernel_wait4 function in kernel/exit.c in the Linux kernel before 4.13, when an unspecified architecture and compiler is used, might allow local users to cause a denial of service by triggering an attempted use of the -INT_MIN value. Moderate CVE-2018-10087 SUSE bug 1087082 SUSE bug 1089608 SUSE bug 1091815 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The kill_something_info function in kernel/signal.c in the Linux kernel before 4.13, when an unspecified architecture and compiler is used, might allow local users to cause a denial of service via an INT_MIN argument. Moderate CVE-2018-10124 SUSE bug 1087082 SUSE bug 1089752 SUSE bug 1091815 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.7-28, there is an infinite loop in the ReadOneMNGImage function of the coders/png.c file. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted mng file. Moderate CVE-2018-10177 SUSE bug 1089781 SUSE Linux Enterprise Server 11 SP3-TERADATA The set_text_distance function in devices/vector/gdevpdts.c in the pdfwrite component in Artifex Ghostscript through 9.22 does not prevent overflows in text-positioning calculation, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted PDF document. Important CVE-2018-10194 SUSE bug 1090099 SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Moderate CVE-2018-10195 SUSE bug 1090051 SUSE bug 1149678 SUSE Linux Enterprise Server 11 SP3-TERADATA The do_core_note function in readelf.c in libmagic.a in file 5.33 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted ELF file. Moderate CVE-2018-10360 SUSE bug 1096974 SUSE bug 1096984 SUSE bug 1126118 SUSE Linux Enterprise Server 11 SP3-TERADATA mapping0_forward in mapping0.c in Xiph.Org libvorbis 1.3.6 does not validate the number of channels, which allows remote attackers to cause a denial of service (heap-based buffer overflow or over-read) or possibly have unspecified other impact via a crafted file. Moderate CVE-2018-10392 SUSE bug 1091070 SUSE Linux Enterprise Server 11 SP3-TERADATA bark_noise_hybridmp in psy.c in Xiph.Org libvorbis 1.3.6 has a stack-based buffer over-read. Moderate CVE-2018-10393 SUSE bug 1091072 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in Xen through 4.10.x allowing x86 PV guest OS users to cause a denial of service (out-of-bounds zero write and hypervisor crash) via unexpected INT 80 processing, because of an incorrect fix for CVE-2017-5754. Moderate CVE-2018-10471 SUSE bug 1089635 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in Xen through 4.10.x allowing x86 HVM guest OS users (in certain configurations) to read arbitrary dom0 files via QMP live insertion of a CDROM, in conjunction with specifying the target file as the backing file of a snapshot. Moderate CVE-2018-10472 SUSE bug 1089152 SUSE Linux Enterprise Server 11 SP3-TERADATA All versions of Samba from 4.0.0 onwards are vulnerable to a denial of service attack when the RPC spoolss service is configured to be run as an external daemon. Missing input sanitization checks on some of the input parameters to spoolss RPC calls could cause the print spooler service to crash. Moderate CVE-2018-1050 SUSE bug 1081741 SUSE Linux Enterprise Server 11 SP3-TERADATA In postgresql 9.3.x before 9.3.21, 9.4.x before 9.4.16, 9.5.x before 9.5.11, 9.6.x before 9.6.7 and 10.x before 10.2, pg_upgrade creates file in current working directory containing the output of `pg_dumpall -g` under umask which was in effect when the user invoked pg_upgrade, and not under 0077 which is normally used for other temporary files. This can allow an authenticated attacker to read or modify the one file, which may contain encrypted or unencrypted database passwords. The attack is infeasible if a directory mode blocks the attacker searching the current working directory or if the prevailing umask blocks the attacker opening the file. Moderate CVE-2018-1053 SUSE bug 1077983 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in PHP before 5.6.35, 7.0.x before 7.0.29, 7.1.x before 7.1.16, and 7.2.x before 7.2.4. Dumpable FPM child processes allow bypassing opcache access controls because fpm_unix.c makes a PR_SET_DUMPABLE prctl call, allowing one user (in a multiuser environment) to obtain sensitive information from the process memory of a second user's PHP applications by running gcore on the PID of the PHP-FPM worker process. Important CVE-2018-10545 SUSE bug 1091367 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. An infinite loop exists in ext/iconv/iconv.c because the iconv stream filter does not reject invalid multibyte sequences. Moderate CVE-2018-10546 SUSE bug 1091363 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in ext/phar/phar_object.c in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. There is Reflected XSS on the PHAR 403 and 404 error pages via request data of a request for a .phar file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-5712. Moderate CVE-2018-10547 SUSE bug 1091362 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. ext/ldap/ldap.c allows remote LDAP servers to cause a denial of service (NULL pointer dereference and application crash) because of mishandling of the ldap_get_dn return value. Moderate CVE-2018-10548 SUSE bug 1091355 SUSE Linux Enterprise Server 11 SP3-TERADATA A flaw was found in the way Postgresql allowed a user to modify the behavior of a query for other users. An attacker with a user account could use this flaw to execute code with the permissions of superuser in the database. Versions 9.3 through 10 are affected. Moderate CVE-2018-1058 SUSE bug 1081925 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in pop3lib's apop() method. An attacker could use this flaw to cause denial of service. Low CVE-2018-1060 SUSE bug 1088009 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in the difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause denial of service. Moderate CVE-2018-1061 SUSE bug 1088004 SUSE Linux Enterprise Server 11 SP3-TERADATA Context relabeling of filesystems is vulnerable to symbolic link attack, allowing a local, unprivileged malicious entity to change the SELinux context of an arbitrary file to a context with few restrictions. This only happens when the relabeling process is done, usually when taking SELinux state from disabled to enable (permissive or enforcing). The issue was found in policycoreutils 2.5-11. Moderate CVE-2018-1063 SUSE bug 1083624 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA libvirt version before 4.2.0-rc1 is vulnerable to a resource exhaustion as a result of an incomplete fix for CVE-2018-5748 that affects QEMU monitor but now also triggered via QEMU guest agent. Moderate CVE-2018-1064 SUSE bug 1076500 SUSE bug 1083625 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The do_get_mempolicy function in mm/mempolicy.c in the Linux kernel before 4.12.9 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted system calls. Moderate CVE-2018-10675 SUSE bug 1087082 SUSE bug 1091755 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A flaw was found in the Linux 4.x kernel's implementation of 32-bit syscall interface for bridging. This allowed a privileged user to arbitrarily write to a limited range of kernel memory. Important CVE-2018-1068 SUSE bug 1085107 SUSE bug 1085114 SUSE bug 1087082 SUSE bug 1123903 SUSE Linux Enterprise Server 11 SP3-TERADATA TIFFWriteScanline in tif_write.c in LibTIFF 3.8.2 has a heap-based buffer over-read, as demonstrated by bmp2tiff. Low CVE-2018-10779 SUSE bug 1092480 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick version 7.0.7-28 contains a memory leak in ReadYCBCRImage in coders/ycbcr.c. Low CVE-2018-10805 SUSE bug 1095812 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS. Moderate CVE-2018-10839 SUSE bug 1110910 SUSE bug 1110924 SUSE Linux Enterprise Server 11 SP3-TERADATA A cache-based side channel in GnuTLS implementation that leads to plain text recovery in cross-VM attack setting was found. An attacker could use a combination of "Just in Time" Prime+probe attack in combination with Lucky-13 attack to recover plain text using crafted packets. Moderate CVE-2018-10846 SUSE bug 1105460 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A heap-buffer overflow was found in the way samba clients processed extra long filename in a directory listing. A malicious samba server could use this flaw to cause arbitrary code execution on a samba client. Samba versions before 4.6.16, 4.7.9 and 4.8.4 are vulnerable. Moderate CVE-2018-10858 SUSE bug 1103411 SUSE Linux Enterprise Server 11 SP3-TERADATA perl-archive-zip is vulnerable to a directory traversal in Archive::Zip. It was found that the Archive::Zip module did not properly sanitize paths while extracting zip files. An attacker able to provide a specially crafted archive for processing could use this flaw to write or overwrite arbitrary files in the context of the perl interpreter. Moderate CVE-2018-10860 SUSE bug 1099497 SUSE Linux Enterprise Server 11 SP3-LTSS kernel KVM before versions kernel 4.16, kernel 4.16-rc7, kernel 4.17-rc1, kernel 4.17-rc2 and kernel 4.17-rc3 is vulnerable to a flaw in the way the Linux kernel's KVM hypervisor handled exceptions delivered after a stack switch operation via Mov SS or Pop SS instructions. During the stack switch operation, the processor did not deliver interrupts and exceptions, rather they are delivered once the first instruction after the stack switch is executed. An unprivileged KVM guest user could use this flaw to crash the guest or, potentially, escalate their privileges in the guest. Moderate CVE-2018-1087 SUSE bug 1087088 SUSE Linux Enterprise Server 11 SP3-TERADATA ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: this candidate is not about any specific product, protocol, or design, that falls into the scope of the assigning CNA. Notes: None. Moderate CVE-2018-10886 SUSE bug 1100053 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA It was found that the raw midi kernel driver does not protect against concurrent access which leads to a double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status() which are part of snd_rawmidi_ioctl() handler in rawmidi.c file. A malicious local attacker could possibly use this for privilege escalation. Important CVE-2018-10902 SUSE bug 1105322 SUSE bug 1105323 SUSE Linux Enterprise Server 11 SP3-TERADATA In fuse before versions 2.9.8 and 3.x before 3.2.5, fusermount is vulnerable to a restriction bypass when SELinux is active. This allows non-root users to mount a FUSE file system with the 'allow_other' mount option regardless of whether 'user_allow_other' is set in the fuse configuration. An attacker may use this flaw to mount a FUSE file system, accessible by other users, and trick them into accessing files on that file system, possibly causing Denial of Service or other unspecified effects. Moderate CVE-2018-10906 SUSE bug 1101797 SUSE bug 1127346 SUSE bug 1127350 SUSE Linux Enterprise Server 11 SP3-TERADATA A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. If an affected version of libpq was used with "host" or "hostaddr" connection parameters from untrusted input, attackers could bypass client-side connection security features, obtain access to higher privileged connections or potentially cause other impact through SQL injection, by causing the PQescape() functions to malfunction. Postgresql versions before 10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24 are affected. Important CVE-2018-10915 SUSE bug 1104199 SUSE bug 1140876 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS It was found that cobbler 2.6.x exposed all functions from its CobblerXMLRPCInterface class over XMLRPC. A remote, unauthenticated attacker could use this flaw to gain high privileges within cobbler, upload files to arbitrary location in the context of the daemon. Critical CVE-2018-10931 SUSE bug 1104189 SUSE bug 1104190 SUSE bug 1104287 SUSE bug 1105440 SUSE bug 1105442 SUSE bug 1130105 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The cdrom_ioctl_media_changed function in drivers/cdrom/cdrom.c in the Linux kernel before 4.16.6 allows local attackers to use a incorrect bounds check in the CDROM driver CDROM_MEDIA_CHANGED ioctl to read out kernel memory. Moderate CVE-2018-10940 SUSE bug 1087082 SUSE bug 1092903 SUSE bug 1107689 SUSE bug 1113751 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in Xen through 4.10.x allowing x86 HVM guest OS users to cause a denial of service (host OS infinite loop) in situations where a QEMU device model attempts to make invalid transitions between states of a request. Moderate CVE-2018-10981 SUSE bug 1090823 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in Xen through 4.10.x allowing x86 HVM guest OS users to cause a denial of service (unexpectedly high interrupt number, array overrun, and hypervisor crash) or possibly gain hypervisor privileges by setting up an HPET timer to deliver interrupts in IO-APIC mode, aka vHPET interrupt injection. Important CVE-2018-10982 SUSE bug 1090822 SUSE Linux Enterprise Server 11 SP3-TERADATA zsh through version 5.4.2 is vulnerable to a stack-based buffer overflow in the utils.c:checkmailpath function. A local attacker could exploit this to execute arbitrary code in the context of another user. Important CVE-2018-1100 SUSE bug 1089030 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in libjpeg 9a. The alloc_sarray function in jmemmgr.c allows remote attackers to cause a denial of service (divide-by-zero error) via a crafted file. Low CVE-2018-11212 SUSE bug 1122299 SUSE Linux Enterprise Server 11 SP3-TERADATA procps-ng before version 3.3.15 is vulnerable to a local privilege escalation in top. If a user runs top with HOME unset in an attacker-controlled directory, the attacker could achieve privilege escalation by exploiting one of several vulnerabilities in the config_file() function. Low CVE-2018-1122 SUSE bug 1087082 SUSE bug 1092100 SUSE bug 1093158 SUSE bug 1123135 SUSE bug 1126909 SUSE Linux Enterprise Server 11 SP3-TERADATA procps-ng before version 3.3.15 is vulnerable to a denial of service in ps via mmap buffer overflow. Inbuilt protection in ps maps a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service). Low CVE-2018-1123 SUSE bug 1087082 SUSE bug 1092100 SUSE bug 1093158 SUSE bug 1123135 SUSE bug 1126909 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA stdlib/canonicalize.c in the GNU C Library (aka glibc or libc6) 2.27 and earlier, when processing very long pathname arguments to the realpath function, could encounter an integer overflow on 32-bit architectures, leading to a stack-based buffer overflow and, potentially, arbitrary code execution. Important CVE-2018-11236 SUSE bug 1094161 SUSE bug 1118435 SUSE Linux Enterprise Server 11 SP3-TERADATA procps-ng before version 3.3.15 is vulnerable to multiple integer overflows leading to a heap corruption in file2strvec function. This allows a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users. Low CVE-2018-1124 SUSE bug 1087082 SUSE bug 1092100 SUSE bug 1093158 SUSE bug 1123135 SUSE bug 1126909 SUSE Linux Enterprise Server 11 SP3-TERADATA procps-ng before version 3.3.15 is vulnerable to a stack buffer overflow in pgrep. This vulnerability is mitigated by FORTIFY, as it involves strncat() to a stack-allocated string. When pgrep is compiled with FORTIFY (as on Red Hat Enterprise Linux and Fedora), the impact is limited to a crash. Low CVE-2018-1125 SUSE bug 1087082 SUSE bug 1092100 SUSE bug 1093158 SUSE bug 1123135 SUSE bug 1126909 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.7-23 Q16 x86_64 2018-01-24, there is a heap-based buffer over-read in ReadSUNImage in coders/sun.c, which allows attackers to cause a denial of service (application crash in SetGrayscaleImage in MagickCore/quantize.c) via a crafted SUN image file. Moderate CVE-2018-11251 SUSE bug 1094237 SUSE Linux Enterprise Server 11 SP3-TERADATA procps-ng before version 3.3.15 is vulnerable to an incorrect integer size in proc/alloc.* leading to truncation/integer overflow issues. This flaw is related to CVE-2018-1124. Low CVE-2018-1126 SUSE bug 1087082 SUSE bug 1092100 SUSE bug 1093158 SUSE bug 1123135 SUSE bug 1126909 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Linux kernel before version 4.16-rc7 is vulnerable to a null pointer dereference in dccp_write_xmit() function in net/dccp/output.c in that allows a local user to cause a denial of service by a number of certain crafted system calls. Moderate CVE-2018-1130 SUSE bug 1092904 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.6.0, the IEEE 1905.1a dissector could crash. This was addressed in epan/dissectors/packet-ieee1905.c by making a certain correction to string handling. Moderate CVE-2018-11354 SUSE bug 1094301 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.6.0, the RTCP dissector could crash. This was addressed in epan/dissectors/packet-rtcp.c by avoiding a buffer overflow for packet status chunks. Moderate CVE-2018-11355 SUSE bug 1094301 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.6.0, 2.4.0 to 2.4.6, and 2.2.0 to 2.2.14, the DNS dissector could crash. This was addressed in epan/dissectors/packet-dns.c by avoiding a NULL pointer dereference for an empty name in an SRV record. Moderate CVE-2018-11356 SUSE bug 1094301 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.6.0, 2.4.0 to 2.4.6, and 2.2.0 to 2.2.14, the LTP dissector and other dissectors could consume excessive memory. This was addressed in epan/tvbuff.c by rejecting negative lengths. Moderate CVE-2018-11357 SUSE bug 1094301 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.6.0, 2.4.0 to 2.4.6, and 2.2.0 to 2.2.14, the Q.931 dissector could crash. This was addressed in epan/dissectors/packet-q931.c by avoiding a use-after-free after a malformed packet prevented certain cleanup. Moderate CVE-2018-11358 SUSE bug 1094301 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.6.0, 2.4.0 to 2.4.6, and 2.2.0 to 2.2.14, the RRC dissector and other dissectors could crash. This was addressed in epan/proto.c by avoiding a NULL pointer dereference. Moderate CVE-2018-11359 SUSE bug 1094301 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.6.0, 2.4.0 to 2.4.6, and 2.2.0 to 2.2.14, the GSM A DTAP dissector could crash. This was addressed in epan/dissectors/packet-gsm_a_dtap.c by fixing an off-by-one error that caused a buffer overflow. Moderate CVE-2018-11360 SUSE bug 1094301 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.6.0, the IEEE 802.11 protocol dissector could crash. This was addressed in epan/crypt/dot11decrypt.c by avoiding a buffer overflow during FTE processing in Dot11DecryptTDLSDeriveKey. Moderate CVE-2018-11361 SUSE bug 1094301 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.6.0, 2.4.0 to 2.4.6, and 2.2.0 to 2.2.14, the LDSS dissector could crash. This was addressed in epan/dissectors/packet-ldss.c by avoiding a buffer over-read upon encountering a missing '\0' character. Moderate CVE-2018-11362 SUSE bug 1094301 SUSE Linux Enterprise Server 11 SP3-TERADATA libjpeg-turbo 1.5.90 is vulnerable to a denial of service vulnerability caused by a divide by zero when processing a crafted BMP image. Moderate CVE-2018-1152 SUSE bug 1098155 SUSE bug 1149960 SUSE Linux Enterprise Server 11 SP3-TERADATA Liblouis 3.5.0 has a stack-based Buffer Overflow in the function parseChars in compileTranslationTable.c, a different vulnerability than CVE-2018-11440. Moderate CVE-2018-11683 SUSE bug 1095827 SUSE bug 1096665 SUSE Linux Enterprise Server 11 SP3-TERADATA Liblouis 3.5.0 has a stack-based Buffer Overflow in the function includeFile in compileTranslationTable.c. Moderate CVE-2018-11684 SUSE bug 1095826 SUSE Linux Enterprise Server 11 SP3-TERADATA Liblouis 3.5.0 has a stack-based Buffer Overflow in the function compileHyphenation in compileTranslationTable.c. Moderate CVE-2018-11685 SUSE bug 1095825 SUSE Linux Enterprise Server 11 SP3-TERADATA This vulnerability allows remote attackers to deny service on vulnerable installations of The Squid Software Foundation Squid 3.5.27-20180318. Authentication is not required to exploit this vulnerability. The specific flaw exists within ClientRequestContext::sslBumpAccessCheck(). A crafted request can trigger the dereference of a null pointer. An attacker can leverage this vulnerability to create a denial-of-service condition to users of the system. Was ZDI-CAN-6088. Important CVE-2018-1172 SUSE bug 1090089 SUSE Linux Enterprise Server 11 SP3-TERADATA The Apache Web Server (httpd) specific code that normalised the requested path before matching it to the URI-worker map in Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44 did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via httpd, then it was possible for a specially constructed request to expose application functionality through the reverse proxy that was not intended for clients accessing the application via the reverse proxy. It was also possible in some configurations for a specially constructed request to bypass the access controls configured in httpd. While there is some overlap between this issue and CVE-2018-1323, they are not identical. Important CVE-2018-11759 SUSE bug 1114612 SUSE Linux Enterprise Server 11 SP3-TERADATA When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice. Moderate CVE-2018-11784 SUSE bug 1110850 SUSE bug 1122212 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA m_cat in slirp/mbuf.c in Qemu has a heap-based buffer overflow via incoming fragmented datagrams. Moderate CVE-2018-11806 SUSE bug 1096223 SUSE bug 1096224 SUSE Linux Enterprise Server 11 SP3-TERADATA libjpeg 9c has a large loop because read_pixel in rdtarga.c mishandles EOF. Moderate CVE-2018-11813 SUSE bug 1096209 SUSE bug 1149960 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name. Moderate CVE-2018-12015 SUSE bug 1096718 SUSE bug 1099497 SUSE bug 1099507 SUSE bug 1106717 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes. Important CVE-2018-12020 SUSE bug 1096745 SUSE bug 1101134 SUSE Linux Enterprise Server 11 SP3-TERADATA Microarchitectural Store Buffer Data Sampling (MSBDS): Store buffers on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf Moderate CVE-2018-12126 SUSE bug 1103186 SUSE bug 1111331 SUSE bug 1132686 SUSE bug 1135409 SUSE bug 1135522 SUSE bug 1135524 SUSE bug 1137916 SUSE bug 1149725 SUSE bug 1149726 SUSE bug 1149729 SUSE Linux Enterprise Server 11 SP3-TERADATA Microarchitectural Load Port Data Sampling (MLPDS): Load ports on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf Moderate CVE-2018-12127 SUSE bug 1103186 SUSE bug 1111331 SUSE bug 1132686 SUSE bug 1135409 SUSE Linux Enterprise Server 11 SP3-TERADATA Microarchitectural Fill Buffer Data Sampling (MFBDS): Fill buffers on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf Moderate CVE-2018-12130 SUSE bug 1103186 SUSE bug 1111331 SUSE bug 1132686 SUSE bug 1135409 SUSE bug 1137916 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA In the ea_get function in fs/jfs/xattr.c in the Linux kernel through 4.17.1, a memory corruption bug in JFS can be triggered by calling setxattr twice with two different extended attribute names on the same file. This vulnerability can be triggered by an unprivileged user with the ability to create files and execute programs. A kmalloc call is incorrect, leading to slab-out-of-bounds in jfs_xattr. Moderate CVE-2018-12233 SUSE bug 1087082 SUSE bug 1097234 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Stack-based buffer overflow in ntpq and ntpdc of NTP version 4.2.8p11 allows an attacker to achieve code execution or escalate to higher privileges via a long string as the argument for an IPv4 or IPv6 command-line parameter. NOTE: It is unclear whether there are any common situations in which ntpq or ntpdc is used with a command line from an untrusted source. Moderate CVE-2018-12327 SUSE bug 1098531 SUSE bug 1107887 SUSE bug 1111552 SUSE bug 1111853 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A buffer overflow can occur when rendering canvas content while adjusting the height and width of the canvas element dynamically, causing data to be written outside of the currently computed boundaries. