9377 Security update for icingaweb2 moderate openSUSE Backports SLE-12

This update for icingaweb2 to version 2.6.2 fixes the following issues:

Security vulnerabilities fixed:
- CVE-2018-18246: Fixed a cross-site request forgery (CSRF), which could be used to enable or disable modules (boo#1119784)
- CVE-2018-18247: Fixed a cross-site scripting (XSS) vulnerability via the /icingaweb2/navigation/add icon parameter (boo#1119785)
- CVE-2018-18248: Fixed a cross-site scripting (XSS) vulnerability via the /icingaweb2/monitoring/list/services dir parameter, the /icingaweb2/user/list query string, the /icingaweb2/monitoring/timeline query string, or the /icingaweb2/setup query string (boo#1119801)
- CVE-2018-18249: Fixed injection of PHP ini-file directives via vectors involving environment variables (boo#1119799)
- CVE-2018-18250: Fixed allowance of parameters that break navigation dashlets (boo#1119800)

Other bugs fixed:
- Database connections to MySQL 8 no longer fail
- LDAP connections now have a timeout configuration which defaults to 5 seconds
- User groups are now correctly loaded for externally authenticated users
- Filters are respected for all links in the host and service group overviews
- Fixed permission problems where host and service actions provided by modules were missing
- Fixed an SQL error in the contact list view when filtering for host groups
- Fixed time zone (DST) detection
- Fixed the contact details view if restrictions are active
- Add README.SUSE.
- The command audit now logs a command's payload as JSON
- Support for PHP 7.2 added
- Support for SQLite resources added
- Removed support for PHP < 5.6
- Removed support for persistent database connections
- Login and Command (monitoring) auditing added with the help of a dedicated module
- Pluginoutput rendering is now hookable by modules, which allows rendering custom icons, emojis and .. cute kitties :octocat:
- Refined user interface
- More powerful REST API

For a full list of changes, please refer to: https://github.com/Icinga/icingaweb2/releases

icingacli-2.6.2-5.1.noarch.rpm
icingaweb2-2.6.2-5.1.noarch.rpm
icingaweb2-2.6.2-5.1.src.rpm
icingaweb2-common-2.6.2-5.1.noarch.rpm
icingaweb2-vendor-HTMLPurifier-2.6.2-5.1.noarch.rpm
icingaweb2-vendor-JShrink-2.6.2-5.1.noarch.rpm
icingaweb2-vendor-Parsedown-2.6.2-5.1.noarch.rpm
icingaweb2-vendor-dompdf-2.6.2-5.1.noarch.rpm
icingaweb2-vendor-lessphp-2.6.2-5.1.noarch.rpm
icingaweb2-vendor-zf1-2.6.2-5.1.noarch.rpm
php-Icinga-2.6.2-5.1.noarch.rpm

9819 Security update for tor moderate openSUSE Backports SLE-12

This update for tor to version 0.3.4.11 fixes the following issues:

Security issue fixed:
- CVE-2019-8955: Fixed a vulnerability in the KIST cell scheduler which could lead to memory exhaustion and finally Denial-of-Service (bsc#1126340).

tor-0.3.4.11-20.1.src.rpm
tor-0.3.4.11-20.1.x86_64.rpm
tor-0.3.4.11-20.1.aarch64.rpm
tor-0.3.4.11-20.1.ppc64le.rpm
tor-0.3.4.11-20.1.s390x.rpm

9825 Recommended update for re2 moderate openSUSE Backports SLE-12

This update for re2 fixes the following issues:

re2 was updated to 2019-03-01:
* developer visible changes, performance tweaks and bug fixes

libre2-0-20190301-22.1.x86_64.rpm
libre2-0-debuginfo-20190301-22.1.x86_64.rpm
re2-20190301-22.1.src.rpm
re2-debugsource-20190301-22.1.x86_64.rpm
re2-devel-20190301-22.1.x86_64.rpm
libre2-0-20190301-22.1.aarch64.rpm
libre2-0-debuginfo-20190301-22.1.aarch64.rpm
re2-debugsource-20190301-22.1.aarch64.rpm
re2-devel-20190301-22.1.aarch64.rpm
libre2-0-20190301-22.1.ppc64le.rpm
libre2-0-debuginfo-20190301-22.1.ppc64le.rpm
re2-debugsource-20190301-22.1.ppc64le.rpm
re2-devel-20190301-22.1.ppc64le.rpm
libre2-0-20190301-22.1.s390x.rpm
libre2-0-debuginfo-20190301-22.1.s390x.rpm
re2-debugsource-20190301-22.1.s390x.rpm
re2-devel-20190301-22.1.s390x.rpm