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 60, Thunderbird < 52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61. Important CVE-2018-12359 SUSE bug 1098998 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A use-after-free vulnerability can occur when deleting an input element during a mutation event handler triggered by focusing that element. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 60, Thunderbird < 52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61. Important CVE-2018-12360 SUSE bug 1098998 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An integer overflow can occur during graphics operations done by the Supplemental Streaming SIMD Extensions 3 (SSSE3) scaler, resulting in a potentially exploitable crash. This vulnerability affects Thunderbird < 60, Thunderbird < 52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61. Important CVE-2018-12362 SUSE bug 1098998 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A use-after-free vulnerability can occur when script uses mutation events to move DOM nodes between documents, resulting in the old document that held the node being freed but the node still having a pointer referencing it. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 60, Thunderbird < 52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61. Important CVE-2018-12363 SUSE bug 1098998 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA NPAPI plugins, such as Adobe Flash, can send non-simple cross-origin requests, bypassing CORS by making a same-origin POST that does a 307 redirect to the target site. This allows for a malicious site to engage in cross-site request forgery (CSRF) attacks. This vulnerability affects Thunderbird < 60, Thunderbird < 52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61. Important CVE-2018-12364 SUSE bug 1098998 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A compromised IPC child process can escape the content sandbox and list the names of arbitrary files on the file system without user consent or interaction. This could result in exposure of private local files. This vulnerability affects Thunderbird < 60, Thunderbird < 52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61. Important CVE-2018-12365 SUSE bug 1098998 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An invalid grid size during QCMS (color profile) transformations can result in the out-of-bounds read interpreted as a float value. This could leak private data into the output. This vulnerability affects Thunderbird < 60, Thunderbird < 52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61. Important CVE-2018-12366 SUSE bug 1098998 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Windows 10 does not warn users before opening executable files with the SettingContent-ms extension even when they have been downloaded from the internet and have the "Mark of the Web." Without the warning, unsuspecting users unfamiliar with this new file type might run an unwanted executable. This also allows a WebExtension with the limited downloads.open permission to execute arbitrary code without user interaction on Windows 10 systems. *Note: this issue only affects Windows operating systems. Other operating systems are unaffected.*. This vulnerability affects Thunderbird < 60, Thunderbird < 52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61. Moderate CVE-2018-12368 SUSE bug 1098998 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA In Eclipse OpenJ9 version 0.8, users other than the process owner may be able to use Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and use Attach API operations, which includes the ability to execute untrusted native code. Attach API is enabled by default on Windows, Linux and AIX JVMs and can be disabled using the command line option -Dcom.ibm.tools.attach.enable=no. Important CVE-2018-12539 SUSE bug 1101645 SUSE bug 1101656 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.8-3 Q16, ReadBMPImage and WriteBMPImage in coders/bmp.c allow attackers to cause an out of bounds write via a crafted file. Moderate CVE-2018-12599 SUSE bug 1098546 SUSE bug 1117463 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.8-3 Q16, ReadDIBImage and WriteDIBImage in coders/dib.c allow attackers to cause an out of bounds write via a crafted file. Moderate CVE-2018-12600 SUSE bug 1098545 SUSE bug 1098546 SUSE bug 1117463 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA qmp_guest_file_read in qga/commands-posix.c and qga/commands-win32.c in qemu-ga (aka QEMU Guest Agent) in QEMU 2.12.50 has an integer overflow causing a g_malloc0() call to trigger a segmentation fault when trying to allocate a large memory chunk. The vulnerability can be exploited by sending a crafted QMP command (including guest-file-read with a large count value) to the agent via the listening socket. Moderate CVE-2018-12617 SUSE bug 1098735 SUSE bug 1098744 SUSE Linux Enterprise Server 11 SP3-TERADATA exif_read_from_impl in ext/exif/exif.c in PHP 7.2.x through 7.2.7 allows attackers to trigger a use-after-free (in exif_read_from_file) because it closes a stream that it is not responsible for closing. The vulnerable code is reachable through the PHP exif_read_data function. Moderate CVE-2018-12882 SUSE bug 1099098 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in Xen through 4.10.x. Certain PV MMU operations may take a long time to process. For that reason Xen explicitly checks for the need to preempt the current vCPU at certain points. A few rarely taken code paths did bypass such checks. By suitably enforcing the conditions through its own page table contents, a malicious guest may cause such bypasses to be used for an unbounded number of iterations. A malicious or buggy PV guest may cause a Denial of Service (DoS) affecting the entire host. Specifically, it may prevent use of a physical CPU for an indeterminate period of time. All Xen versions from 3.4 onwards are vulnerable. Xen versions 3.3 and earlier are vulnerable to an even wider class of attacks, due to them lacking preemption checks altogether in the affected code paths. Only x86 systems are affected. ARM systems are not affected. Only multi-vCPU x86 PV guests can leverage the vulnerability. x86 HVM or PVH guests as well as x86 single-vCPU PV ones cannot leverage the vulnerability. Important CVE-2018-12891 SUSE bug 1097521 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in Xen through 4.10.x. One of the fixes in XSA-260 added some safety checks to help prevent Xen livelocking with debug exceptions. Unfortunately, due to an oversight, at least one of these safety checks can be triggered by a guest. A malicious PV guest can crash Xen, leading to a Denial of Service. All Xen systems which have applied the XSA-260 fix are vulnerable. Only x86 systems are vulnerable. ARM systems are not vulnerable. Only x86 PV guests can exploit the vulnerability. x86 HVM and PVH guests cannot exploit the vulnerability. An attacker needs to be able to control hardware debugging facilities to exploit the vulnerability, but such permissions are typically available to unprivileged users. Important CVE-2018-12893 SUSE bug 1097522 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in the Linux kernel through 4.17.3. An Integer Overflow in kernel/time/posix-timers.c in the POSIX timer code is caused by the way the overrun accounting works. Depending on interval and expiry time values, the overrun can be larger than INT_MAX, but the accounting is int based. This basically makes the accounting values, which are visible to user space via timer_getoverrun(2) and siginfo::si_overrun, random. For example, a local user can cause a denial of service (signed integer overflow) via crafted mmap, futex, timer_create, and timer_settime system calls. Low CVE-2018-12896 SUSE bug 1099922 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the cpSeparateBufToContigBuf function in tiffcp.c in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (crash) or possibly have unspecified other impact via a crafted TIFF file. Moderate CVE-2018-12900 SUSE bug 1099257 SUSE bug 1125113 SUSE bug 1150480 SUSE Linux Enterprise Server 11 SP3-TERADATA A specially crafted request could have crashed the Apache HTTP Server prior to version 2.4.30, due to an out of bound access after a size limit is reached by reading the HTTP header. This vulnerability is considered very hard if not impossible to trigger in non-debug mode (both log and build level), so it is classified as low risk for common server usage. Important CVE-2018-1301 SUSE bug 1086817 SUSE Linux Enterprise Server 11 SP3-TERADATA The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected. Moderate CVE-2018-1304 SUSE bug 1082480 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The alarm_timer_nsleep function in kernel/time/alarmtimer.c in the Linux kernel through 4.17.3 has an integer overflow via a large relative timeout because ktime_add_safe is not used. Low CVE-2018-13053 SUSE bug 1099924 SUSE Linux Enterprise Server 11 SP3-TERADATA In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent reply attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection. Moderate CVE-2018-1312 SUSE bug 1086775 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An integer overflow in the uvesafb_setcmap function in drivers/video/fbdev/uvesafb.c in the Linux kernel before 4.17.4 could result in local attackers being able to crash the kernel or potentially elevate privileges because kmalloc_array is not used. Moderate CVE-2018-13406 SUSE bug 1098016 SUSE bug 1100418 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA In libpng 1.6.34, a wrong calculation of row_factor in the png_check_chunk_length function (pngrutil.c) may trigger an integer overflow and resultant divide-by-zero while processing a crafted PNG file, leading to a denial of service. Low CVE-2018-13785 SUSE bug 1100687 SUSE bug 1112153 SUSE bug 1116574 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in GNU Mailman before 2.1.28. A crafted URL can cause arbitrary text to be displayed on a web page from a trusted site. Moderate CVE-2018-13796 SUSE bug 1101288 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Under certain circumstances, a flaw in the J9 JVM (IBM SDK, Java Technology Edition 7.1 and 8.0) allows untrusted code running under a security manager to elevate its privileges. IBM X-Force ID: 138823. Important CVE-2018-1417 SUSE bug 1093311 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.6.0 to 2.6.1, 2.4.0 to 2.4.7, and 2.2.0 to 2.2.15, the MMSE dissector could go into an infinite loop. This was addressed in epan/proto.c by adding offset and length validation. Low CVE-2018-14339 SUSE bug 1101810 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.6.0 to 2.6.1, 2.4.0 to 2.4.7, and 2.2.0 to 2.2.15, dissectors that support zlib decompression could crash. This was addressed in epan/tvbuff_zlib.c by rejecting negative lengths to avoid a buffer over-read. Low CVE-2018-14340 SUSE bug 1101804 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.6.0 to 2.6.1, 2.4.0 to 2.4.7, and 2.2.0 to 2.2.15, the DICOM dissector could go into a large or infinite loop. This was addressed in epan/dissectors/packet-dcm.c by preventing an offset overflow. Low CVE-2018-14341 SUSE bug 1101776 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.6.0 to 2.6.1, 2.4.0 to 2.4.7, and 2.2.0 to 2.2.15, the BGP protocol dissector could go into a large loop. This was addressed in epan/dissectors/packet-bgp.c by validating Path Attribute lengths. Low CVE-2018-14342 SUSE bug 1101777 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.6.0 to 2.6.1, 2.4.0 to 2.4.7, and 2.2.0 to 2.2.15, the ASN.1 BER dissector could crash. This was addressed in epan/dissectors/packet-ber.c by ensuring that length values do not exceed the maximum signed integer. Low CVE-2018-14343 SUSE bug 1101786 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.6.0 to 2.6.1, 2.4.0 to 2.4.7, and 2.2.0 to 2.2.15, the ISMP dissector could crash. This was addressed in epan/dissectors/packet-ismp.c by validating the IPX address length to avoid a buffer over-read. Low CVE-2018-14344 SUSE bug 1101788 SUSE Linux Enterprise Server 11 SP3-TERADATA libcgroup up to and including 0.41 creates /var/log/cgred with mode 0666 regardless of the configured umask, leading to disclosure of information. Moderate CVE-2018-14348 SUSE bug 1100365 SUSE bug 1149966 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. imap/command.c mishandles a NO response without a message. Moderate CVE-2018-14349 SUSE bug 1101428 SUSE bug 1101589 SUSE bug 1101593 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. imap/message.c has a stack-based buffer overflow for a FETCH response with a long INTERNALDATE field. Moderate CVE-2018-14350 SUSE bug 1101428 SUSE bug 1101588 SUSE bug 1101593 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. imap_quote_string in imap/util.c does not leave room for quote characters, leading to a stack-based buffer overflow. Moderate CVE-2018-14352 SUSE bug 1101428 SUSE bug 1101582 SUSE bug 1101593 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. imap_quote_string in imap/util.c has an integer underflow. Moderate CVE-2018-14353 SUSE bug 1101428 SUSE bug 1101581 SUSE bug 1101593 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. They allow remote IMAP servers to execute arbitrary commands via backquote characters, related to the mailboxes command associated with a manual subscription or unsubscription. Critical CVE-2018-14354 SUSE bug 1101428 SUSE bug 1101578 SUSE bug 1101581 SUSE bug 1101589 SUSE bug 1101593 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. imap/util.c mishandles ".." directory traversal in a mailbox name. Moderate CVE-2018-14355 SUSE bug 1101428 SUSE bug 1101577 SUSE bug 1101593 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. pop.c mishandles a zero-length UID. Moderate CVE-2018-14356 SUSE bug 1101428 SUSE bug 1101576 SUSE bug 1101589 SUSE bug 1101593 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. They allow remote IMAP servers to execute arbitrary commands via backquote characters, related to the mailboxes command associated with an automatic subscription. Important CVE-2018-14357 SUSE bug 1101428 SUSE bug 1101573 SUSE bug 1101581 SUSE bug 1101589 SUSE bug 1101593 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. imap/message.c has a stack-based buffer overflow for a FETCH response with a long RFC822.SIZE field. Moderate CVE-2018-14358 SUSE bug 1101428 SUSE bug 1101571 SUSE bug 1101593 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. They have a buffer overflow via base64 data. Moderate CVE-2018-14359 SUSE bug 1101428 SUSE bug 1101570 SUSE bug 1101589 SUSE bug 1101593 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. pop.c does not forbid characters that may have unsafe interaction with message-cache pathnames, as demonstrated by a '/' character. Moderate CVE-2018-14362 SUSE bug 1101428 SUSE bug 1101567 SUSE bug 1101589 SUSE bug 1101593 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.6.0 to 2.6.1 and 2.4.0 to 2.4.7, the CoAP protocol dissector could crash. This was addressed in epan/dissectors/packet-coap.c by properly checking for a NULL condition. Low CVE-2018-14367 SUSE bug 1101791 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.6.0 to 2.6.1, 2.4.0 to 2.4.7, and 2.2.0 to 2.2.15, the Bazaar protocol dissector could go into an infinite loop. This was addressed in epan/dissectors/packet-bzr.c by properly handling items that are too long. Low CVE-2018-14368 SUSE bug 1101794 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.6.0 to 2.6.1, 2.4.0 to 2.4.7, and 2.2.0 to 2.2.15, the HTTP2 dissector could crash. This was addressed in epan/dissectors/packet-http2.c by verifying that header data was found before proceeding to header decompression. Low CVE-2018-14369 SUSE bug 1101800 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.6.0 to 2.6.1 and 2.4.0 to 2.4.7, the IEEE 802.11 protocol dissector could crash. This was addressed in epan/crypt/airpdcap.c via bounds checking that prevents a buffer over-read. Low CVE-2018-14370 SUSE bug 1101802 SUSE Linux Enterprise Server 11 SP3-TERADATA A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application. Moderate CVE-2018-14404 SUSE bug 1102046 SUSE bug 1148896 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick 7.0.8-4 has a memory leak for a colormap in WriteMPCImage in coders/mpc.c. Low CVE-2018-14434 SUSE bug 1102003 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick 7.0.8-4 has a memory leak in DecodeImage in coders/pcd.c. Low CVE-2018-14435 SUSE bug 1102007 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick 7.0.8-4 has a memory leak in ReadMIFFImage in coders/miff.c. Low CVE-2018-14436 SUSE bug 1102005 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick 7.0.8-4 has a memory leak in parse8BIM in coders/meta.c. Low CVE-2018-14437 SUSE bug 1102004 SUSE Linux Enterprise Server 11 SP3-TERADATA get_8bit_row in rdbmp.c in libjpeg-turbo through 1.5.90 and MozJPEG through 3.3.1 allows attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted 8-bit BMP in which one or more of the color indices is out of range for the number of palette entries. Moderate CVE-2018-14498 SUSE bug 1128712 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in XListExtensions in ListExt.c in libX11 through 1.6.5. A malicious server can send a reply in which the first string overflows, causing a variable to be set to NULL that will be freed later on, leading to DoS (segmentation fault). Moderate CVE-2018-14598 SUSE bug 1102073 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in libX11 through 1.6.5. The function XListExtensions in ListExt.c is vulnerable to an off-by-one error caused by malicious server responses, leading to DoS or possibly unspecified other impact. Moderate CVE-2018-14599 SUSE bug 1102062 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in libX11 through 1.6.5. The function XListExtensions in ListExt.c interprets a variable as signed instead of unsigned, resulting in an out-of-bounds write (of up to 128 bytes), leading to DoS or remote code execution. Important CVE-2018-14600 SUSE bug 1102068 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in the Linux kernel through 4.17.10. There is a NULL pointer dereference and panic in hfsplus_lookup() in fs/hfsplus/dir.c when opening a file (that is purportedly a hard link) in an hfs+ filesystem that has malformed catalog data, and is mounted read-only without a metadata directory. Moderate CVE-2018-14617 SUSE bug 1102870 SUSE Linux Enterprise Server 11 SP3-TERADATA curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.) Moderate CVE-2018-14618 SUSE bug 1106019 SUSE bug 1112758 SUSE bug 1122464 SUSE Linux Enterprise Server 11 SP3-TERADATA An infinite loop vulnerability was found in libtirpc before version 1.0.2-rc2. With the port to using poll rather than select, exhaustion of file descriptors would cause the server to enter an infinite loop, consuming a large amount of CPU time and denying service to other clients until restarted. Moderate CVE-2018-14621 SUSE bug 1106519 SUSE Linux Enterprise Server 11 SP3-TERADATA A null-pointer dereference vulnerability was found in libtirpc before version 0.3.3-rc3. The return value of makefd_xprt() was not checked in all instances, which could lead to a crash when the server exhausted the maximum number of available file descriptors. A remote attacker could cause an rpc-based application to crash by flooding it with new connections. Moderate CVE-2018-14622 SUSE bug 1106517 SUSE bug 968175 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A security flaw was found in the chap_server_compute_md5() function in the ISCSI target code in the Linux kernel in a way an authentication request from an ISCSI initiator is processed. An unauthenticated remote attacker can cause a stack buffer overflow and smash up to 17 bytes of the stack. The attack requires the iSCSI target to be enabled on the victim host. Depending on how the target's code was built (i.e. depending on a compiler, compile flags and hardware architecture) an attack may lead to a system crash and thus to a denial-of-service or possibly to a non-authorized access to data exported by an iSCSI target. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is highly unlikely. Kernel versions 4.18.x, 4.14.x and 3.10.x are believed to be vulnerable. Important CVE-2018-14633 SUSE bug 1107829 SUSE bug 1107832 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An integer overflow flaw was found in the Linux kernel's create_elf_tables() function. An unprivileged local user with access to SUID (or otherwise privileged) binary could use this flaw to escalate their privileges on the system. Kernel versions 2.6.x, 3.10.x and 4.14.x are believed to be vulnerable. Important CVE-2018-14634 SUSE bug 1108912 SUSE bug 1108963 SUSE bug 1120323 SUSE bug 1122265 SUSE Linux Enterprise Server 11 SP3-TERADATA Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM. Python 3.8, 3.7, 3.6, 3.5, 3.4, 2.7 are believed to be vulnerable. Moderate CVE-2018-14647 SUSE bug 1109847 SUSE bug 1126909 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission check for -modulepath and -logfile options when starting Xorg. X server allows unprivileged users with the ability to log in to the system via physical console to escalate their privileges and run arbitrary code under root privileges. Important CVE-2018-14665 SUSE bug 1111697 SUSE bug 1112020 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha. It does not reject blank CHM filenames. Moderate CVE-2018-14680 SUSE bug 1102922 SUSE bug 1103032 SUSE bug 1103040 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in kwajd_read_headers in mspack/kwajd.c in libmspack before 0.7alpha. Bad KWAJ file header extensions could cause a one or two byte overwrite. Moderate CVE-2018-14681 SUSE bug 1102922 SUSE bug 1103032 SUSE bug 1103040 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha. There is an off-by-one error in the TOLOWER() macro for CHM decompression. Moderate CVE-2018-14682 SUSE bug 1102922 SUSE bug 1103032 SUSE bug 1103040 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA drivers/infiniband/core/ucma.c in the Linux kernel through 4.17.11 allows ucma_leave_multicast to access a certain data structure after a cleanup step in ucma_process_join, which allows attackers to cause a denial of service (use-after-free). Important CVE-2018-14734 SUSE bug 1103119 SUSE bug 1131390 SUSE Linux Enterprise Server 11 SP3-TERADATA exif_process_IFD_in_MAKERNOTE in ext/exif/exif.c in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted JPEG file. Moderate CVE-2018-14851 SUSE bug 1103659 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8. An Integer Overflow leads to a heap-based buffer over-read in exif_thumbnail_extract of exif.c. Moderate CVE-2018-14883 SUSE bug 1103836 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA LibVNC before commit 73cb96fec028a576a5a24417b57723b55854ad7b contains heap use-after-free vulnerability in server code of file transfer extension that can result remote code execution Critical CVE-2018-15126 SUSE bug 1120114 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA LibVNC before commit 502821828ed00b4a2c4bef90683d0fd88ce495de contains heap out-of-bound write vulnerability in server code of file transfer extension that can result remote code execution Critical CVE-2018-15127 SUSE bug 1120117 SUSE bug 1123828 SUSE bug 1123832 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A flaw in the java.math component in IBM SDK, Java Technology Edition 6.0, 7.0, and 8.0 may allow an attacker to inflict a denial-of-service attack with specially crafted String data. IBM X-Force ID: 141681. Important CVE-2018-1517 SUSE bug 1101645 SUSE bug 1101656 SUSE Linux Enterprise Server 11 SP3-TERADATA Nmap through 7.70, when the -sV option is used, allows remote attackers to cause a denial of service (stack consumption and application crash) via a crafted TCP-based service. Moderate CVE-2018-15173 SUSE bug 1104139 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A vulnerability in ClamAV versions prior to 0.100.2 could allow an attacker to cause a denial of service (DoS) condition. The vulnerability is due to an error related to the MEW unpacker within the "unmew11()" function (libclamav/mew.c), which can be exploited to trigger an invalid read memory access via a specially crafted EXE file. Moderate CVE-2018-15378 SUSE bug 1110723 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c. Moderate CVE-2018-15473 SUSE bug 1105010 SUSE bug 1106163 SUSE bug 1123133 SUSE bug 1138392 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The spectre_v2_select_mitigation function in arch/x86/kernel/cpu/bugs.c in the Linux kernel before 4.18.1 does not always fill RSB upon a context switch, which makes it easier for attackers to conduct userspace-userspace spectreRSB attacks. Moderate CVE-2018-15572 SUSE bug 1102517 SUSE bug 1105296 SUSE Linux Enterprise Server 11 SP3-TERADATA arch/x86/kernel/paravirt.c in the Linux kernel before 4.18.1 mishandles certain indirect calls, which makes it easier for attackers to conduct Spectre-v2 attacks against paravirtual guests. Moderate CVE-2018-15594 SUSE bug 1105348 SUSE bug 1119974 SUSE bug 1133319 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA qemu-seccomp.c in QEMU might allow local OS guest users to cause a denial of service (guest crash) by leveraging mishandling of the seccomp policy for threads other than the main thread. Moderate CVE-2018-15746 SUSE bug 1106222 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS Directory Traversal vulnerability in salt-api in SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allows remote attackers to determine which files exist on the server. Important CVE-2018-15750 SUSE bug 1113698 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allow remote attackers to bypass authentication and execute arbitrary commands via salt-api(netapi). Critical CVE-2018-15751 SUSE bug 1113698 SUSE bug 1113699 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files could use a type confusion in the LockDistillerParams parameter to crash the interpreter or execute code. Important CVE-2018-15910 SUSE bug 1106173 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or "oracle") as a vulnerability.' Moderate CVE-2018-15919 SUSE bug 1105010 SUSE bug 1106163 SUSE bug 1114890 SUSE bug 1115654 SUSE bug 1123133 SUSE bug 1138392 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.6.0 to 2.6.2, 2.4.0 to 2.4.8, and 2.2.0 to 2.2.16, the Bluetooth Attribute Protocol dissector could crash. This was addressed in epan/dissectors/packet-btatt.c by verifying that a dissector for a specific UUID exists. Important CVE-2018-16056 SUSE bug 1106514 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.6.0 to 2.6.2, 2.4.0 to 2.4.8, and 2.2.0 to 2.2.16, the Radiotap dissector could crash. This was addressed in epan/dissectors/packet-ieee80211-radiotap-iter.c by validating iterator operations. Important CVE-2018-16057 SUSE bug 1106514 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.6.0 to 2.6.2, 2.4.0 to 2.4.8, and 2.2.0 to 2.2.16, the Bluetooth AVDTP dissector could crash. This was addressed in epan/dissectors/packet-btavdtp.c by properly initializing a data structure. Important CVE-2018-16058 SUSE bug 1106514 SUSE Linux Enterprise Server 11 SP3-TERADATA dwarf_getaranges in dwarf_getaranges.c in libdw in elfutils before 2018-08-18 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted file. Moderate CVE-2018-16062 SUSE bug 1106390 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in yurex_read in drivers/usb/misc/yurex.c in the Linux kernel before 4.17.7. Local attackers could use user access read/writes with incorrect bounds checking in the yurex USB driver to crash the kernel or potentially escalate privileges. Important CVE-2018-16276 SUSE bug 1106095 SUSE bug 1115593 SUSE Linux Enterprise Server 11 SP3-TERADATA ReadXBMImage in coders/xbm.c in ImageMagick before 7.0.8-9 leaves data uninitialized when processing an XBM file that has a negative pixel value. If the affected code is used as a library loaded into a process that includes sensitive information, that information sometimes can be leaked via the image data. Moderate CVE-2018-16323 SUSE bug 1106855 SUSE Linux Enterprise Server 11 SP3-TERADATA newoffsets handling in ChopUpSingleUncompressedStrip in tif_dirread.c in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, as demonstrated by tiff2pdf. This is a different vulnerability than CVE-2018-15209. Moderate CVE-2018-16335 SUSE bug 1106853 SUSE Linux Enterprise Server 11 SP3-TERADATA Several buffer overflows when handling responses from a Muscle Card in muscle_list_files in libopensc/card-muscle.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact. Moderate CVE-2018-16391 SUSE bug 1106998 SUSE Linux Enterprise Server 11 SP3-TERADATA Several buffer overflows when handling responses from a TCOS Card in tcos_select_file in libopensc/card-tcos.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact. Moderate CVE-2018-16392 SUSE bug 1106999 SUSE Linux Enterprise Server 11 SP3-TERADATA Several buffer overflows when handling responses from a Gemsafe V1 Smartcard in gemsafe_get_cert_len in libopensc/pkcs15-gemsafeV1.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact. Moderate CVE-2018-16393 SUSE bug 1108318 SUSE Linux Enterprise Server 11 SP3-TERADATA libdw in elfutils 0.173 checks the end of the attributes list incorrectly in dwarf_getabbrev in dwarf_getabbrev.c and dwarf_hasattr in dwarf_hasattr.c, leading to a heap-based buffer over-read and an application crash. Low CVE-2018-16403 SUSE bug 1107067 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick 7.0.8-11 Q16 has a heap-based buffer over-read in the coders/psd.c ParseImageResourceBlocks function. Low CVE-2018-16412 SUSE bug 1106989 SUSE bug 1106996 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick 7.0.8-11 Q16 has a heap-based buffer over-read in the MagickCore/quantum-private.h PushShortPixel function when called from the coders/psd.c ParseImageResourceBlocks function. Low CVE-2018-16413 SUSE bug 1106989 SUSE bug 1106996 SUSE Linux Enterprise Server 11 SP3-TERADATA A buffer overflow when handling string concatenation in util_acl_to_str in tools/util.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact. Moderate CVE-2018-16418 SUSE bug 1107039 SUSE Linux Enterprise Server 11 SP3-TERADATA Several buffer overflows when handling responses from a Cryptoflex card in read_public_key in tools/cryptoflex-tool.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact. Moderate CVE-2018-16419 SUSE bug 1107107 SUSE Linux Enterprise Server 11 SP3-TERADATA A single byte buffer overflow when handling responses from an esteid Card in sc_pkcs15emu_esteid_init in libopensc/pkcs15-esteid.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact. Moderate CVE-2018-16422 SUSE bug 1107038 SUSE Linux Enterprise Server 11 SP3-TERADATA A double free when handling responses from a smartcard in sc_file_set_sec_attr in libopensc/sc.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact. Moderate CVE-2018-16423 SUSE bug 1107037 SUSE Linux Enterprise Server 11 SP3-TERADATA Various out of bounds reads when handling responses in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to potentially crash the opensc library using programs. Moderate CVE-2018-16427 SUSE bug 1107033 SUSE Linux Enterprise Server 11 SP3-TERADATA GNOME GLib 2.56.1 has an out-of-bounds read vulnerability in g_markup_parse_context_parse() in gmarkup.c, related to utf8_str(). Moderate CVE-2018-16429 SUSE bug 1107116 SUSE bug 1148890 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in Artifex Ghostscript before 9.24. Incorrect "restoration of privilege" checking during handling of /invalidaccess exceptions could be used by attackers able to supply crafted PostScript to execute code using the "pipe" instruction. Important CVE-2018-16509 SUSE bug 1107410 SUSE bug 1108027 SUSE bug 1118318 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in Artifex Ghostscript before 9.24. A type confusion in "ztype" could be used by remote attackers able to supply crafted PostScript to crash the interpreter or possibly have unspecified other impact. Important CVE-2018-16511 SUSE bug 1107426 SUSE bug 1111479 SUSE bug 1112229 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files could use a type confusion in the setcolor function to crash the interpreter or possibly have unspecified other impact. Important CVE-2018-16513 SUSE bug 1107412 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files to the builtin PDF14 converter could use a use-after-free in copydevice handling to crash the interpreter or possibly have unspecified other impact. Important CVE-2018-16540 SUSE bug 1107420 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files could use incorrect free logic in pagedevice replacement to crash the interpreter. Important CVE-2018-16541 SUSE bug 1107421 SUSE bug 1108027 SUSE bug 1109105 SUSE bug 1111479 SUSE bug 1111480 SUSE bug 1112229 SUSE bug 1117022 SUSE bug 1118455 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files could use insufficient interpreter stack-size checking during error handling to crash the interpreter. Important CVE-2018-16542 SUSE bug 1107413 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The IBM Java Runtime Environment's Diagnostic Tooling Framework for Java (DTFJ) (IBM SDK, Java Technology Edition 6.0 , 7.0, and 8.0) does not protect against path traversal attacks when extracting compressed dump files. IBM X-Force ID: 144882. Important CVE-2018-1656 SUSE bug 1101645 SUSE bug 1101656 SUSE Linux Enterprise Server 11 SP3-TERADATA The function InsertRow in coders/cut.c in ImageMagick 7.0.7-37 allows remote attackers to cause a denial of service via a crafted image file due to an out-of-bounds write. Moderate CVE-2018-16642 SUSE bug 1107616 SUSE Linux Enterprise Server 11 SP3-TERADATA The functions ReadDCMImage in coders/dcm.c, ReadPWPImage in coders/pwp.c, ReadCALSImage in coders/cals.c, and ReadPICTImage in coders/pict.c in ImageMagick 7.0.8-4 do not check the return value of the fputc function, which allows remote attackers to cause a denial of service via a crafted image file. Low CVE-2018-16643 SUSE bug 1107612 SUSE Linux Enterprise Server 11 SP3-TERADATA There is a missing check for length in the functions ReadDCMImage of coders/dcm.c and ReadPICTImage of coders/pict.c in ImageMagick 7.0.8-11, which allows remote attackers to cause a denial of service via a crafted image. Low CVE-2018-16644 SUSE bug 1107609 SUSE bug 1107612 SUSE bug 1117463 SUSE Linux Enterprise Server 11 SP3-TERADATA There is an excessive memory allocation issue in the functions ReadBMPImage of coders/bmp.c and ReadDIBImage of coders/dib.c in ImageMagick 7.0.8-11, which allows remote attackers to cause a denial of service via a crafted image file. Low CVE-2018-16645 SUSE bug 1107604 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in the Linux kernel before 4.18.6. An information leak in cdrom_ioctl_drive_status in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940. Moderate CVE-2018-16658 SUSE bug 1092903 SUSE bug 1107689 SUSE bug 1113751 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in mgetty before 1.2.1. In fax/faxq-helper.c, the function do_activate() does not properly sanitize shell metacharacters to prevent command injection. It is possible to use the ||, &&, or > characters within a file created by the "faxq-helper activate <jobid>" command. Important CVE-2018-16741 SUSE bug 1108752 SUSE bug 1112042 SUSE bug 1149970 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in mgetty before 1.2.1. In contrib/scrts.c, a stack-based buffer overflow can be triggered via a command-line parameter. Low CVE-2018-16742 SUSE bug 1108762 SUSE bug 1112042 SUSE bug 1149970 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in mgetty before 1.2.1. In contrib/next-login/login.c, the command-line parameter username is passed unsanitized to strcpy(), which can cause a stack-based buffer overflow. Low CVE-2018-16743 SUSE bug 1108761 SUSE bug 1112042 SUSE bug 1149970 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in mgetty before 1.2.1. In fax_notify_mail() in faxrec.c, the mail_to parameter is not sanitized. It could allow for command injection if untrusted input can reach it, because popen is used. Low CVE-2018-16744 SUSE bug 1108757 SUSE bug 1112042 SUSE bug 1149970 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in mgetty before 1.2.1. In fax_notify_mail() in faxrec.c, the mail_to parameter is not sanitized. It could allow a buffer overflow if long untrusted input can reach it. Low CVE-2018-16745 SUSE bug 1108756 SUSE bug 1112042 SUSE bug 1149970 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.7-29 and earlier, a missing NULL check in ReadOneJNGImage in coders/png.c allows an attacker to cause a denial of service (WriteBlob assertion failure and application exit) via a crafted file. Low CVE-2018-16749 SUSE bug 1108282 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.7-29 and earlier, a memory leak in the formatIPTCfromBuffer function in coders/meta.c was found. Low CVE-2018-16750 SUSE bug 1108283 SUSE Linux Enterprise Server 11 SP3-TERADATA A heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. When closing and cleaning up an 'easy' handle in the `Curl_close()` function, the library code first frees a struct (without nulling the pointer) and might then subsequently erroneously write to a struct field within that already freed struct. Moderate CVE-2018-16840 SUSE bug 1112758 SUSE bug 1113029 SUSE bug 1122464 SUSE Linux Enterprise Server 11 SP3-TERADATA Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service. Moderate CVE-2018-16842 SUSE bug 1113660 SUSE bug 1122464 SUSE Linux Enterprise Server 11 SP3-TERADATA The Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 allows XSS via the body of a "Transfer-Encoding: chunked" request, because the bucket brigade is mishandled in the php_handler function in sapi/apache2handler/sapi_apache2.c. Moderate CVE-2018-17082 SUSE bug 1108753 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in LibTIFF 4.0.9. There is a int32 overflow in multiply_ms in tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly have unspecified other impact via a crafted image file. Low CVE-2018-17100 SUSE bug 1108637 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in LibTIFF 4.0.9. There are two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/pal2rgb.c, which can cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image file. Low CVE-2018-17101 SUSE bug 1108627 SUSE Linux Enterprise Server 11 SP3-TERADATA The matchCurrentInput function inside lou_translateString.c of Liblouis prior to 3.7 does not check the input string's length, allowing attackers to cause a denial of service (application crash via out-of-bounds read) by crafting an input file with certain translation dictionaries. Low CVE-2018-17294 SUSE bug 1109319 SUSE Linux Enterprise Server 11 SP3-TERADATA The function t2p_write_pdf in tiff2pdf.c in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, a similar issue to CVE-2017-9935. Moderate CVE-2018-17795 SUSE bug 1046077 SUSE bug 1110358 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Qemu has a Buffer Overflow in rtl8139_do_receive in hw/net/rtl8139.c because an incorrect integer data type is used. Moderate CVE-2018-17958 SUSE bug 1111006 SUSE bug 1111007 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Qemu has a Buffer Overflow in pcnet_receive in hw/net/pcnet.c because an incorrect integer data type is used. Moderate CVE-2018-17962 SUSE bug 1111010 SUSE bug 1111011 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA qemu_deliver_packet_iov in net/net.c in Qemu accepts packet sizes greater than INT_MAX, which allows attackers to cause a denial of service or possibly have unspecified other impact. Moderate CVE-2018-17963 SUSE bug 1111013 SUSE bug 1111014 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick 7.0.7-28 has a memory leak vulnerability in WriteSGIImage in coders/sgi.c. Low CVE-2018-17965 SUSE bug 1110747 SUSE bug 1117463 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick 7.0.7-28 has a memory leak vulnerability in WritePDBImage in coders/pdb.c. Low CVE-2018-17966 SUSE bug 1110746 SUSE bug 1117463 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in the proc_pid_stack function in fs/proc/base.c in the Linux kernel through 4.18.11. It does not ensure that only root may inspect the kernel stack of an arbitrary task, allowing a local attacker to exploit racy stack unwinding and leak kernel task stack contents. Low CVE-2018-17972 SUSE bug 1110785 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick 7.0.7-28 has a memory leak vulnerability in WritePCXImage in coders/pcx.c. Low CVE-2018-18016 SUSE bug 1111072 SUSE bug 1117463 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.8-13 Q16, there is an infinite loop in the ReadBMPImage function of the coders/bmp.c file. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted bmp file. Low CVE-2018-18024 SUSE bug 1111069 SUSE bug 1117463 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Since Linux kernel version 3.2, the mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused. This is fixed in the following kernel versions: 4.9.135, 4.14.78, 4.18.16, 4.19. Moderate CVE-2018-18281 SUSE bug 1113769 SUSE Linux Enterprise Server 11 SP3-TERADATA An invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl in elfutils through v0.174. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by consider_notes. Low CVE-2018-18310 SUSE bug 1111973 SUSE Linux Enterprise Server 11 SP3-TERADATA Info-ZIP UnZip 6.0 has a buffer overflow in list.c, when a ZIP archive has a crafted relationship between the compressed-size value and the uncompressed-size value, because a buffer size is 10 and is supposed to be 12. Low CVE-2018-18384 SUSE bug 1110194 SUSE bug 1148898 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA drivers/tty/n_tty.c in the Linux kernel before 4.14.11 allows local attackers (who are able to access pseudo terminals) to hang/block further usage of any pseudo terminal devices due to an EXTPROC versus ICANON confusion in TIOCINQ. Moderate CVE-2018-18386 SUSE bug 1094825 SUSE bug 1112039 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Qemu has integer overflows because IOReadHandler and its associated functions use a signed integer data type for a size value. Moderate CVE-2018-18438 SUSE bug 1112185 SUSE bug 1112188 SUSE Linux Enterprise Server 11 SP3-TERADATA An Invalid Memory Address Dereference exists in the function elf_end in libelf in elfutils through v0.174. Although eu-size is intended to support ar files inside ar files, handle_ar in size.c closes the outer ar file before handling all inner entries. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file. Low CVE-2018-18520 SUSE bug 1112726 SUSE Linux Enterprise Server 11 SP3-TERADATA Divide-by-zero vulnerabilities in the function arlib_add_symbols() in arlib.c in elfutils 0.174 allow remote attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by eu-ranlib, because a zero sh_entsize is mishandled. Low CVE-2018-18521 SUSE bug 1112723 SUSE Linux Enterprise Server 11 SP3-TERADATA There is a memory leak in the function WriteMSLImage of coders/msl.c in ImageMagick 7.0.8-13 Q16, and the function ProcessMSLScript of coders/msl.c in GraphicsMagick before 1.3.31. Moderate CVE-2018-18544 SUSE bug 1113064 SUSE Linux Enterprise Server 11 SP3-TERADATA In mspack/cab.h in libmspack before 0.8alpha and cabextract before 1.8, the CAB block input buffer is one byte too small for the maximal Quantum block, leading to an out-of-bounds write. Moderate CVE-2018-18584 SUSE bug 1113038 SUSE bug 1113039 SUSE Linux Enterprise Server 11 SP3-TERADATA chmd_read_headers in mspack/chmd.c in libmspack before 0.8alpha accepts a filename that has '\0' as its first or second character (such as the "/\0" name). Low CVE-2018-18585 SUSE bug 1113038 SUSE bug 1113039 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in LibTIFF 4.0.9. There is a NULL pointer dereference in the function LZWDecode in the file tif_lzw.c. Low CVE-2018-18661 SUSE bug 1113672 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in the Linux kernel through 4.19. An information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 and CVE-2018-16658. Moderate CVE-2018-18710 SUSE bug 1113751 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA In Qemu 3.0.0, lsi_do_msgin in hw/scsi/lsi53c895a.c allows out-of-bounds access by triggering an invalid msg_len value. Moderate CVE-2018-18849 SUSE bug 1114422 SUSE bug 1114423 SUSE Linux Enterprise Server 11 SP3-TERADATA Squid before 4.4 has XSS via a crafted X.509 certificate during HTTP(S) error page generation for certificate errors. Important CVE-2018-19131 SUSE bug 1113668 SUSE Linux Enterprise Server 11 SP3-TERADATA hw/9pfs/cofile.c and hw/9pfs/9p.c in QEMU can modify an fid path while it is being accessed by a second thread, leading to (for example) a use-after-free outcome. Moderate CVE-2018-19364 SUSE bug 1116717 SUSE bug 1116726 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The vcpu_scan_ioapic function in arch/x86/kvm/x86.c in the Linux kernel through 4.19.2 allows local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where ioapic is uninitialized. Moderate CVE-2018-19407 SUSE bug 1116841 SUSE Linux Enterprise Server 11 SP3-TERADATA v9fs_wstat in hw/9pfs/9p.c in QEMU allows guest OS users to cause a denial of service (crash) because of a race condition during file renaming. Low CVE-2018-19489 SUSE bug 1117275 SUSE bug 1117279 SUSE Linux Enterprise Server 11 SP3-TERADATA University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open() in PHP and other products, launches an rsh command (by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in osdep/unix/tcp_unix.c) without preventing argument injection, which might allow remote attackers to execute arbitrary OS commands if the IMAP server name is untrusted input (e.g., entered by a user of a web application) and if rsh has been replaced by a program with different argument semantics. For example, if rsh is a link to ssh (as seen on Debian and Ubuntu systems), then the attack can use an IMAP server name containing a "-oProxyCommand" argument. Important CVE-2018-19518 SUSE bug 1117107 SUSE Linux Enterprise Server 11 SP3-TERADATA Supportutils, before version 3.1-5.7.1, when run with command line argument -A searched the file system for a ndspath binary. If an attacker provides one at an arbitrary location it is executed with root privileges Important CVE-2018-19636 SUSE bug 1063385 SUSE bug 1117751 SUSE Linux Enterprise Server 11 SP3-TERADATA In supportutils, before version 3.1-5.7.1 and if pacemaker is installed on the system, an unprivileged user could have overwritten arbitrary files in the directory that is used by supportutils to collect the log files. Low CVE-2018-19638 SUSE bug 1063385 SUSE bug 1118460 SUSE bug 1118462 SUSE bug 1118463 SUSE Linux Enterprise Server 11 SP3-TERADATA If supportutils before version 3.1-5.7.1 is run with -v to perform rpm verification and the attacker manages to manipulate the rpm listing (e.g. with CVE-2018-19638) he can execute arbitrary commands as root. Important CVE-2018-19639 SUSE bug 1063385 SUSE bug 1118460 SUSE bug 1118462 SUSE Linux Enterprise Server 11 SP3-TERADATA If the attacker manages to create files in the directory used to collect log files in supportutils before version 3.1-5.7.1 (e.g. with CVE-2018-19638) he can kill arbitrary processes on the local machine. Moderate CVE-2018-19640 SUSE bug 1063385 SUSE bug 1118463 SUSE Linux Enterprise Server 11 SP3-TERADATA The Bluetooth subsystem in QEMU mishandles negative values for length variables, leading to memory corruption. Moderate CVE-2018-19665 SUSE bug 1117749 SUSE bug 1117756 SUSE Linux Enterprise Server 11 SP3-TERADATA There is a heap-based buffer over-read at wav.c in wav_write_header in libsndfile 1.0.28 that will cause a denial of service. Moderate CVE-2018-19758 SUSE bug 1117954 SUSE bug 1125575 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA In the Linux kernel through 4.19.6, a local user could exploit a use-after-free in the ALSA driver by supplying a malicious USB Sound device (with zero interfaces) that is mishandled in usb_audio_probe in sound/usb/card.c. Moderate CVE-2018-19824 SUSE bug 1118152 SUSE Linux Enterprise Server 11 SP3-TERADATA The function WavpackPackInit in pack_utils.c in libwavpack.a in WavPack through 5.1.0 allows attackers to cause a denial-of-service (resource exhaustion caused by an infinite loop) via a crafted wav audio file because WavpackSetConfiguration64 mishandles a sample rate of zero. Low CVE-2018-19840 SUSE bug 1120930 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in Xen through 4.11.x on AMD x86 platforms, possibly allowing guest OS users to gain host OS privileges because TLB flushes do not always occur after IOMMU mapping changes. Important CVE-2018-19961 SUSE bug 1115040 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in Xen through 4.11.x on AMD x86 platforms, possibly allowing guest OS users to gain host OS privileges because small IOMMU mappings are unsafely combined into larger ones. Important CVE-2018-19962 SUSE bug 1115040 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in Xen through 4.11.x allowing 64-bit PV guest OS users to cause a denial of service (host OS crash) because #GP[0] can occur after a non-canonical address is passed to the TLB flushing code. NOTE: this issue exists because of an incorrect CVE-2017-5754 (aka Meltdown) mitigation. Moderate CVE-2018-19965 SUSE bug 1115045 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service (host OS crash) or possibly gain host OS privileges because of an interpretation conflict for a union data structure associated with shadow paging. NOTE: this issue exists because of an incorrect fix for CVE-2017-15595. Moderate CVE-2018-19966 SUSE bug 1115047 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in Xen through 4.11.x on Intel x86 platforms allowing guest OS users to cause a denial of service (host OS hang) because Xen does not work around Intel's mishandling of certain HLE transactions associated with the KACQUIRE instruction prefix. Moderate CVE-2018-19967 SUSE bug 1114988 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The function hso_get_config_data in drivers/net/usb/hso.c in the Linux kernel through 4.19.8 reads if_num from the USB device (as a u8) and uses it to index a small array, resulting in an object out-of-bounds (OOB) read that potentially allows arbitrary read in the kernel address space. Moderate CVE-2018-19985 SUSE bug 1120743 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA LibVNC before commit a83439b9fbe0f03c48eb94ed05729cb016f8b72f contains multiple heap out-of-bound write vulnerabilities in VNC client code that can result remote code execution Important CVE-2018-20019 SUSE bug 1120118 SUSE bug 1123823 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA LibVNC before commit 7b1ef0ffc4815cab9a96c7278394152bdc89dc4d contains heap out-of-bound write vulnerability inside structure in VNC client code that can result remote code execution Important CVE-2018-20020 SUSE bug 1120116 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA LibVNC before commit c3115350eb8bb635d0fdb4dbbb0d0541f38ed19c contains a CWE-835: Infinite loop vulnerability in VNC client code. Vulnerability allows attacker to consume excessive amount of resources like CPU and RAM Moderate CVE-2018-20021 SUSE bug 1120122 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA LibVNC before 2f5b2ad1c6c99b1ac6482c95844a84d66bb52838 contains multiple weaknesses CWE-665: Improper Initialization vulnerability in VNC client code that allows attacker to read stack memory and can be abuse for information disclosure. Combined with another vulnerability, it can be used to leak stack memory layout and in bypassing ASLR Moderate CVE-2018-20022 SUSE bug 1120120 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA LibVNC before commit 4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7 contains null pointer dereference in VNC client code that can result DoS. Moderate CVE-2018-20024 SUSE bug 1120121 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in the Linux kernel before 4.19.9. The USB subsystem mishandles size checks during the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c. CVE-2018-20169 SUSE bug 1119714 SUSE Linux Enterprise Server 11 SP3-TERADATA SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries that occur after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases), aka Magellan. Moderate CVE-2018-20346 SUSE bug 1119687 SUSE bug 1120335 SUSE bug 1131576 SUSE bug 1131918 SUSE bug 1131919 SUSE bug 1148893 SUSE Linux Enterprise Server 11 SP3-TERADATA In coders/bmp.c in ImageMagick before 7.0.8-16, an input file can result in an infinite loop and hang, with high CPU and memory consumption. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted file. CVE-2018-20467 SUSE bug 1120381 SUSE Linux Enterprise Server 11 SP3-TERADATA In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the filename of . or an empty filename. The impact is modifying the permissions of the target directory on the client side. Important CVE-2018-20685 SUSE bug 1121571 SUSE bug 1123220 SUSE Linux Enterprise Server 11 SP3-TERADATA LibVNC before 0.9.12 contains multiple heap out-of-bounds write vulnerabilities in libvncclient/rfbproto.c. The fix for CVE-2018-20019 was incomplete. Important CVE-2018-20748 SUSE bug 1120118 SUSE bug 1123823 SUSE Linux Enterprise Server 11 SP3-TERADATA LibVNC before 0.9.12 contains a heap out-of-bounds write vulnerability in libvncserver/rfbserver.c. The fix for CVE-2018-15127 was incomplete. Critical CVE-2018-20749 SUSE bug 1120117 SUSE bug 1123828 SUSE bug 1123832 SUSE Linux Enterprise Server 11 SP3-TERADATA LibVNC through 0.9.12 contains a heap out-of-bounds write vulnerability in libvncserver/rfbserver.c. The fix for CVE-2018-15127 was incomplete. Critical CVE-2018-20750 SUSE bug 1120117 SUSE bug 1123832 SUSE Linux Enterprise Server 11 SP3-TERADATA In PHP before 5.6.39, 7.x before 7.0.33, 7.1.x before 7.1.25, and 7.2.x before 7.2.13, a buffer over-read in PHAR reading functions may allow an attacker to read allocated or unallocated memory past the actual data when trying to parse a .phar file. This is related to phar_parse_pharfile in ext/phar/phar.c. Moderate CVE-2018-20783 SUSE bug 1126713 SUSE bug 1127122 SUSE Linux Enterprise Server 11 SP3-TERADATA In QEMU 3.1.0, load_device_tree in device_tree.c calls the deprecated load_image function, which has a buffer overflow risk. Important CVE-2018-20815 SUSE bug 1118900 SUSE bug 1130675 SUSE bug 1130680 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in the Linux kernel before 4.20. There is a race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c, leading to a use-after-free. Moderate CVE-2018-20836 SUSE bug 1134395 SUSE Linux Enterprise Server 11 SP3-TERADATA In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks). Moderate CVE-2018-20843 SUSE bug 1139937 SUSE Linux Enterprise Server 11 SP3-TERADATA http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3. Moderate CVE-2018-20852 SUSE bug 1141853 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in fs/xfs/xfs_super.c in the Linux kernel before 4.18. A use after free exists, related to xfs_fs_fill_super failure. Moderate CVE-2018-20976 SUSE bug 1146285 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server : Partition). Supported versions that are affected are 5.5.58 and prior, 5.6.38 and prior and 5.7.19 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H). Important CVE-2018-2562 SUSE bug 1076369 SUSE bug 1078431 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151; JRockit: R28.3.16. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded, JRockit accessible data. Note: This vulnerability applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N). Moderate CVE-2018-2579 SUSE bug 1076366 SUSE bug 1082810 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 8u152 and 9.0.1; Java SE Embedded: 8u151. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 6.5 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N). Moderate CVE-2018-2582 SUSE bug 1076366 SUSE bug 1082810 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: LDAP). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151; JRockit: R28.3.16. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded, JRockit accessible data. Note: This vulnerability applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). Moderate CVE-2018-2588 SUSE bug 1076366 SUSE bug 1082810 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JNDI). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151; JRockit: R28.3.16. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded, JRockit accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 4.8 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L). Moderate CVE-2018-2599 SUSE bug 1076366 SUSE bug 1082810 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: I18n). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Java SE, Java SE Embedded executes to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 4.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L). Moderate CVE-2018-2602 SUSE bug 1076366 SUSE bug 1082810 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151; JRockit: R28.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). Moderate CVE-2018-2603 SUSE bug 1076366 SUSE bug 1082810 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JCE). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151; JRockit: R28.3.16. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE, Java SE Embedded, JRockit accessible data. Note: This vulnerability applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). Moderate CVE-2018-2618 SUSE bug 1076366 SUSE bug 1082810 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.5.58 and prior, 5.6.38 and prior and 5.7.20 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). Moderate CVE-2018-2622 SUSE bug 1076369 SUSE bug 1078431 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JNDI). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151; JRockit: R28.3.16. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, JRockit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H). Important CVE-2018-2633 SUSE bug 1076366 SUSE bug 1082810 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: JGSS). Supported versions that are affected are Java SE: 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. While the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 6.8 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N). Moderate CVE-2018-2634 SUSE bug 1076366 SUSE bug 1082810 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JMX). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151; JRockit: R28.3.16. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded, JRockit accessible data as well as unauthorized access to critical data or complete access to all Java SE, Java SE Embedded, JRockit accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N). Important CVE-2018-2637 SUSE bug 1076366 SUSE bug 1082810 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.58 and prior, 5.6.38 and prior and 5.7.20 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). Moderate CVE-2018-2640 SUSE bug 1076369 SUSE bug 1078431 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: AWT). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 6.1 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N). Moderate CVE-2018-2641 SUSE bug 1076366 SUSE bug 1082810 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u171 and 7u161; JRockit: R28.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, JRockit. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). Moderate CVE-2018-2657 SUSE bug 1076366 SUSE bug 1082810 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151; JRockit: R28.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 4.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L). Moderate CVE-2018-2663 SUSE bug 1076366 SUSE bug 1082810 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.58 and prior, 5.6.38 and prior and 5.7.20 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). Moderate CVE-2018-2665 SUSE bug 1076369 SUSE bug 1078431 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.58 and prior, 5.6.38 and prior and 5.7.20 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). Moderate CVE-2018-2668 SUSE bug 1076369 SUSE bug 1078431 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: AWT). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 4.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L). Moderate CVE-2018-2677 SUSE bug 1076366 SUSE bug 1082810 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JNDI). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151; JRockit: R28.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 4.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L). Moderate CVE-2018-2678 SUSE bug 1076366 SUSE bug 1082810 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H). Important CVE-2018-2755 SUSE bug 1089987 SUSE bug 1090518 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H). Moderate CVE-2018-2761 SUSE bug 1089987 SUSE bug 1090518 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Locking). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H). Moderate CVE-2018-2771 SUSE bug 1089987 SUSE bug 1090518 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H). Moderate CVE-2018-2773 SUSE bug 1089987 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). Moderate CVE-2018-2781 SUSE bug 1089987 SUSE bug 1090518 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u181, 7u161 and 8u152; Java SE Embedded: 8u152; JRockit: R28.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded, JRockit accessible data as well as unauthorized access to critical data or complete access to all Java SE, Java SE Embedded, JRockit accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N). Important CVE-2018-2783 SUSE bug 1090022 SUSE bug 1093311 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N). Moderate CVE-2018-2790 SUSE bug 1090023 SUSE bug 1093311 SUSE bug 1101637 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, JRockit component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162, 10 and JRockit: R28.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Java SE, JRockit executes to compromise Java SE, JRockit. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, JRockit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H). Important CVE-2018-2794 SUSE bug 1090024 SUSE bug 1093311 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). Moderate CVE-2018-2795 SUSE bug 1090025 SUSE bug 1093311 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Concurrency). Supported versions that are affected are Java SE: 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). Moderate CVE-2018-2796 SUSE bug 1090026 SUSE bug 1093311 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JMX). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). Moderate CVE-2018-2797 SUSE bug 1090027 SUSE bug 1093311 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: AWT). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). Moderate CVE-2018-2798 SUSE bug 1090028 SUSE bug 1093311 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JAXP). Supported versions that are affected are Java SE: 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). Moderate CVE-2018-2799 SUSE bug 1090029 SUSE bug 1093311 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, JRockit component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 6u181, 7u171 and 8u162; JRockit: R28.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, JRockit accessible data as well as unauthorized read access to a subset of Java SE, JRockit accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 4.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N). Moderate CVE-2018-2800 SUSE bug 1090030 SUSE bug 1093311 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). Moderate CVE-2018-2813 SUSE bug 1089987 SUSE bug 1090518 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H). Important CVE-2018-2814 SUSE bug 1090032 SUSE bug 1093311 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). Moderate CVE-2018-2817 SUSE bug 1089987 SUSE bug 1090518 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server : Security : Privileges). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). Moderate CVE-2018-2818 SUSE bug 1089987 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). Moderate CVE-2018-2819 SUSE bug 1089987 SUSE bug 1090518 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 6u191, 7u181, 8u172 and 10.0.1; Java SE Embedded: 8u171. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N). Moderate CVE-2018-2940 SUSE bug 1101645 SUSE bug 1101656 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Concurrency). Supported versions that are affected are Java SE: 6u191, 7u181, 8u172 and 10.0.1; Java SE Embedded: 8u171; JRockit: R28.3.18. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). CVE-2018-2952 SUSE bug 1101645 SUSE bug 1101651 SUSE bug 1101656 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: JSSE). Supported versions that are affected are Java SE: 6u191, 7u181, 8u172 and 10.0.1; Java SE Embedded: 8u171. Difficult to exploit vulnerability allows unauthenticated attacker with network access via SSL/TLS to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N). Moderate CVE-2018-2973 SUSE bug 1101645 SUSE bug 1101656 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: MyISAM). Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior and 5.7.22 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N). Moderate CVE-2018-3058 SUSE bug 1101676 SUSE bug 1116686 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.5.60 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). Moderate CVE-2018-3063 SUSE bug 1101677 SUSE bug 1116686 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Options). Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior and 5.7.22 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 3.3 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N). Low CVE-2018-3066 SUSE bug 1101678 SUSE bug 1116686 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior and 5.7.22 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). Moderate CVE-2018-3070 SUSE bug 1101679 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the MySQL Client component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client as well as unauthorized update, insert or delete access to some of MySQL Client accessible data. CVSS 3.0 Base Score 5.0 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H). Moderate CVE-2018-3081 SUSE bug 1101680 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). Moderate CVE-2018-3133 SUSE bug 1112369 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g. code installed by an administrator). CVSS 3.0 Base Score 3.4 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N). Moderate CVE-2018-3136 SUSE bug 1112142 SUSE bug 1112143 SUSE bug 1112144 SUSE bug 1112146 SUSE bug 1112148 SUSE bug 1112152 SUSE bug 1116574 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g. code installed by an administrator). CVSS 3.0 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N). Moderate CVE-2018-3139 SUSE bug 1112142 SUSE bug 1112143 SUSE bug 1112144 SUSE bug 1112146 SUSE bug 1112148 SUSE bug 1112152 SUSE bug 1116574 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JNDI). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181; JRockit: R28.3.19. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, JRockit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g. through a web service which supplies data to the APIs. CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H). Important CVE-2018-3149 SUSE bug 1112142 SUSE bug 1112143 SUSE bug 1112144 SUSE bug 1112146 SUSE bug 1112148 SUSE bug 1112152 SUSE bug 1116574 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 7u191, 8u182 and 11; Java SE Embedded: 8u181. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g. code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H). Important CVE-2018-3169 SUSE bug 1112142 SUSE bug 1112143 SUSE bug 1112144 SUSE bug 1112146 SUSE bug 1112148 SUSE bug 1112152 SUSE bug 1116574 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. While the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H). Moderate CVE-2018-3174 SUSE bug 1112368 SUSE bug 1116686 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JSSE). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181; JRockit: R28.3.19. Difficult to exploit vulnerability allows unauthenticated attacker with network access via SSL/TLS to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded, JRockit accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded, JRockit accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g. through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L). Moderate CVE-2018-3180 SUSE bug 1112142 SUSE bug 1112143 SUSE bug 1112144 SUSE bug 1112146 SUSE bug 1112147 SUSE bug 1112148 SUSE bug 1112152 SUSE bug 1116574 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Sound). Supported versions that are affected are Java SE: 6u201, 7u191 and 8u182; Java SE Embedded: 8u181; JRockit: R28.3.19. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g. through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). Moderate CVE-2018-3214 SUSE bug 1112142 SUSE bug 1112143 SUSE bug 1112144 SUSE bug 1112146 SUSE bug 1112148 SUSE bug 1112152 SUSE bug 1116574 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Storage Engines). Supported versions that are affected are 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). Moderate CVE-2018-3282 SUSE bug 1112432 SUSE bug 1116686 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and a side-channel analysis. Moderate CVE-2018-3620 SUSE bug 1087078 SUSE bug 1087081 SUSE bug 1089343 SUSE bug 1090340 SUSE bug 1091107 SUSE bug 1099306 SUSE bug 1104894 SUSE bug 1106631 SUSE bug 1111368 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4. Moderate CVE-2018-3639 SUSE bug 0 SUSE bug 1074701 SUSE bug 1085235 SUSE bug 1085308 SUSE bug 1087078 SUSE bug 1087082 SUSE bug 1094912 SUSE bug 1100394 SUSE bug 1102640 SUSE bug 1105412 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Systems with microprocessors utilizing speculative execution and that perform speculative reads of system registers may allow unauthorized disclosure of system parameters to an attacker with local user access via a side-channel analysis, aka Rogue System Register Read (RSRE), Variant 3a. Moderate CVE-2018-3640 SUSE bug 0 SUSE bug 1074701 SUSE bug 1087078 SUSE bug 1087083 SUSE bug 1094912 SUSE bug 1100394 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis. Moderate CVE-2018-3646 SUSE bug 1087078 SUSE bug 1087081 SUSE bug 1089343 SUSE bug 1091107 SUSE bug 1099306 SUSE bug 1104365 SUSE bug 1104894 SUSE bug 1106548 SUSE bug 1113534 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA System software utilizing Lazy FP state restore technique on systems using Intel Core-based microprocessors may potentially allow a local process to infer data from another process through a speculative execution side channel. Moderate CVE-2018-3665 SUSE bug 1087078 SUSE bug 1087082 SUSE bug 1087086 SUSE bug 1090338 SUSE bug 1095241 SUSE bug 1095242 SUSE bug 1096740 SUSE bug 1100091 SUSE bug 1100555 SUSE Linux Enterprise Server 11 SP3-TERADATA In macOS High Sierra before 10.13.5, an issue existed in CUPS. This issue was addressed with improved access restrictions. Important CVE-2018-4180 SUSE bug 1096405 SUSE bug 1096408 SUSE Linux Enterprise Server 11 SP3-TERADATA In macOS High Sierra before 10.13.5, an issue existed in CUPS. This issue was addressed with improved access restrictions. Moderate CVE-2018-4181 SUSE bug 1096406 SUSE bug 1096408 SUSE Linux Enterprise Server 11 SP3-TERADATA In macOS High Sierra before 10.13.5, an access issue was addressed with additional sandbox restrictions on CUPS. Moderate CVE-2018-4182 SUSE bug 1096407 SUSE bug 1096408 SUSE Linux Enterprise Server 11 SP3-TERADATA In macOS High Sierra before 10.13.5, an access issue was addressed with additional sandbox restrictions. Moderate CVE-2018-4183 SUSE bug 1096407 SUSE bug 1096408 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Memory safety bugs were reported in Firefox 57 and Firefox ESR 52.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 52.6, Firefox ESR < 52.6, and Firefox < 58. Important CVE-2018-5089 SUSE bug 1077291 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A use-after-free vulnerability can occur during WebRTC connections when interacting with the DTMF timers. This results in a potentially exploitable crash. This vulnerability affects Firefox ESR < 52.6 and Firefox < 58. Important CVE-2018-5091 SUSE bug 1077291 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An integer overflow vulnerability in the Skia library when allocating memory for edge builders on some systems with at least 8 GB of RAM. This results in the use of uninitialized memory, resulting in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.6, Firefox ESR < 52.6, and Firefox < 58. Important CVE-2018-5095 SUSE bug 1077291 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A use-after-free vulnerability can occur while editing events in form elements on a page, resulting in a potentially exploitable crash. This vulnerability affects Firefox ESR < 52.6 and Thunderbird < 52.6. Important CVE-2018-5096 SUSE bug 1077291 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A use-after-free vulnerability can occur during XSL transformations when the source document for the transformation is manipulated by script content during the transformation. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.6, Firefox ESR < 52.6, and Firefox < 58. Important CVE-2018-5097 SUSE bug 1077291 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A use-after-free vulnerability can occur when form input elements, focus, and selections are manipulated by script content. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.6, Firefox ESR < 52.6, and Firefox < 58. Important CVE-2018-5098 SUSE bug 1077291 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A use-after-free vulnerability can occur when the widget listener is holding strong references to browser objects that have previously been freed, resulting in a potentially exploitable crash when these references are used. This vulnerability affects Thunderbird < 52.6, Firefox ESR < 52.6, and Firefox < 58. Important CVE-2018-5099 SUSE bug 1077291 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A use-after-free vulnerability can occur when manipulating HTML media elements with media streams, resulting in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.6, Firefox ESR < 52.6, and Firefox < 58. Important CVE-2018-5102 SUSE bug 1077291 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A use-after-free vulnerability can occur during mouse event handling due to issues with multiprocess support. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.6, Firefox ESR < 52.6, and Firefox < 58. Important CVE-2018-5103 SUSE bug 1077291 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A use-after-free vulnerability can occur during font face manipulation when a font face is freed while still in use, resulting in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.6, Firefox ESR < 52.6, and Firefox < 58. Important CVE-2018-5104 SUSE bug 1077291 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA If right-to-left text is used in the addressbar with left-to-right alignment, it is possible in some circumstances to scroll this text to spoof the displayed URL. This issue could result in the wrong URL being displayed as a location, which can mislead users to believe they are on a different site than the one loaded. This vulnerability affects Thunderbird < 52.6, Firefox ESR < 52.6, and Firefox < 58. Moderate CVE-2018-5117 SUSE bug 1077291 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Memory safety bugs were reported in Firefox 58 and Firefox ESR 52.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 52.7, Firefox ESR < 52.7, and Firefox < 59. Important CVE-2018-5125 SUSE bug 1085130 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A buffer overflow can occur when manipulating the SVG "animatedPathSegList" through script. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.7, Firefox ESR < 52.7, and Firefox < 59. Important CVE-2018-5127 SUSE bug 1085130 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A lack of parameter validation on IPC messages results in a potential out-of-bounds write through malformed IPC messages. This can potentially allow for sandbox escape through memory corruption in the parent process. This vulnerability affects Thunderbird < 52.7, Firefox ESR < 52.7, and Firefox < 59. Important CVE-2018-5129 SUSE bug 1085130 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA When packets with a mismatched RTP payload type are sent in WebRTC connections, in some circumstances a potentially exploitable crash is triggered. This vulnerability affects Firefox ESR < 52.7 and Firefox < 59. Important CVE-2018-5130 SUSE bug 1085130 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Under certain circumstances the "fetch()" API can return transient local copies of resources that were sent with a "no-store" or "no-cache" cache header instead of downloading a copy from the network as it should. This can result in previously stored, locally cached data of a website being accessible to users if they share a common profile while browsing. This vulnerability affects Firefox ESR < 52.7 and Firefox < 59. Moderate CVE-2018-5131 SUSE bug 1085130 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An integer overflow can occur during conversion of text to some Unicode character sets due to an unchecked length parameter. This vulnerability affects Firefox ESR < 52.7 and Thunderbird < 52.7. Moderate CVE-2018-5144 SUSE bug 1085130 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Memory safety bugs were reported in Firefox ESR 52.6. These bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox ESR < 52.7 and Thunderbird < 52.7. Important CVE-2018-5145 SUSE bug 1085130 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An out of bounds memory write while processing Vorbis audio data was reported through the Pwn2Own contest. This vulnerability affects Firefox < 59.0.1, Firefox ESR < 52.7.2, and Thunderbird < 52.7. Important CVE-2018-5146 SUSE bug 1085671 SUSE bug 1085687 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The libtremor library has the same flaw as CVE-2018-5146. This library is used by Firefox in place of libvorbis on Android and ARM platforms. This vulnerability affects Firefox ESR < 52.7.2 and Firefox < 59.0.1. Important CVE-2018-5147 SUSE bug 1085671 SUSE bug 1085687 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A use-after-free vulnerability can occur in the compositor during certain graphics operations when a raw pointer is used instead of a reference counted one. This results in a potentially exploitable crash. This vulnerability affects Firefox ESR < 52.7.3 and Firefox < 59.0.2. Important CVE-2018-5148 SUSE bug 1087059 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Memory safety bugs were reported in Firefox 59, Firefox ESR 52.7, and Thunderbird 52.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 52.8, Thunderbird ESR < 52.8, Firefox < 60, and Firefox ESR < 52.8. Important CVE-2018-5150 SUSE bug 1092548 SUSE bug 1092611 SUSE bug 1093969 SUSE bug 1093970 SUSE bug 1093971 SUSE bug 1093972 SUSE bug 1093973 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A use-after-free vulnerability can occur while enumerating attributes during SVG animations with clip paths. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.8, Thunderbird ESR < 52.8, Firefox < 60, and Firefox ESR < 52.8. Important CVE-2018-5154 SUSE bug 1092548 SUSE bug 1092611 SUSE bug 1093969 SUSE bug 1093970 SUSE bug 1093971 SUSE bug 1093972 SUSE bug 1093973 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A use-after-free vulnerability can occur while adjusting layout during SVG animations with text paths. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.8, Thunderbird ESR < 52.8, Firefox < 60, and Firefox ESR < 52.8. Important CVE-2018-5155 SUSE bug 1092548 SUSE bug 1092611 SUSE bug 1093969 SUSE bug 1093970 SUSE bug 1093971 SUSE bug 1093972 SUSE bug 1093973 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A vulnerability can occur when capturing a media stream when the media source type is changed as the capture is occurring. This can result in stream data being cast to the wrong type causing a potentially exploitable crash. This vulnerability affects Thunderbird < 60, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61. Important CVE-2018-5156 SUSE bug 1098998 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Same-origin protections for the PDF viewer can be bypassed, allowing a malicious site to intercept messages meant for the viewer. This could allow the site to retrieve PDF files restricted to viewing by an authenticated user on a third-party website. This vulnerability affects Firefox ESR < 52.8 and Firefox < 60. Important CVE-2018-5157 SUSE bug 1092548 SUSE bug 1092611 SUSE bug 1093969 SUSE bug 1093970 SUSE bug 1093971 SUSE bug 1093972 SUSE bug 1093973 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The PDF viewer does not sufficiently sanitize PostScript calculator functions, allowing malicious JavaScript to be injected through a crafted PDF file. This JavaScript can then be run with the permissions of the PDF viewer by its worker. This vulnerability affects Firefox ESR < 52.8 and Firefox < 60. Important CVE-2018-5158 SUSE bug 1092548 SUSE bug 1092611 SUSE bug 1093969 SUSE bug 1093970 SUSE bug 1093971 SUSE bug 1093972 SUSE bug 1093973 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An integer overflow can occur in the Skia library due to 32-bit integer use in an array without integer overflow checks, resulting in possible out-of-bounds writes. This could lead to a potentially exploitable crash triggerable by web content. This vulnerability affects Thunderbird < 52.8, Thunderbird ESR < 52.8, Firefox < 60, and Firefox ESR < 52.8. Important CVE-2018-5159 SUSE bug 1092548 SUSE bug 1092611 SUSE bug 1093969 SUSE bug 1093970 SUSE bug 1093971 SUSE bug 1093972 SUSE bug 1093973 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Sites can bypass security checks on permissions to install lightweight themes by manipulating the "baseURI" property of the theme element. This could allow a malicious site to install a theme without user interaction which could contain offensive or embarrassing images. This vulnerability affects Thunderbird < 52.8, Thunderbird ESR < 52.8, Firefox < 60, and Firefox ESR < 52.8. Important CVE-2018-5168 SUSE bug 1092548 SUSE bug 1092611 SUSE bug 1093969 SUSE bug 1093970 SUSE bug 1093971 SUSE bug 1093972 SUSE bug 1093973 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA In the Windows 10 April 2018 Update, Windows Defender SmartScreen honors the "SEE_MASK_FLAG_NO_UI" flag associated with downloaded files and will not show any UI. Files that are unknown and potentially dangerous will be allowed to run because SmartScreen will not prompt the user for a decision, and if the user is offline all files will be allowed to be opened because Windows won't prompt the user to ask what to do. Firefox incorrectly sets this flag when downloading files, leading to less secure behavior from SmartScreen. Note: this issue only affects Windows 10 users running the April 2018 update or later. It does not affect other Windows users or other operating systems. This vulnerability affects Thunderbird < 52.8, Thunderbird ESR < 52.8, Firefox < 60, and Firefox ESR < 52.8. Important CVE-2018-5174 SUSE bug 1092548 SUSE bug 1092611 SUSE bug 1093969 SUSE bug 1093970 SUSE bug 1093971 SUSE bug 1093972 SUSE bug 1093973 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A buffer overflow was found during UTF8 to Unicode string conversion within JavaScript with extremely large amounts of data. This vulnerability requires the use of a malicious or vulnerable legacy extension in order to occur. This vulnerability affects Thunderbird ESR < 52.8, Thunderbird < 52.8, and Firefox ESR < 52.8. Important CVE-2018-5178 SUSE bug 1092548 SUSE bug 1092611 SUSE bug 1093969 SUSE bug 1093970 SUSE bug 1093971 SUSE bug 1093972 SUSE bug 1093973 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Mozilla developers backported selected changes in the Skia library. These changes correct memory corruption issues including invalid buffer reads and writes during graphic operations. This vulnerability affects Thunderbird ESR < 52.8, Thunderbird < 52.8, and Firefox ESR < 52.8. Important CVE-2018-5183 SUSE bug 1092548 SUSE bug 1092611 SUSE bug 1093969 SUSE bug 1093970 SUSE bug 1093971 SUSE bug 1093972 SUSE bug 1093973 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Memory safety bugs present in Firefox 60, Firefox ESR 60, and Firefox ESR 52.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 60, Thunderbird < 52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61. Important CVE-2018-5188 SUSE bug 1098998 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.7-17 Q16, there are memory leaks in ReadPATTERNImage in coders/pattern.c. Moderate CVE-2018-5246 SUSE bug 1074973 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.7-17 Q16, there are memory leaks in ReadRLAImage in coders/rla.c. Moderate CVE-2018-5247 SUSE bug 1074969 SUSE bug 1074975 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA In the Linux kernel through 4.14.13, the rds_message_alloc_sgs() function does not validate a value that is used during DMA page allocation, leading to a heap-based out-of-bounds write (related to the rds_rdma_extra_size function in net/rds/rdma.c). Moderate CVE-2018-5332 SUSE bug 1075621 SUSE bug 1091815 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA In the Linux kernel through 4.14.13, the rds_cmsg_atomic function in net/rds/rdma.c mishandles cases where page pinning fails or an invalid address is supplied, leading to an rds_atomic_free_op NULL pointer dereference. Moderate CVE-2018-5333 SUSE bug 1075617 SUSE bug 1091815 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.4.0 to 2.4.3 and 2.2.0 to 2.2.11, the IxVeriWave file parser could crash. This was addressed in wiretap/vwr.c by correcting the signature timestamp bounds checks. Moderate CVE-2018-5334 SUSE bug 1075737 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.4.0 to 2.4.3 and 2.2.0 to 2.2.11, the WCP dissector could crash. This was addressed in epan/dissectors/packet-wcp.c by validating the available buffer length. Moderate CVE-2018-5335 SUSE bug 1075738 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.4.0 to 2.4.3 and 2.2.0 to 2.2.11, the JSON, XML, NTP, XMPP, and GDB dissectors could crash. This was addressed in epan/tvbparse.c by limiting the recursion depth. Moderate CVE-2018-5336 SUSE bug 1075739 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The Quagga BGP daemon (bgpd) prior to version 1.2.3 does not properly bounds check the data sent with a NOTIFY to a peer, if an attribute length is invalid. Arbitrary data from the bgpd process may be sent over the network to a peer and/or bgpd may crash. Moderate CVE-2018-5378 SUSE bug 1079798 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The Quagga BGP daemon (bgpd) prior to version 1.2.3 can double-free memory when processing certain forms of UPDATE message, containing cluster-list and/or unknown attributes. A successful attack could cause a denial of service or potentially allow an attacker to execute arbitrary code. Important CVE-2018-5379 SUSE bug 1079799 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The Quagga BGP daemon (bgpd) prior to version 1.2.3 can overrun internal BGP code-to-string conversion tables used for debug by 1 pointer value, based on input. Moderate CVE-2018-5380 SUSE bug 1079800 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The Quagga BGP daemon (bgpd) prior to version 1.2.3 has a bug in its parsing of "Capabilities" in BGP OPEN messages, in the bgp_packet.c:bgp_capability_msg_parse function. The parser can enter an infinite loop on invalid capabilities if a Multi-Protocol capability does not have a recognized AFI/SAFI, causing a denial of service. Moderate CVE-2018-5381 SUSE bug 1079801 SUSE Linux Enterprise Server 11 SP3-TERADATA Linux kernel versions 4.9+ can be forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet which can lead to a denial of service. Important CVE-2018-5390 SUSE bug 1087082 SUSE bug 1102340 SUSE bug 1102682 SUSE bug 1103097 SUSE bug 1144973 SUSE bug 1149475 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'. Moderate CVE-2018-5407 SUSE bug 1113534 SUSE bug 1116195 SUSE bug 1126909 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The vga_draw_text function in Qemu allows local OS guest privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) by leveraging improper memory address validation. Moderate CVE-2018-5683 SUSE bug 1076114 SUSE bug 1076116 SUSE Linux Enterprise Server 11 SP3-TERADATA In GraphicsMagick 1.3.27, there is an infinite loop and application hang in the ReadBMPImage function (coders/bmp.c). Remote attackers could leverage this vulnerability to cause a denial of service via an image file with a crafted bit-field mask value. Important CVE-2018-5685 SUSE bug 1075939 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1, has an integer signedness error that leads to an infinite loop via a crafted GIF file, as demonstrated by a call to the imagecreatefromgif or imagecreatefromstring PHP function. This is related to GetCode_ and gdImageCreateFromGifCtx. Moderate CVE-2018-5711 SUSE bug 1076391 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1. There is Reflected XSS on the PHAR 404 error page via the URI of a request for a .phar file. Moderate CVE-2018-5712 SUSE bug 1076220 SUSE bug 1076391 SUSE bug 1091362 SUSE Linux Enterprise Server 11 SP3-TERADATA MIT krb5 1.6 or later allows an authenticated kadmin with permission to add principals to an LDAP Kerberos database to cause a denial of service (NULL pointer dereference) or bypass a DN container check by supplying tagged data that is internal to the database module. Moderate CVE-2018-5729 SUSE bug 1076211 SUSE bug 1083926 SUSE bug 1122468 SUSE Linux Enterprise Server 11 SP3-TERADATA MIT krb5 1.6 or later allows an authenticated kadmin with permission to add principals to an LDAP Kerberos database to circumvent a DN containership check by supplying both a "linkdn" and "containerdn" database argument, or by supplying a DN string which is a left extension of a container DN string but is not hierarchically within the container DN. Moderate CVE-2018-5730 SUSE bug 1076211 SUSE bug 1083927 SUSE bug 1122468 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Important CVE-2018-5732 SUSE bug 1083302 SUSE bug 1085417 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A malicious client which is allowed to send very large amounts of traffic (billions of packets) to a DHCP server can eventually overflow a 32-bit reference counter, potentially causing dhcpd to crash. Affects ISC DHCP 4.1.0 -> 4.1-ESV-R15, 4.2.0 -> 4.2.8, 4.3.0 -> 4.3.6, 4.4.0. Moderate CVE-2018-5733 SUSE bug 1083303 SUSE bug 1085417 SUSE Linux Enterprise Server 11 SP3-TERADATA "deny-answer-aliases" is a little-used feature intended to help recursive server operators protect end users against DNS rebinding attacks, a potential method of circumventing the security model used by client browsers. However, a defect in this feature makes it easy, when the feature is in use, to experience an assertion failure in name.c. Affects BIND 9.7.0->9.8.8, 9.9.0->9.9.13, 9.10.0->9.10.8, 9.11.0->9.11.4, 9.12.0->9.12.2, 9.13.0->9.13.2. Important CVE-2018-5740 SUSE bug 1104129 SUSE bug 1148887 SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Important CVE-2018-5743 SUSE bug 1133185 SUSE bug 1148887 SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Moderate CVE-2018-5745 SUSE bug 1126068 SUSE bug 1148887 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA qemu/qemu_monitor.c in libvirt allows attackers to cause a denial of service (memory consumption) via a large QEMU reply. Low CVE-2018-5748 SUSE bug 1076500 SUSE bug 1083625 SUSE Linux Enterprise Server 11 SP3-TERADATA The parse_arguments function in options.c in rsyncd in rsync before 3.1.3 does not prevent multiple --protect-args uses, which allows remote attackers to bypass an argument-sanitization protection mechanism. Moderate CVE-2018-5764 SUSE bug 1076503 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA In the Linux Kernel before version 4.15.8, 4.14.25, 4.9.87, 4.4.121, 4.1.51, and 3.2.102, an error in the "_sctp_make_chunk()" function (net/sctp/sm_make_chunk.c) when handling SCTP packets length can be exploited to cause a kernel crash. Moderate CVE-2018-5803 SUSE bug 1083900 SUSE bug 1087082 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA In the Linux Kernel before version 4.16.11, 4.14.43, 4.9.102, and 4.4.133, multiple race condition errors when handling probe, disconnect, and rebind operations can be exploited to trigger a use-after-free condition or a NULL pointer dereference by sending multiple USB over IP packets. Moderate CVE-2018-5814 SUSE bug 1087082 SUSE bug 1096480 SUSE bug 1133319 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Cross-site scripting (XSS) vulnerability in the web UI in Mailman before 2.1.26 allows remote attackers to inject arbitrary web script or HTML via a user-options URL. Moderate CVE-2018-5950 SUSE bug 1077358 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A precision error in Skia in Google Chrome prior to 67.0.3396.62 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. Important CVE-2018-6126 SUSE bug 1095163 SUSE bug 1096449 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA LibVNC before commit ca2a5ac02fbbadd0a21fabba779c1ea69173d10b contains heap use-after-free vulnerability in server code of file transfer extension that can result remote code execution. Critical CVE-2018-6307 SUSE bug 1120115 SUSE Linux Enterprise Server 11 SP3-TERADATA In the ReadDCMImage function in coders/dcm.c in ImageMagick before 7.0.7-23, each redmap, greenmap, and bluemap variable can be overwritten by a new pointer. The previous pointer is lost, which leads to a memory leak. This allows remote attackers to cause a denial of service. Moderate CVE-2018-6405 SUSE bug 1078433 SUSE bug 1095726 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption. Moderate CVE-2018-6485 SUSE bug 1079036 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The malloc implementation in the GNU C Library (aka glibc or libc6), from version 2.24 to 2.26 on powerpc, and only in version 2.26 on i386, did not properly handle malloc calls with arguments close to SIZE_MAX and could return a pointer to a heap region that is smaller than requested, eventually leading to heap corruption. Moderate CVE-2018-6551 SUSE bug 1079036 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Memory leak in the irda_bind function in net/irda/af_irda.c and later in drivers/staging/irda/net/af_irda.c in the Linux kernel before 4.17 allows local users to cause a denial of service (memory consumption) by repeatedly binding an AF_IRDA socket. Low CVE-2018-6554 SUSE bug 1106509 SUSE bug 1106511 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The irda_setsockopt function in net/irda/af_irda.c and later in drivers/staging/irda/net/af_irda.c in the Linux kernel before 4.17 allows local users to cause a denial of service (ias_object use-after-free and system crash) or possibly have unspecified other impact via an AF_IRDA socket. Moderate CVE-2018-6555 SUSE bug 1106509 SUSE bug 1106511 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in Perl 5.22 through 5.26. Matching a crafted locale dependent regular expression can cause a heap-based buffer over-read and potentially information disclosure. Important CVE-2018-6798 SUSE bug 1082233 SUSE bug 1106717 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap-based buffer overflow in the pack function in Perl before 5.26.2 allows context-dependent attackers to execute arbitrary code via a large item count. Moderate CVE-2018-6913 SUSE bug 1082216 SUSE bug 1106717 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The futex_requeue function in kernel/futex.c in the Linux kernel before 4.14.15 might allow attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact by triggering a negative wake or requeue value. Moderate CVE-2018-6927 SUSE bug 1080757 SUSE bug 1091815 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA ntpd in ntp 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92 allows authenticated users that know the private symmetric key to create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim's clock via a Sybil attack. This issue exists because of an incomplete fix for CVE-2016-1549. Low CVE-2018-7170 SUSE bug 1082210 SUSE bug 1083424 SUSE bug 1098531 SUSE Linux Enterprise Server 11 SP3-TERADATA The ctl_getitem method in ntpd in ntp-4.2.8p6 before 4.2.8p11 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted mode 6 packet with a ntpd instance from 4.2.8p6 through 4.2.8p10. Moderate CVE-2018-7182 SUSE bug 1082210 SUSE bug 1083426 SUSE Linux Enterprise Server 11 SP3-TERADATA Buffer overflow in the decodearr function in ntpq in ntp 4.2.8p6 through 4.2.8p10 allows remote attackers to execute arbitrary code by leveraging an ntpq query and sending a response with a crafted array. Moderate CVE-2018-7183 SUSE bug 1082210 SUSE bug 1083417 SUSE Linux Enterprise Server 11 SP3-TERADATA ntpd in ntp 4.2.8p4 before 4.2.8p11 drops bad packets before updating the "received" timestamp, which allows remote attackers to cause a denial of service (disruption) by sending a packet with a zero-origin timestamp causing the association to reset and setting the contents of the packet as the most recent timestamp. This issue is a result of an incomplete fix for CVE-2015-7704. Low CVE-2018-7184 SUSE bug 1082210 SUSE bug 1083422 SUSE Linux Enterprise Server 11 SP3-TERADATA The protocol engine in ntp 4.2.6 before 4.2.8p11 allows a remote attackers to cause a denial of service (disruption) by continually sending a packet with a zero-origin timestamp and source IP address of the "other side" of an interleaved association causing the victim ntpd to reset its association. Low CVE-2018-7185 SUSE bug 1082210 SUSE bug 1083420 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in LibVNCServer through 0.9.11. rfbProcessClientNormalMessage() in rfbserver.c does not sanitize msg.cct.length, leading to access to uninitialized and potentially sensitive data or possibly unspecified other impact (e.g., an integer overflow) via specially crafted VNC packets. Important CVE-2018-7225 SUSE bug 1081493 SUSE bug 1090647 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, the SIGCOMP protocol dissector could crash. This was addressed in epan/dissectors/packet-sigcomp.c by validating operand offsets. Moderate CVE-2018-7320 SUSE bug 1082692 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/packet-thrift.c had a large loop that was addressed by not proceeding with dissection after encountering an unexpected type. Moderate CVE-2018-7321 SUSE bug 1082692 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/packet-dcm.c had an infinite loop that was addressed by checking for integer wraparound. Moderate CVE-2018-7322 SUSE bug 1082692 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/packet-wccp.c had a large loop that was addressed by ensuring that a calculated length was monotonically increasing. Moderate CVE-2018-7323 SUSE bug 1082692 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/packet-sccp.c had an infinite loop that was addressed by using a correct integer data type. Moderate CVE-2018-7324 SUSE bug 1082692 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/packet-rpki-rtr.c had an infinite loop that was addressed by validating a length field. Moderate CVE-2018-7325 SUSE bug 1082692 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/packet-lltd.c had an infinite loop that was addressed by using a correct integer data type. Moderate CVE-2018-7326 SUSE bug 1082692 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/packet-openflow_v6.c had an infinite loop that was addressed by validating property lengths. Moderate CVE-2018-7327 SUSE bug 1082692 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/packet-usb.c had an infinite loop that was addressed by rejecting short frame header lengths. Moderate CVE-2018-7328 SUSE bug 1082692 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/packet-s7comm.c had an infinite loop that was addressed by correcting off-by-one errors. Moderate CVE-2018-7329 SUSE bug 1082692 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/packet-thread.c had an infinite loop that was addressed by using a correct integer data type. Moderate CVE-2018-7330 SUSE bug 1082692 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/packet-ber.c had an infinite loop that was addressed by validating a length. Moderate CVE-2018-7331 SUSE bug 1082692 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/packet-reload.c had an infinite loop that was addressed by validating a length. Moderate CVE-2018-7332 SUSE bug 1082692 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/packet-rpcrdma.c had an infinite loop that was addressed by validating a chunk size. Moderate CVE-2018-7333 SUSE bug 1082692 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, the UMTS MAC dissector could crash. This was addressed in epan/dissectors/packet-umts_mac.c by rejecting a certain reserved value. Moderate CVE-2018-7334 SUSE bug 1082692 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, the IEEE 802.11 dissector could crash. This was addressed in epan/crypt/airpdcap.c by rejecting lengths that are too small. Moderate CVE-2018-7335 SUSE bug 1082692 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, the FCP protocol dissector could crash. This was addressed in epan/dissectors/packet-fcp.c by checking for a NULL pointer. Moderate CVE-2018-7336 SUSE bug 1082692 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.4.0 to 2.4.4, the DOCSIS protocol dissector could crash. This was addressed in plugins/docsis/packet-docsis.c by removing the recursive algorithm that had been used for concatenated PDUs. Moderate CVE-2018-7337 SUSE bug 1082692 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.2.0 to 2.2.12 and 2.4.0 to 2.4.4, the IPMI dissector could crash. This was addressed in epan/dissectors/packet-ipmi-picmg.c by adding support for crafted packets that lack an IPMI header. Moderate CVE-2018-7417 SUSE bug 1082692 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.2.0 to 2.2.12 and 2.4.0 to 2.4.4, the SIGCOMP dissector could crash. This was addressed in epan/dissectors/packet-sigcomp.c by correcting the extraction of the length value. Moderate CVE-2018-7418 SUSE bug 1082692 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.2.0 to 2.2.12 and 2.4.0 to 2.4.4, the NBAP dissector could crash. This was addressed in epan/dissectors/asn1/nbap/nbap.cnf by ensuring DCH ID initialization. Moderate CVE-2018-7419 SUSE bug 1082692 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.2.0 to 2.2.12 and 2.4.0 to 2.4.4, the pcapng file parser could crash. This was addressed in wiretap/pcapng.c by adding a block-size check for sysdig event blocks. Moderate CVE-2018-7420 SUSE bug 1082692 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.2.0 to 2.2.12 and 2.4.0 to 2.4.4, the DMP dissector could go into an infinite loop. This was addressed in epan/dissectors/packet-dmp.c by correctly supporting a bounded number of Security Categories for a DMP Security Classification. Moderate CVE-2018-7421 SUSE bug 1082692 SUSE Linux Enterprise Server 11 SP3-TERADATA The ReadTIFFImage function in coders/tiff.c in ImageMagick 7.0.7-23 Q16 does not properly validate the amount of image data in a file, which allows remote attackers to cause a denial of service (memory allocation failure in the AcquireMagickMemory function in MagickCore/memory.c). Low CVE-2018-7443 SUSE bug 1075944 SUSE bug 1082792 SUSE Linux Enterprise Server 11 SP3-TERADATA A NULL Pointer Dereference occurs in the function TIFFPrintDirectory in tif_print.c in LibTIFF 4.0.9 when using the tiffinfo tool to print crafted TIFF information, a different vulnerability than CVE-2017-18013. (This affects an earlier part of the TIFFPrintDirectory function that was not addressed by the CVE-2017-18013 patch.) Moderate CVE-2018-7456 SUSE bug 1074317 SUSE bug 1082825 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A NULL pointer dereference was found in the net/rds/rdma.c __rds_rdma_map() function in the Linux kernel before 4.14.7 allowing local attackers to cause a system panic and a denial-of-service, related to RDS_GET_MR and RDS_GET_MR_FOR_DEST. Moderate CVE-2018-7492 SUSE bug 1082962 SUSE Linux Enterprise Server 11 SP3-LTSS An issue was discovered in Xen through 4.10.x allowing x86 PV guest OS users to cause a denial of service (host OS CPU hang) via non-preemptable L3/L4 pagetable freeing. Moderate CVE-2018-7540 SUSE bug 1080635 SUSE Linux Enterprise Server 11 SP3-LTSS An issue was discovered in Xen through 4.10.x allowing guest OS users to cause a denial of service (hypervisor crash) or gain privileges by triggering a grant-table transition from v2 to v1. Important CVE-2018-7541 SUSE bug 1080662 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The load_multiboot function in hw/i386/multiboot.c in Quick Emulator (aka QEMU) allows local guest OS users to execute arbitrary code on the QEMU host via a mh_load_end_addr value greater than mh_bss_end_addr, which triggers an out-of-bounds read or write memory access. Important CVE-2018-7550 SUSE bug 1083291 SUSE bug 1083292 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA The Linux kernel 4.15 has a Buffer Overflow via an SNDRV_SEQ_IOCTL_SET_CLIENT_POOL ioctl write operation to /dev/snd/seq by a local user. Important CVE-2018-7566 SUSE bug 1083483 SUSE bug 1083488 SUSE bug 1087082 SUSE bug 1091815 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA In PHP through 5.6.33, 7.0.x before 7.0.28, 7.1.x through 7.1.14, and 7.2.x through 7.2.2, there is a stack-based buffer under-read while parsing an HTTP response in the php_stream_url_wrap_http_ex function in ext/standard/http_fopen_wrapper.c. This subsequently results in copying a large string. Moderate CVE-2018-7584 SUSE bug 1083639 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in Exempi through 2.4.4. A certain case of a 0xffffffff length is mishandled in XMPFiles/source/FormatSupport/PSIR_FileWriter.cpp, leading to a heap-based buffer over-read in the PSD_MetaHandler::CacheFileData() function. Low CVE-2018-7730 SUSE bug 1085295 SUSE bug 1085585 SUSE bug 1103718 SUSE Linux Enterprise Server 11 SP3-TERADATA transport.py in the SSH server implementation of Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5, 2.2.x before 2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1 does not properly check whether authentication is completed before processing other requests, as demonstrated by channel-open. A customized SSH client can simply skip the authentication step. Important CVE-2018-7750 SUSE bug 1085276 SUSE bug 1111151 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c in the Linux kernel through 4.15.7 allows local users to cause a denial of service (memory consumption) via many read accesses to files in the /sys/class/sas_phy directory, as demonstrated by the /sys/class/sas_phy/phy-1:0:12/invalid_dword_count file. Moderate CVE-2018-7757 SUSE bug 1084536 SUSE bug 1087082 SUSE bug 1087209 SUSE bug 1091815 SUSE Linux Enterprise Server 11 SP3-TERADATA When using an OCSP responder Apache Tomcat Native 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34 did not correctly handle invalid responses. This allowed for revoked client certificates to be incorrectly identified. It was therefore possible for users to authenticate with revoked certificates when using mutual TLS. Users not using OCSP checks are not affected by this vulnerability. Moderate CVE-2018-8019 SUSE bug 1103348 SUSE Linux Enterprise Server 11 SP3-TERADATA Apache Tomcat Native 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34 has a flaw that does not properly check OCSP pre-produced responses, which are lists (multiple entries) of certificate statuses. Subsequently, revoked client certificates may not be properly identified, allowing for users to authenticate with revoked certificates to connections that require mutual TLS. Users not using OCSP checks are not affected by this vulnerability. Important CVE-2018-8020 SUSE bug 1103347 SUSE Linux Enterprise Server 11 SP3-TERADATA Apache Axis 1.x up to and including 1.4 is vulnerable to a cross-site scripting (XSS) attack in the default servlet/services. Moderate CVE-2018-8032 SUSE bug 1103658 SUSE Linux Enterprise Server 11 SP3-TERADATA In SQLite through 3.22.0, databases whose schema is corrupted using a CREATE TABLE AS statement could cause a NULL pointer dereference, related to build.c and prepare.c. Low CVE-2018-8740 SUSE bug 1085790 SUSE bug 1131919 SUSE Linux Enterprise Server 11 SP3-TERADATA WriteEPTImage in coders/ept.c in ImageMagick 7.0.7-25 Q16 allows remote attackers to cause a denial of service (MagickCore/memory.c double free and application crash) or possibly have unspecified other impact via a crafted file. Low CVE-2018-8804 SUSE bug 1086011 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA Incorrect buffer length handling in the ncp_read_kernel function in fs/ncpfs/ncplib_kernel.c in the Linux kernel through 4.15.11, and in drivers/staging/ncpfs/ncplib_kernel.c in the Linux kernel 4.16-rc through 4.16-rc6, could be exploited by malicious NCPFS servers to crash the kernel or execute code. Moderate CVE-2018-8822 SUSE bug 1086162 SUSE bug 1091815 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandled in the development of some or all operating-system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS, as demonstrated by (for example) privilege escalation in Windows, macOS, some Xen configurations, or FreeBSD, or a Linux kernel crash. The MOV to SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single step trap exceptions until the instruction boundary following the next instruction (SDM Vol. 3A; section 6.8.3). (The inhibited data breakpoints are those on memory accessed by the MOV to SS or POP to SS instruction itself.) Note that debug exceptions are not inhibited by the interrupt enable (EFLAGS.IF) system flag (SDM Vol. 3A; section 2.3). If the instruction following the MOV to SS or POP to SS instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating system at CPL < 3, the debug exception is delivered after the transfer to CPL < 3 is complete. OS kernels may not expect this order of events and may therefore experience unexpected behavior when it occurs. Moderate CVE-2018-8897 SUSE bug 1087078 SUSE bug 1087088 SUSE bug 1090368 SUSE bug 1090820 SUSE bug 1090869 SUSE bug 1092497 SUSE bug 1098813 SUSE bug 1100835 SUSE Linux Enterprise Server 11 SP3-TERADATA In LibTIFF 4.0.9, a heap-based buffer overflow occurs in the function LZWDecodeCompat in tif_lzw.c via a crafted TIFF file, as demonstrated by tiff2ps. Moderate CVE-2018-8905 SUSE bug 1086408 SUSE Linux Enterprise Server 11 SP3-TERADATA The ReadTIFFImage function in coders/tiff.c in ImageMagick 7.0.7-26 Q16 does not properly restrict memory allocation, leading to a heap-based buffer over-read. Low CVE-2018-8960 SUSE bug 1086782 SUSE Linux Enterprise Server 11 SP3-TERADATA In GraphicsMagick 1.3.28, there is a divide-by-zero in the ReadMNGImage function of coders/png.c. Remote attackers could leverage this vulnerability to cause a crash and denial of service via a crafted mng file. Low CVE-2018-9018 SUSE bug 1086773 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, the LWAPP dissector could crash. This was addressed in epan/dissectors/packet-lwapp.c by limiting the encapsulation levels to restrict the recursion depth. Moderate CVE-2018-9256 SUSE bug 1088200 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, the MP4 dissector could crash. This was addressed in epan/dissectors/file-mp4.c by restricting the box recursion depth. Moderate CVE-2018-9259 SUSE bug 1088200 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, the IEEE 802.15.4 dissector could crash. This was addressed in epan/dissectors/packet-ieee802154.c by ensuring that an allocation step occurs. Moderate CVE-2018-9260 SUSE bug 1088200 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, the NBAP dissector could crash with a large loop that ends with a heap-based buffer overflow. This was addressed in epan/dissectors/packet-nbap.c by prohibiting the self-linking of DCH-IDs. Moderate CVE-2018-9261 SUSE bug 1088200 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, the VLAN dissector could crash. This was addressed in epan/dissectors/packet-vlan.c by limiting VLAN tag nesting to restrict the recursion depth. Moderate CVE-2018-9262 SUSE bug 1088200 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, the Kerberos dissector could crash. This was addressed in epan/dissectors/packet-kerberos.c by ensuring a nonzero key length. Moderate CVE-2018-9263 SUSE bug 1088200 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, the ADB dissector could crash with a heap-based buffer overflow. This was addressed in epan/dissectors/packet-adb.c by checking for a length inconsistency. Moderate CVE-2018-9264 SUSE bug 1088200 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, epan/dissectors/packet-tn3270.c has a memory leak. Moderate CVE-2018-9265 SUSE bug 1088200 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, epan/dissectors/packet-isup.c has a memory leak. Moderate CVE-2018-9266 SUSE bug 1088200 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, epan/dissectors/packet-lapd.c has a memory leak. Moderate CVE-2018-9267 SUSE bug 1088200 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, epan/dissectors/packet-smb2.c has a memory leak. Moderate CVE-2018-9268 SUSE bug 1088200 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, epan/dissectors/packet-giop.c has a memory leak. Moderate CVE-2018-9269 SUSE bug 1088200 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, epan/oids.c has a memory leak. Moderate CVE-2018-9270 SUSE bug 1088200 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, epan/dissectors/packet-multipart.c has a memory leak. Moderate CVE-2018-9271 SUSE bug 1088200 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, epan/dissectors/packet-h223.c has a memory leak. Moderate CVE-2018-9272 SUSE bug 1088200 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, epan/dissectors/packet-pcp.c has a memory leak. Moderate CVE-2018-9273 SUSE bug 1088200 SUSE Linux Enterprise Server 11 SP3-TERADATA In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, ui/failure_message.c has a memory leak. Moderate CVE-2018-9274 SUSE bug 1088200 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA In hid_debug_events_read of drivers/hid/hid-debug.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android ID: A-71361580. Moderate CVE-2018-9516 SUSE bug 1108498 SUSE bug 1123161 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA In sk_clone_lock of sock.c, there is a possible memory corruption due to type confusion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-113509306. References: Upstream kernel. Important CVE-2018-9568 SUSE bug 1118319 SUSE bug 1118320 SUSE Linux Enterprise Server 11 SP3-TERADATA In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions. Moderate CVE-2019-0217 SUSE bug 1131239 SUSE Linux Enterprise Server 11 SP3-TERADATA A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the servers processing will implicitly collapse them. Moderate CVE-2019-0220 SUSE bug 1131241 SUSE Linux Enterprise Server 11 SP3-TERADATA In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed. Important CVE-2019-10092 SUSE bug 1145740 SUSE Linux Enterprise Server 11 SP3-TERADATA In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL. Important CVE-2019-10098 SUSE bug 1145738 SUSE Linux Enterprise Server 11 SP3-TERADATA Evince 3.26.0 is affected by buffer overflow. The impact is: DOS / Possible code execution. The component is: backend/tiff/tiff-document.c. The attack vector is: Victim must open a crafted PDF file. The issue occurs because of an incorrect integer overflow protection mechanism in tiff_document_render and tiff_document_get_thumbnail. Important CVE-2019-1010006 SUSE bug 1141619 SUSE Linux Enterprise Server 11 SP3-TERADATA GNU gdb All versions is affected by: Buffer Overflow - Out of bound memory access. The impact is: Deny of Service, Memory Disclosure, and Possible Code Execution. The component is: The main gdb module. The attack vector is: Open an ELF for debugging. The fixed version is: Not fixed yet. Important CVE-2019-1010180 SUSE bug 1142772 SUSE Linux Enterprise Server 11 SP3-TERADATA A vulnerability was found in PostgreSQL versions 11.x up to excluding 11.3, 10.x up to excluding 10.8, 9.6.x up to, excluding 9.6.13, 9.5.x up to, excluding 9.5.17. PostgreSQL maintains column statistics for tables. Certain statistics, such as histograms and lists of most common values, contain values taken from the column. PostgreSQL does not evaluate row security policies before consulting those statistics during query planning; an attacker can exploit this to read the most common values of certain columns. Affected columns are those for which the attacker has SELECT privilege and for which, in an ordinary query, row-level security prunes the set of rows visible to the attacker. Moderate CVE-2019-10130 SUSE bug 1134689 SUSE Linux Enterprise Server 11 SP3-TERADATA An off-by-one read vulnerability was discovered in ImageMagick before version 7.0.7-28 in the formatIPTCfromBuffer function in coders/meta.c. A local attacker may use this flaw to read beyond the end of the buffer or to crash the program. Moderate CVE-2019-10131 SUSE bug 1134075 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS It was found that Spacewalk, all versions through 2.9, did not safely compute client token checksums. An attacker with a valid, but expired, authenticated set of headers could move some digits around, artificially extending the session validity without modifying the checksum. Moderate CVE-2019-10136 SUSE bug 1136480 SUSE Linux Enterprise Server 11 SP3-TERADATA A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application. Critical CVE-2019-10160 SUSE bug 1138459 SUSE Linux Enterprise Server 11 SP3-TERADATA It was discovered that libvirtd before versions 4.10.1 and 5.4.1 would permit read-only clients to use the virDomainSaveImageGetXMLDesc() API, specifying an arbitrary path which would be accessed with the permissions of the libvirtd process. An attacker with access to the libvirtd socket could use this to probe the existence of arbitrary files, cause denial of service or cause libvirtd to execute arbitrary programs. Important CVE-2019-10161 SUSE bug 1138301 SUSE Linux Enterprise Server 11 SP3-TERADATA PostgreSQL versions 10.x before 10.9 and versions 11.x before 11.4 are vulnerable to a stack-based buffer overflow. Any authenticated user can overflow a stack-based buffer by changing the user's own password to a purpose-crafted value. This often suffices to execute arbitrary code as the PostgreSQL operating system account. Important CVE-2019-10164 SUSE bug 1138034 SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Important CVE-2019-10208 SUSE bug 1145092 SUSE Linux Enterprise Server 11 SP3-TERADATA In Eclipse OpenJ9 prior to the 0.14.0 release, the Java bytecode verifier incorrectly allows a method to execute past the end of bytecode array causing crashes. Eclipse OpenJ9 v0.14.0 correctly detects this case and rejects the attempted class load. Moderate CVE-2019-10245 SUSE bug 1134718 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.8-36 Q16, there is a heap-based buffer over-read in the function WriteTIFFImage of coders/tiff.c, which allows an attacker to cause a denial of service or information disclosure via a crafted image file. CVE-2019-10650 SUSE bug 1131317 SUSE Linux Enterprise Server 11 SP3-TERADATA In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a heap-based buffer over-read in the ReadMNGImage function of coders/png.c, which allows attackers to cause a denial of service or information disclosure via an image colormap. Moderate CVE-2019-11007 SUSE bug 1132060 SUSE Linux Enterprise Server 11 SP3-TERADATA In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a heap-based buffer over-read in the function ReadXWDImage of coders/xwd.c, which allows attackers to cause a denial of service or information disclosure via a crafted image file. Moderate CVE-2019-11009 SUSE bug 1132053 SUSE bug 1133202 SUSE bug 1133203 SUSE Linux Enterprise Server 11 SP3-TERADATA When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.28, 7.2.x below 7.2.17 and 7.3.x below 7.3.4 can be caused to read past allocated buffer in exif_process_IFD_TAG function. This may lead to information disclosure or crash. Moderate CVE-2019-11034 SUSE bug 1132838 SUSE Linux Enterprise Server 11 SP3-TERADATA When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.28, 7.2.x below 7.2.17 and 7.3.x below 7.3.4 can be caused to read past allocated buffer in exif_iif_add_value function. This may lead to information disclosure or crash. Moderate CVE-2019-11035 SUSE bug 1132837 SUSE Linux Enterprise Server 11 SP3-TERADATA When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.29, 7.2.x below 7.2.18 and 7.3.x below 7.3.5 can be caused to read past allocated buffer in exif_process_IFD_TAG function. This may lead to information disclosure or crash. Moderate CVE-2019-11036 SUSE bug 1134322 SUSE Linux Enterprise Server 11 SP3-TERADATA When using the gdImageCreateFromXbm() function in the GD Graphics Library (aka LibGD) 2.2.5, as used in the PHP GD extension in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it is possible to supply data that will cause the function to use the value of uninitialized variable. This may lead to disclosing contents of the stack that has been left there by previous code. Moderate CVE-2019-11038 SUSE bug 1140118 SUSE bug 1140120 SUSE Linux Enterprise Server 11 SP3-TERADATA Function iconv_mime_decode_headers() in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6 may perform out-of-buffer read due to integer overflow when parsing MIME headers. This may lead to information disclosure or crash. Moderate CVE-2019-11039 SUSE bug 1138173 SUSE Linux Enterprise Server 11 SP3-TERADATA When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash. Moderate CVE-2019-11040 SUSE bug 1138172 SUSE Linux Enterprise Server 11 SP3-TERADATA When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash. Important CVE-2019-11041 SUSE bug 1146360 SUSE Linux Enterprise Server 11 SP3-TERADATA When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash. Moderate CVE-2019-11042 SUSE bug 1145095 SUSE Linux Enterprise Server 11 SP3-TERADATA libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded. Moderate CVE-2019-11068 SUSE bug 1132160 SUSE Linux Enterprise Server 11 SP3-TERADATA Microarchitectural Data Sampling Uncacheable Memory (MDSUM): Uncacheable memory on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf Moderate CVE-2019-11091 SUSE bug 1103186 SUSE bug 1111331 SUSE bug 1132686 SUSE bug 1133319 SUSE bug 1135394 SUSE Linux Enterprise Server 11 SP3-TERADATA The Linux kernel before 4.8 allows local users to bypass ASLR on setuid programs (such as /bin/su) because install_exec_creds() is called too late in load_elf_binary() in fs/binfmt_elf.c, and thus the ptrace_may_access() check has a race condition when reading /proc/pid/stat. CVE-2019-11190 SUSE bug 1131543 SUSE bug 1132374 SUSE bug 1132472 SUSE Linux Enterprise Server 11 SP3-TERADATA An information disclosure vulnerability exists when certain central processing units (CPU) speculatively access memory, aka 'Windows Kernel Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2019-1071, CVE-2019-1073. Moderate CVE-2019-1125 SUSE bug 1139358 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in atftpd in atftp 0.7.1. A remote attacker may send a crafted packet triggering a stack-based buffer overflow due to an insecurely implemented strncpy call. The vulnerability is triggered by sending an error packet of 3 bytes or fewer. There are multiple instances of this vulnerable strncpy pattern within the code base, specifically within tftpd_file.c, tftp_file.c, tftpd_mtftp.c, and tftp_mtftp.c. Critical CVE-2019-11365 SUSE bug 1133114 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in atftpd in atftp 0.7.1. It does not lock the thread_list_mutex mutex before assigning the current thread data structure. As a result, the daemon is vulnerable to a denial of service attack due to a NULL pointer dereference. If thread_data is NULL when assigned to current, and modified by another thread before a certain tftpd_list.c check, there is a crash when dereferencing current->next. Moderate CVE-2019-11366 SUSE bug 1133145 SUSE Linux Enterprise Server 11 SP3-TERADATA The tiff_document_render() and tiff_document_get_thumbnail() functions in the TIFF document backend in GNOME Evince through 3.32.0 did not handle errors from TIFFReadRGBAImageOriented(), leading to uninitialized memory use when processing certain TIFF image files. Moderate CVE-2019-11459 SUSE bug 1133037 SUSE Linux Enterprise Server 11 SP3-TERADATA The cineon parsing component in ImageMagick 7.0.8-26 Q16 allows attackers to cause a denial-of-service (uncontrolled resource consumption) by crafting a Cineon image with an incorrect claimed image size. This occurs because ReadCINImage in coders/cin.c lacks a check for insufficient image data in a file. Moderate CVE-2019-11470 SUSE bug 1133205 SUSE Linux Enterprise Server 11 SP3-TERADATA ReadXWDImage in coders/xwd.c in the XWD image parsing component of ImageMagick 7.0.8-41 Q16 allows attackers to cause a denial-of-service (divide-by-zero error) by crafting an XWD image file in which the header indicates neither LSB first nor MSB first. Moderate CVE-2019-11472 SUSE bug 1133202 SUSE bug 1133203 SUSE bug 1133204 SUSE bug 1146213 SUSE Linux Enterprise Server 11 SP3-TERADATA Jonathan Looney discovered that the TCP_SKB_CB(skb)->tcp_gso_segs value was subject to an integer overflow in the Linux kernel when handling TCP Selective Acknowledgments (SACKs). A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit 3b4929f65b0d8249f19a50245cd88ed1a2f78cff. Important CVE-2019-11477 SUSE bug 1132686 SUSE bug 1137586 SUSE bug 1142129 SUSE Linux Enterprise Server 11 SP3-TERADATA Jonathan Looney discovered that the TCP retransmission queue implementation in tcp_fragment in the Linux kernel could be fragmented when handling certain TCP Selective Acknowledgment (SACK) sequences. A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit f070ef2ac66716357066b683fb0baf55f8191a2e. Important CVE-2019-11478 SUSE bug 1132686 SUSE bug 1137586 SUSE bug 1142129 SUSE Linux Enterprise Server 11 SP3-TERADATA Jonathan Looney discovered that the Linux kernel default MSS is hard-coded to 48 bytes. This allows a remote peer to fragment TCP resend queues significantly more than if a larger MSS were enforced. A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commits 967c05aee439e6e5d7d805e195b3a20ef5c433d6 and 5f3e2bf008c2221478101ee72f5cb4654b9fc363. Important CVE-2019-11479 SUSE bug 1132686 SUSE bug 1137586 SUSE bug 1142129 SUSE Linux Enterprise Server 11 SP3-TERADATA The Siemens R3964 line discipline driver in drivers/tty/n_r3964.c in the Linux kernel before 5.0.8 has multiple race conditions. Important CVE-2019-11486 SUSE bug 1133188 SUSE Linux Enterprise Server 11 SP3-TERADATA In GraphicsMagick from version 1.3.8 to 1.4 snapshot-20190403 Q8, there is a heap-based buffer overflow in the function WritePDBImage of coders/pdb.c, which allows an attacker to cause a denial of service or possibly have unspecified other impact via a crafted image file. This is related to MagickBitStreamMSBWrite in magick/bit_stream.c. Important CVE-2019-11505 SUSE bug 1133501 SUSE Linux Enterprise Server 11 SP3-TERADATA In GraphicsMagick from version 1.3.30 to 1.4 snapshot-20190403 Q8, there is a heap-based buffer overflow in the function WriteMATLABImage of coders/mat.c, which allows an attacker to cause a denial of service or possibly have unspecified other impact via a crafted image file. This is related to ExportRedQuantumType in magick/export.c. Important CVE-2019-11506 SUSE bug 1133498 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.8-43 Q16, there is a heap-based buffer over-read in the function WriteTIFFImage of coders/tiff.c, which allows an attacker to cause a denial of service or possibly information disclosure via a crafted image file. Moderate CVE-2019-11597 SUSE bug 1138464 SUSE bug 1146211 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.8-40 Q16, there is a heap-based buffer over-read in the function WritePNMImage of coders/pnm.c, which allows an attacker to cause a denial of service or possibly information disclosure via a crafted image file. This is related to SetGrayscaleImage in MagickCore/quantize.c. Moderate CVE-2019-11598 SUSE bug 1136732 SUSE Linux Enterprise Server 11 SP3-TERADATA A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Firefox ESR < 60.7.1, Firefox < 67.0.3, and Thunderbird < 60.7.2. Important CVE-2019-11707 SUSE bug 1138614 SUSE Linux Enterprise Server 11 SP3-TERADATA Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer. This vulnerability affects Firefox ESR < 60.7.2, Firefox < 67.0.4, and Thunderbird < 60.7.2. Important CVE-2019-11708 SUSE bug 1138872 SUSE Linux Enterprise Server 11 SP3-TERADATA Mozilla developers and community members reported memory safety bugs present in Firefox 67 and Firefox ESR 60.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. Important CVE-2019-11709 SUSE bug 1140868 SUSE Linux Enterprise Server 11 SP3-TERADATA When an inner window is reused, it does not consider the use of document.domain for cross-origin protections. If pages on different subdomains ever cooperatively use document.domain, then either page can abuse this to inject script into arbitrary pages on the other subdomain, even those that did not use document.domain to relax their origin security. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. Important CVE-2019-11711 SUSE bug 1140868 SUSE Linux Enterprise Server 11 SP3-TERADATA POST requests made by NPAPI plugins, such as Flash, that receive a status 308 redirect response can bypass CORS requirements. This can allow an attacker to perform Cross-Site Request Forgery (CSRF) attacks. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. Important CVE-2019-11712 SUSE bug 1140868 SUSE Linux Enterprise Server 11 SP3-TERADATA A use-after-free vulnerability can occur in HTTP/2 when a cached HTTP/2 stream is closed while still in use, resulting in a potentially exploitable crash. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. Important CVE-2019-11713 SUSE bug 1140868 SUSE Linux Enterprise Server 11 SP3-TERADATA Due to an error while parsing page content, it is possible for properly sanitized user input to be misinterpreted and lead to XSS hazards on web sites in certain circumstances. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. Important CVE-2019-11715 SUSE bug 1140868 SUSE Linux Enterprise Server 11 SP3-TERADATA A vulnerability exists where the caret ("^") character is improperly escaped constructing some URIs due to it being used as a separator, allowing for possible spoofing of origin attributes. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. Important CVE-2019-11717 SUSE bug 1140868 SUSE Linux Enterprise Server 11 SP3-TERADATA When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. Important CVE-2019-11719 SUSE bug 1140868 SUSE Linux Enterprise Server 11 SP3-TERADATA Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. Important CVE-2019-11729 SUSE bug 1140868 SUSE Linux Enterprise Server 11 SP3-TERADATA A vulnerability exists where if a user opens a locally saved HTML file, this file can use file: URIs to access other files in the same directory or sub-directories if the names are known or guessed. The Fetch API can then be used to read the contents of any files stored in these directories and they may uploaded to a server. It was demonstrated that in combination with a popular Android messaging app, if a malicious HTML attachment is sent to a user and they opened that attachment in Firefox, due to that app's predictable pattern for locally-saved file names, it is possible to read attachments the victim received from other correspondents. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. Important CVE-2019-11730 SUSE bug 1140868 SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Moderate CVE-2019-11740 SUSE bug 1149299 SUSE bug 1149323 SUSE bug 1149324 SUSE bug 1150940 SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Moderate CVE-2019-11742 SUSE bug 1149303 SUSE bug 1149323 SUSE bug 1149324 SUSE bug 1150940 SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Moderate CVE-2019-11743 SUSE bug 1149298 SUSE bug 1149323 SUSE bug 1149324 SUSE bug 1150940 SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Moderate CVE-2019-11744 SUSE bug 1149304 SUSE bug 1149323 SUSE bug 1149324 SUSE bug 1150940 SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Moderate CVE-2019-11746 SUSE bug 1149297 SUSE bug 1149323 SUSE bug 1149324 SUSE bug 1150940 SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Moderate CVE-2019-11752 SUSE bug 1149296 SUSE bug 1149323 SUSE bug 1149324 SUSE bug 1150940 SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Moderate CVE-2019-11753 SUSE bug 1149295 SUSE bug 1149323 SUSE bug 1149324 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in the Linux kernel before 5.0.7. A NULL pointer dereference can occur when megasas_create_frame_pool() fails in megasas_alloc_cmds() in drivers/scsi/megaraid/megaraid_sas_base.c. This causes a Denial of Service, related to a use-after-free. Low CVE-2019-11810 SUSE bug 1134399 SUSE Linux Enterprise Server 11 SP3-TERADATA The do_hidp_sock_ioctl function in net/bluetooth/hidp/sock.c in the Linux kernel before 5.0.15 allows a local user to obtain potentially sensitive information from kernel stack memory via a HIDPCONNADD command, because a name field may not end with a '\0' character. Moderate CVE-2019-11884 SUSE bug 1134848 SUSE bug 1139868 SUSE Linux Enterprise Server 11 SP3-TERADATA interface_release_resource in hw/display/qxl.c in QEMU 4.0.0 has a NULL pointer dereference. Low CVE-2019-12155 SUSE bug 1135902 SUSE bug 1135905 SUSE Linux Enterprise Server 11 SP3-TERADATA file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file permissions while a copy operation is in progress. Instead, default permissions are used. Important CVE-2019-12450 SUSE bug 1137001 SUSE bug 1139959 SUSE bug 1141771 SUSE bug 1142126 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in dlpar_parse_cc_property in arch/powerpc/platforms/pseries/dlpar.c in the Linux kernel through 5.1.6. There is an unchecked kstrdup of prop->name, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash). Moderate CVE-2019-12614 SUSE bug 1137194 SUSE Linux Enterprise Server 11 SP3-TERADATA getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline, as demonstrated by execute in Vim, and assert_fails or nvim_input in Neovim. Important CVE-2019-12735 SUSE bug 1137443 SUSE Linux Enterprise Server 11 SP3-TERADATA dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of symlink mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. (This only affects the DBUS_COOKIE_SHA1 authentication mechanism.) A malicious client with write access to its own home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to read and write in unintended locations. In the worst case, this could result in the DBusServer reusing a cookie that is known to the malicious client, and treating that cookie as evidence that a subsequent client connection came from an attacker-chosen uid, allowing authentication bypass. Important CVE-2019-12749 SUSE bug 1137832 SUSE Linux Enterprise Server 11 SP3-TERADATA BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors. Important CVE-2019-12900 SUSE bug 1139083 SUSE bug 1149458 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick 7.0.8-34 has a memory leak vulnerability in the WriteDPXImage function in coders/dpx.c. Moderate CVE-2019-12975 SUSE bug 1140106 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick 7.0.8-34 has a memory leak in the ReadPCLImage function in coders/pcl.c. Moderate CVE-2019-12976 SUSE bug 1140110 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick 7.0.8-34 has a "use of uninitialized value" vulnerability in the SyncImageSettings function in MagickCore/image.c. This is related to AcquireImage in magick/image.c. Moderate CVE-2019-12979 SUSE bug 1139886 SUSE Linux Enterprise Server 11 SP3-TERADATA Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack. Moderate CVE-2019-13050 SUSE bug 1141093 SUSE bug 1149038 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS In ZeroMQ libzmq before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.3.2, a remote, unauthenticated client connecting to a libzmq application, running with a socket listening with CURVE encryption/authentication enabled, may cause a stack overflow and overwrite the stack with arbitrary data, due to a buffer overflow in the library. Users running public servers with the above configuration are highly encouraged to upgrade as soon as possible, as there are no known mitigations. Important CVE-2019-13132 SUSE bug 1140255 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick before 7.0.8-50 has a memory leak vulnerability in the function ReadBMPImage in coders/bmp.c. Moderate CVE-2019-13133 SUSE bug 1140100 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick before 7.0.8-50 has a memory leak vulnerability in the function ReadVIFFImage in coders/viff.c. Moderate CVE-2019-13134 SUSE bug 1140102 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick before 7.0.8-50 has a "use of uninitialized value" vulnerability in the function ReadCUTImage in coders/cut.c. Moderate CVE-2019-13135 SUSE bug 1140103 SUSE Linux Enterprise Server 11 SP3-TERADATA qemu-bridge-helper.c in QEMU 4.0.0 does not ensure that a network interface name (obtained from bridge.conf or a --br=bridge option) is limited to the IFNAMSIZ size, which can lead to an ACL bypass. Moderate CVE-2019-13164 SUSE bug 1140402 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick 7.0.8-50 Q16 has a heap-based buffer over-read at MagickCore/threshold.c in AdaptiveThresholdImage because a width of zero is mishandled. Moderate CVE-2019-13295 SUSE bug 1140664 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick 7.0.8-50 Q16 has a heap-based buffer over-read at MagickCore/threshold.c in AdaptiveThresholdImage because a height of zero is mishandled. Moderate CVE-2019-13297 SUSE bug 1140666 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick 7.0.8-50 Q16 has memory leaks in AcquireMagickMemory because of an AnnotateImage error. Moderate CVE-2019-13301 SUSE bug 1140554 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick 7.0.8-50 Q16 has memory leaks at AcquireMagickMemory because of a wand/mogrify.c error. Low CVE-2019-13311 SUSE bug 1140513 SUSE bug 1140554 SUSE Linux Enterprise Server 11 SP3-TERADATA The cachemgr.cgi web module of Squid through 4.7 has XSS via the user_name or auth parameter. Moderate CVE-2019-13345 SUSE bug 1140738 SUSE Linux Enterprise Server 11 SP3-TERADATA ImageMagick 7.0.8-54 Q16 allows Division by Zero in RemoveDuplicateLayers in MagickCore/layer.c. Moderate CVE-2019-13454 SUSE bug 1141171 SUSE Linux Enterprise Server 11 SP3-TERADATA It was discovered that there was a ECDSA timing attack in the libgcrypt20 cryptographic library. Version affected: 1.8.4-5, 1.7.6-2+deb9u3, and 1.6.3-2+deb8u4. Versions fixed: 1.8.5-2 and 1.6.3-2+deb8u7. Moderate CVE-2019-13627 SUSE bug 1148987 SUSE Linux Enterprise Server 11 SP3-TERADATA In parse_hid_report_descriptor in drivers/input/tablet/gtco.c in the Linux kernel through 5.2.1, a malicious USB device can send an HID report that triggers an out-of-bounds write during generation of debugging messages. Moderate CVE-2019-13631 SUSE bug 1142023 SUSE Linux Enterprise Server 11 SP3-TERADATA In the Linux kernel before 5.2.3, set_geometry in drivers/block/floppy.c does not validate the sect and head fields, as demonstrated by an integer overflow and out-of-bounds read. It can be triggered by an unprivileged local user when a floppy disk has been inserted. NOTE: QEMU creates the floppy device by default. Moderate CVE-2019-14283 SUSE bug 1143191 SUSE Linux Enterprise Server 11 SP3-TERADATA In the Linux kernel before 5.2.3, drivers/block/floppy.c allows a denial of service by setup_format_params division-by-zero. Two consecutive ioctls can trigger the bug: the first one should set the drive geometry with .sect and .rate values that make F_SECT_PER_TRACK be zero. Next, the floppy format operation should be called. It can be triggered by an unprivileged local user even when a floppy disk has not been inserted. NOTE: QEMU creates the floppy device by default. Moderate CVE-2019-14284 SUSE bug 1143189 SUSE bug 1143191 SUSE Linux Enterprise Server 11 SP3-TERADATA ip_reass in ip_input.c in libslirp 4.0.0 has a heap-based buffer overflow via a large packet because it mishandles a case involving the first fragment. Important CVE-2019-14378 SUSE bug 1143794 SUSE bug 1143797 SUSE Linux Enterprise Server 11 SP3-TERADATA A buffer overflow flaw was found, in versions from 2.6.34 to 5.2.x, in the way Linux kernel's vhost functionality that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could use this flaw to increase their privileges on the host. Important CVE-2019-14835 SUSE bug 1150112 SUSE Linux Enterprise Server 11 SP3-TERADATA check_input_term in sound/usb/mixer.c in the Linux kernel through 5.2.9 mishandles recursion, leading to kernel stack exhaustion. Moderate CVE-2019-15118 SUSE bug 1145922 SUSE Linux Enterprise Server 11 SP3-TERADATA In DjVuLibre 3.5.27, DjVmDir.cpp in the DJVU reader component allows attackers to cause a denial-of-service (application crash in GStringRep::strdup in libdjvu/GString.cpp caused by a heap-based buffer over-read) by crafting a DJVU file. Moderate CVE-2019-15142 SUSE bug 1146702 SUSE Linux Enterprise Server 11 SP3-TERADATA In DjVuLibre 3.5.27, the bitmap reader component allows attackers to cause a denial-of-service error (resource exhaustion caused by a GBitmap::read_rle_raw infinite loop) by crafting a corrupted image file, related to libdjvu/DjVmDir.cpp and libdjvu/GBitmap.cpp. Moderate CVE-2019-15143 SUSE bug 1146569 SUSE Linux Enterprise Server 11 SP3-TERADATA In DjVuLibre 3.5.27, the sorting functionality (aka GArrayTemplate<TYPE>::sort) allows attackers to cause a denial-of-service (application crash due to an Uncontrolled Recursion) by crafting a PBM image file that is mishandled in libdjvu/GContainer.h. Moderate CVE-2019-15144 SUSE bug 1146571 SUSE Linux Enterprise Server 11 SP3-TERADATA DjVuLibre 3.5.27 allows attackers to cause a denial-of-service attack (application crash via an out-of-bounds read) by crafting a corrupted JB2 image file that is mishandled in JB2Dict::JB2Codec::get_direct_context in libdjvu/JB2Image.h because of a missing zero-bytes check in libdjvu/GBitmap.h. Moderate CVE-2019-15145 SUSE bug 1146572 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in the Linux kernel before 5.1.8. There is a double-free caused by a malicious USB device in the drivers/usb/misc/rio500.c driver. Moderate CVE-2019-15212 SUSE bug 1146391 SUSE bug 1146519 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in the Linux kernel before 5.0.14. There is a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/yurex.c driver. Moderate CVE-2019-15216 SUSE bug 1146361 SUSE bug 1146519 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in the Linux kernel before 5.2.3. There is a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/zr364xx/zr364xx.c driver. Moderate CVE-2019-15217 SUSE bug 1146519 SUSE bug 1146547 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/sisusbvga/sisusb.c driver. Moderate CVE-2019-15219 SUSE bug 1146519 SUSE bug 1146524 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in the Linux kernel before 5.0.9. There is a use-after-free in atalk_proc_exit, related to net/appletalk/atalk_proc.c, net/appletalk/ddp.c, and net/appletalk/sysctl_net_atalk.c. Important CVE-2019-15292 SUSE bug 1146678 SUSE Linux Enterprise Server 11 SP3-TERADATA Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s). Moderate CVE-2019-1547 SUSE bug 1150003 SUSE Linux Enterprise Server 11 SP3-TERADATA If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q). Moderate CVE-2019-1559 SUSE bug 1127080 SUSE bug 1130039 SUSE bug 1141798 SUSE Linux Enterprise Server 11 SP3-TERADATA In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s). Moderate CVE-2019-1563 SUSE bug 1150250 SUSE Linux Enterprise Server 11 SP3-TERADATA A backporting error was discovered in the Linux stable/longterm kernel 4.4.x through 4.4.190, 4.9.x through 4.9.190, 4.14.x through 4.14.141, 4.19.x through 4.19.69, and 5.2.x through 5.2.11. Misuse of the upstream "x86/ptrace: Fix possible spectre-v1 in ptrace_get_debugreg()" commit reintroduced the Spectre vulnerability that it aimed to eliminate. This occurred because the backport process depends on cherry picking specific commits, and because two (correctly ordered) code lines were swapped. Critical CVE-2019-15902 SUSE bug 1149376 SUSE Linux Enterprise Server 11 SP3-TERADATA In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read. Moderate CVE-2019-15903 SUSE bug 1149429 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in the Linux kernel before 4.20.2. An out-of-bounds access exists in the function build_audio_procunit in the file sound/usb/mixer.c. Moderate CVE-2019-15927 SUSE bug 1149522 SUSE Linux Enterprise Server 11 SP3-TERADATA A vulnerability in the Portable Document Format (PDF) scanning functionality of Clam AntiVirus (ClamAV) Software versions 0.101.1 and prior could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to a lack of proper data handling mechanisms within the device buffer while indexing remaining file data on an affected device. An attacker could exploit this vulnerability by sending crafted PDF files to an affected device. A successful exploit could allow the attacker to cause a heap buffer out-of-bounds read condition, resulting in a crash that could result in a denial of service condition on an affected device. Moderate CVE-2019-1787 SUSE bug 1130721 SUSE Linux Enterprise Server 11 SP3-TERADATA A vulnerability in the Object Linking & Embedding (OLE2) file scanning functionality of Clam AntiVirus (ClamAV) Software versions 0.101.1 and prior could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to a lack of proper input and validation checking mechanisms for OLE2 files sent an affected device. An attacker could exploit this vulnerability by sending malformed OLE2 files to the device running an affected version ClamAV Software. An exploit could allow the attacker to cause an out-of-bounds write condition, resulting in a crash that could result in a denial of service condition on an affected device. Moderate CVE-2019-1788 SUSE bug 1130721 SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Moderate CVE-2019-1789 SUSE bug 1130721 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 7u201, 8u192 and 11.0.1; Java SE Embedded: 8u191. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N). Moderate CVE-2019-2422 SUSE bug 1122293 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 7u211, 8u202, 11.0.2 and 12; Java SE Embedded: 8u201. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Java SE, Java SE Embedded. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Moderate CVE-2019-2602 SUSE bug 1132728 SUSE bug 1134718 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 7u211, 8u202, 11.0.2 and 12; Java SE Embedded: 8u201. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N). Moderate CVE-2019-2684 SUSE bug 1132732 SUSE bug 1134718 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are Java SE: 7u211 and 8u202. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). CVE-2019-2697 SUSE bug 1132734 SUSE bug 1134718 SUSE Linux Enterprise Server 11 SP3-TERADATA Vulnerability in the Java SE component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are Java SE: 7u211 and 8u202. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). CVE-2019-2698 SUSE bug 1132729 SUSE bug 1134718 SUSE Linux Enterprise Server 11 SP3-TERADATA A heap address information leak while using L2CAP_GET_CONF_OPT was discovered in the Linux kernel before 5.1-rc1. Moderate CVE-2019-3459 SUSE bug 1120758 SUSE Linux Enterprise Server 11 SP3-TERADATA A heap data infoleak in multiple locations including L2CAP_PARSE_CONF_RSP was found in the Linux kernel before 5.1-rc1. Moderate CVE-2019-3460 SUSE bug 1120758 SUSE Linux Enterprise Server 11 SP3-TERADATA Openwsman, versions up to and including 2.6.9, are vulnerable to arbitrary file disclosure because the working directory of openwsmand daemon was set to root directory. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted HTTP request to openwsman server. Important CVE-2019-3816 SUSE bug 1122623 SUSE Linux Enterprise Server 11 SP3-TERADATA Openwsman, versions up to and including 2.6.9, are vulnerable to infinite loop in process_connection() when parsing specially crafted HTTP requests. A remote, unauthenticated attacker can exploit this vulnerability by sending malicious HTTP request to cause denial of service to openwsman server. Important CVE-2019-3833 SUSE bug 1122623 SUSE Linux Enterprise Server 11 SP3-TERADATA It was found that the forceput operator could be extracted from the DefineResource method in ghostscript before 9.27. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constrains imposed by -dSAFER. Important CVE-2019-3838 SUSE bug 1129186 SUSE Linux Enterprise Server 11 SP3-TERADATA A flaw that allowed an attacker to corrupt memory and possibly escalate privileges was found in the mwifiex kernel module while connecting to a malicious wireless network. Important CVE-2019-3846 SUSE bug 1136424 SUSE bug 1136446 SUSE Linux Enterprise Server 11 SP3-TERADATA An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server. Moderate CVE-2019-3855 SUSE bug 1128471 SUSE bug 1134329 SUSE bug 1135434 SUSE bug 1141850 SUSE Linux Enterprise Server 11 SP3-TERADATA An integer overflow flaw, which could lead to an out of bounds write, was discovered in libssh2 before 1.8.1 in the way keyboard prompt requests are parsed. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server. Moderate CVE-2019-3856 SUSE bug 1128472 SUSE bug 1135434 SUSE Linux Enterprise Server 11 SP3-TERADATA An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit signal are parsed. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server. Moderate CVE-2019-3857 SUSE bug 1128474 SUSE bug 1135434 SUSE Linux Enterprise Server 11 SP3-TERADATA An out of bounds read flaw was discovered in libssh2 before 1.8.1 when a specially crafted SFTP packet is received from the server. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory. Moderate CVE-2019-3858 SUSE bug 1128476 SUSE bug 1135434 SUSE Linux Enterprise Server 11 SP3-TERADATA An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the _libssh2_packet_require and _libssh2_packet_requirev functions. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory. Moderate CVE-2019-3859 SUSE bug 1128480 SUSE bug 1130103 SUSE bug 1135434 SUSE Linux Enterprise Server 11 SP3-TERADATA An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SFTP packets with empty payloads are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory. Moderate CVE-2019-3860 SUSE bug 1128481 SUSE bug 1135434 SUSE bug 1136570 SUSE Linux Enterprise Server 11 SP3-TERADATA An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH packets with a padding length value greater than the packet length are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory. Moderate CVE-2019-3861 SUSE bug 1128490 SUSE bug 1135434 SUSE Linux Enterprise Server 11 SP3-TERADATA An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit status message and no payload are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory. Moderate CVE-2019-3862 SUSE bug 1128492 SUSE bug 1135434 SUSE Linux Enterprise Server 11 SP3-TERADATA A flaw was found in libssh2 before 1.8.1. A server could send a multiple keyboard interactive response messages whose total length are greater than unsigned char max characters. This value is used as an index to copy memory causing in an out of bounds memory write error. Moderate CVE-2019-3863 SUSE bug 1128493 SUSE bug 1130103 SUSE bug 1135434 SUSE Linux Enterprise Server 11 SP3-TERADATA A flaw was found in the way samba implemented an RPC endpoint emulating the Windows registry service API. An unprivileged attacker could use this flaw to create a new registry hive file anywhere they have unix permissions which could lead to creation of a new file in the Samba share. Versions before 4.8.11, 4.9.6 and 4.10.2 are vulnerable. Moderate CVE-2019-3880 SUSE bug 1131060 SUSE bug 1139519 SUSE Linux Enterprise Server 11 SP3-TERADATA An incorrect permissions check was discovered in libvirt 4.8.0 and above. The readonly permission was allowed to invoke APIs depending on the guest agent, which could lead to potentially disclosing unintended information or denial of service by causing libvirt to block. CVE-2019-3886 SUSE bug 1131595 SUSE bug 1133150 SUSE bug 1138301 SUSE Linux Enterprise Server 11 SP3-TERADATA A double-free can happen in idr_remove_all() in lib/idr.c in the Linux kernel 2.6 branch. An unprivileged local attacker can use this flaw for a privilege escalation or for a system crash and a denial of service (DoS). Important CVE-2019-3896 SUSE bug 1138943 SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Important CVE-2019-5010 SUSE bug 1122191 SUSE bug 1126909 SUSE Linux Enterprise Server 11 SP3-TERADATA A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1. Important CVE-2019-5436 SUSE bug 1135170 SUSE bug 1149496 SUSE Linux Enterprise Server 11 SP3-TERADATA Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3. Important CVE-2019-5482 SUSE bug 1149496 SUSE Linux Enterprise Server 11 SP3-TERADATA The mincore() implementation in mm/mincore.c in the Linux kernel through 4.19.13 allowed local attackers to observe page cache access patterns of other processes on the same system, potentially allowing sniffing of secret information. (Fixing this affects the output of the fincore program.) Limited remote exploitation may be possible, as demonstrated by latency differences in accessing public files from an Apache HTTP Server. Moderate CVE-2019-5489 SUSE bug 1120843 SUSE bug 1120885 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This affects refresh_progress_meter() in progressmeter.c. Moderate CVE-2019-6109 SUSE bug 1121571 SUSE bug 1121816 SUSE bug 1121818 SUSE bug 1121821 SUSE bug 1138392 SUSE bug 1144902 SUSE bug 1144903 SUSE bug 1148884 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file). Moderate CVE-2019-6111 SUSE bug 1121571 SUSE bug 1121816 SUSE bug 1121818 SUSE bug 1121821 SUSE bug 1123028 SUSE bug 1123220 SUSE bug 1131109 SUSE bug 1138392 SUSE bug 1144902 SUSE bug 1144903 SUSE bug 1148884 SUSE Linux Enterprise Server 11 SP3-TERADATA The TIFFFdOpen function in tif_unix.c in LibTIFF 4.0.10 has a memory leak, as demonstrated by pal2rgb. Low CVE-2019-6128 SUSE bug 1121626 SUSE Linux Enterprise Server 11 SP3-TERADATA ** DISPUTED ** An issue was discovered in NumPy 1.16.0 and earlier. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call. NOTE: third parties dispute this issue because it is a behavior that might have legitimate applications in (for example) loading serialized Python object arrays from trusted and authenticated sources. Important CVE-2019-6446 SUSE bug 1122208 SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Moderate CVE-2019-6465 SUSE bug 1126069 SUSE bug 1148887 SUSE Linux Enterprise Server 11 SP3-TERADATA In QEMU 3.0.0, tcp_emu in slirp/tcp_subr.c has a heap-based buffer overflow. Important CVE-2019-6778 SUSE bug 1123156 SUSE bug 1123157 SUSE Linux Enterprise Server 11 SP3-TERADATA gdImageColorMatch in gd_color_match.c in the GD Graphics Library (aka LibGD) 2.2.5, as used in the imagecolormatch function in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1, has a heap-based buffer overflow. This can be exploited by an attacker who is able to trigger imagecolormatch calls with crafted image data. Moderate CVE-2019-6977 SUSE bug 1123354 SUSE bug 1123361 SUSE Linux Enterprise Server 11 SP3-TERADATA The GD Graphics Library (aka LibGD) 2.2.5 has a double free in the gdImage*Ptr() functions in gd_gif_out.c, gd_jpeg.c, and gd_wbmp.c. NOTE: PHP is unaffected. Moderate CVE-2019-6978 SUSE bug 1123522 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in elfutils 0.175. A segmentation fault can occur in the function elf64_xlatetom in libelf/elf32_xlatetom.c, due to dwfl_segment_report_module not checking whether the dyn data read from a core file is truncated. A crafted input can cause a program crash, leading to denial-of-service, as demonstrated by eu-stack. Low CVE-2019-7150 SUSE bug 1123685 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick before 7.0.8-25, some memory leaks exist in DecodeImage in coders/pcd.c. Low CVE-2019-7175 SUSE bug 1128649 SUSE Linux Enterprise Server 11 SP3-TERADATA The KVM implementation in the Linux kernel through 4.20.5 has an Information Leak. Low CVE-2019-7222 SUSE bug 1124735 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick before 7.0.8-25 and GraphicsMagick through 1.3.31, several memory leaks exist in WritePDFImage in coders/pdf.c. Low CVE-2019-7397 SUSE bug 1124366 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick before 7.0.8-25, a memory leak exists in WriteDIBImage in coders/dib.c. Low CVE-2019-7398 SUSE bug 1124365 SUSE Linux Enterprise Server 11 SP3-TERADATA SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a buffer over-read in IMA_ADPCM_nibble in audio/SDL_wave.c. CVE-2019-7572 SUSE bug 1124806 SUSE Linux Enterprise Server 11 SP3-TERADATA SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in InitMS_ADPCM in audio/SDL_wave.c (inside the wNumCoef loop). Moderate CVE-2019-7573 SUSE bug 1124805 SUSE Linux Enterprise Server 11 SP3-TERADATA SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in IMA_ADPCM_decode in audio/SDL_wave.c. Moderate CVE-2019-7574 SUSE bug 1124803 SUSE Linux Enterprise Server 11 SP3-TERADATA SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer overflow in MS_ADPCM_decode in audio/SDL_wave.c. Moderate CVE-2019-7575 SUSE bug 1124802 SUSE Linux Enterprise Server 11 SP3-TERADATA SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in InitMS_ADPCM in audio/SDL_wave.c (outside the wNumCoef loop). Moderate CVE-2019-7576 SUSE bug 1124799 SUSE Linux Enterprise Server 11 SP3-TERADATA SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a buffer over-read in SDL_LoadWAV_RW in audio/SDL_wave.c. Moderate CVE-2019-7577 SUSE bug 1124800 SUSE Linux Enterprise Server 11 SP3-TERADATA SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in InitIMA_ADPCM in audio/SDL_wave.c. Moderate CVE-2019-7578 SUSE bug 1125099 SUSE Linux Enterprise Server 11 SP3-TERADATA SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in Blit1to4 in video/SDL_blit_1.c. Moderate CVE-2019-7635 SUSE bug 1124827 SUSE Linux Enterprise Server 11 SP3-TERADATA SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in SDL_GetRGB in video/SDL_pixels.c. Moderate CVE-2019-7636 SUSE bug 1124826 SUSE Linux Enterprise Server 11 SP3-TERADATA SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer overflow in SDL_FillRect in video/SDL_surface.c. Moderate CVE-2019-7637 SUSE bug 1124825 SUSE Linux Enterprise Server 11 SP3-TERADATA SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in Map1toN in video/SDL_pixels.c. Moderate CVE-2019-7638 SUSE bug 1124824 SUSE Linux Enterprise Server 11 SP3-TERADATA In elfutils 0.175, a heap-based buffer over-read was discovered in the function elf32_xlatetom in elf32_xlatetom.c in libelf. A crafted ELF input can cause a segmentation fault leading to denial of service (program crash) because ebl_core_note does not reject malformed core file notes. Low CVE-2019-7665 SUSE bug 1125007 SUSE Linux Enterprise Server 11 SP3-TERADATA SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables. Important CVE-2019-8457 SUSE bug 1136976 SUSE Linux Enterprise Server 11 SP3-TERADATA NTP through 4.2.8p12 has a NULL Pointer Dereference. Moderate CVE-2019-8936 SUSE bug 1128525 SUSE bug 1148892 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. Invalid input to the function xmlrpc_decode() can lead to an invalid memory access (heap out of bounds read or read after free). This is related to xml_elem_parse_buf in ext/xmlrpc/libxmlrpc/xml_element.c. Low CVE-2019-9020 SUSE bug 1126711 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A heap-based buffer over-read in PHAR reading functions in the PHAR extension may allow an attacker to read allocated or unallocated memory past the actual data when trying to parse the file name, a different vulnerability than CVE-2018-20783. This is related to phar_detect_phar_fname_ext in ext/phar/phar.c. Low CVE-2019-9021 SUSE bug 1126713 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A number of heap-based buffer over-read instances are present in mbstring regular expression functions when supplied with invalid multibyte data. These occur in ext/mbstring/oniguruma/regcomp.c, ext/mbstring/oniguruma/regexec.c, ext/mbstring/oniguruma/regparse.c, ext/mbstring/oniguruma/enc/unicode.c, and ext/mbstring/oniguruma/src/utf32_be.c when a multibyte regular expression pattern contains invalid multibyte sequences. Moderate CVE-2019-9023 SUSE bug 1126823 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. xmlrpc_decode() can allow a hostile XMLRPC server to cause PHP to read memory outside of allocated areas in base64_decode_xmlrpc in ext/xmlrpc/libxmlrpc/base64.c. Moderate CVE-2019-9024 SUSE bug 1126821 SUSE Linux Enterprise Server 11 SP3-TERADATA In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match. Moderate CVE-2019-9169 SUSE bug 1127308 SUSE bug 1146392 SUSE Linux Enterprise Server 11 SP3-TERADATA In the Linux kernel before 4.20.14, expand_downwards in mm/mmap.c lacks a check for the mmap minimum address, which makes it easier for attackers to exploit kernel NULL pointer dereferences on non-SMAP platforms. This is related to a capability check for the wrong task. Moderate CVE-2019-9213 SUSE bug 1128166 SUSE bug 1128378 SUSE bug 1129016 SUSE Linux Enterprise Server 11 SP3-TERADATA In the Android kernel in Pixel C USB monitor driver there is a possible OOB write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Moderate CVE-2019-9456 SUSE bug 1150025 SUSE Linux Enterprise Server 11 SP3-TERADATA Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly. Important CVE-2019-9636 SUSE bug 1129346 SUSE bug 1135433 SUSE bug 1138459 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. Due to the way rename() across filesystems is implemented, it is possible that file being renamed is briefly available with wrong permissions while the rename is ongoing, thus enabling unauthorized users to access the data. Low CVE-2019-9637 SUSE bug 1128892 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_MAKERNOTE because of mishandling the maker_note->offset relationship to value_len. Moderate CVE-2019-9638 SUSE bug 1128889 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_MAKERNOTE because of mishandling the data_len variable. Low CVE-2019-9639 SUSE bug 1128887 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an Invalid Read in exif_process_SOFn. Low CVE-2019-9640 SUSE bug 1128883 SUSE Linux Enterprise Server 11 SP3-TERADATA An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_TIFF. Moderate CVE-2019-9641 SUSE bug 1128722 SUSE Linux Enterprise Server 11 SP3-TERADATA ** DISPUTED ** An issue was discovered in PHP 7.x before 7.1.27 and 7.3.x before 7.3.3. phar_tar_writeheaders_int in ext/phar/tar.c has a buffer overflow via a long link value. NOTE: The vendor indicates that the link value is used only when an archive contains a symlink, which currently cannot happen: "This issue allows theoretical compromise of security, but a practical attack is usually impossible." Moderate CVE-2019-9675 SUSE bug 1128886 SUSE Linux Enterprise Server 11 SP3-TERADATA As part of a winning Pwn2Own entry, a researcher demonstrated a sandbox escape by installing a malicious language pack and then opening a browser feature that used the compromised translation. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. Important CVE-2019-9811 SUSE bug 1140868 SUSE Linux Enterprise Server 11 SP3-TERADATA ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Important CVE-2019-9812 SUSE bug 1149294 SUSE bug 1149323 SUSE bug 1149324 SUSE Linux Enterprise Server 11 SP3-TERADATA tcp_emu in slirp/tcp_subr.c (aka slirp/src/tcp_subr.c) in QEMU 3.0.0 uses uninitialized data in an snprintf call, leading to Information disclosure. Low CVE-2019-9824 SUSE bug 1118900 SUSE bug 1129622 SUSE bug 1129623 SUSE Linux Enterprise Server 11 SP3-TERADATA GStreamer before 1.16.0 has a heap-based buffer overflow in the RTSP connection parser via a crafted response from a server, potentially allowing remote code execution. Important CVE-2019-9928 SUSE bug 1133375 SUSE Linux Enterprise Server 11 SP3-TERADATA urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call. Low CVE-2019-9948 SUSE bug 1130847 SUSE bug 1135433 SUSE Linux Enterprise Server 11 SP3-TERADATA In ImageMagick 7.0.8-35 Q16, there is a stack-based buffer overflow in the function PopHexPixel of coders/ps.c, which allows an attacker to cause a denial of service or code execution via a crafted image file. CVE-2019-9956 SUSE bug 1130330