9897 Security update for ansible moderate openSUSE Backports SLE-12

This update for ansible to version 2.7.8 fixes the following issues:

Security issues fixed:
- CVE-2018-16837: Fixed an information leak in user module (bsc#1112959).
- CVE-2018-16859: Fixed an issue which could allow logging of password in plaintext in Windows PowerShell (bsc#1116587).
- CVE-2019-3828: Fixed a path traversal vulnerability in fetch module (bsc#1126503).
- CVE-2018-10875: Fixed a potential code execution in ansible.cfg (bsc#1099808).
- CVE-2018-16876: Fixed an issue which could allow information disclosure in vvv+ mode with no_log on (bsc#1118896).

Other issues addressed:
- prepare update to 2.7.8 for multiple releases (boo#1102126, boo#1109957)

Release notes: https://github.com/ansible/ansible/blob/stable-2.7/changelogs/CHANGELOG-v2.7.rst#id1

ansible-2.7.8-9.1.noarch.rpm
ansible-2.7.8-9.1.src.rpm

9933 Security update for MozillaThunderbird critical openSUSE Backports SLE-12

This update for MozillaThunderbird fixes the following issues:

Security issues fixed:
- Update to MozillaThunderbird 60.6.1 (bsc#1130262):
  - CVE-2019-9813: Fixed IonMonkey type confusion with __proto__ mutations
  - CVE-2019-9810: Fixed IonMonkey MArraySlice incorrect alias information
- Update to MozillaThunderbird 60.6 (bsc#1129821):
  - CVE-2018-18506: Fixed an issue with Proxy Auto-Configuration file
  - CVE-2019-9801: Fixed an issue which could allow Windows programs to be exposed to web content
  - CVE-2019-9788: Fixed multiple memory safety bugs
  - CVE-2019-9790: Fixed a use-after-free vulnerability when removing in-use DOM elements
  - CVE-2019-9791: Fixed an incorrect type inference for constructors entered through on-stack replacement with IonMonkey
  - CVE-2019-9792: Fixed an issue where IonMonkey leaks JS_OPTIMIZED_OUT magic value to script
  - CVE-2019-9793: Fixed multiple improper bounds checks when Spectre mitigations are disabled
  - CVE-2019-9794: Fixed an issue where command line arguments were not discarded during execution
  - CVE-2019-9795: Fixed a type-confusion vulnerability in IonMonkey JIT compiler
  - CVE-2019-9796: Fixed a use-after-free vulnerability in SMIL animation controller

Release notes:
https://www.mozilla.org/en-US/security/advisories/mfsa2019-12/
https://www.mozilla.org/en-US/security/advisories/mfsa2019-11/

MozillaThunderbird-60.6.1-82.1.src.rpm
MozillaThunderbird-60.6.1-82.1.x86_64.rpm
MozillaThunderbird-buildsymbols-60.6.1-82.1.x86_64.rpm
MozillaThunderbird-translations-common-60.6.1-82.1.x86_64.rpm
MozillaThunderbird-translations-other-60.6.1-82.1.x86_64.rpm

9934 Security update for znc low openSUSE Backports SLE-12

This update for znc to version 1.7.2 fixes the following issue:

Security issue fixed:
- CVE-2019-9917: Fixed an issue where due to invalid encoding znc was crashing (bsc#1130360).

znc-1.7.2-23.1.src.rpm
znc-1.7.2-23.1.x86_64.rpm
znc-devel-1.7.2-23.1.x86_64.rpm
znc-lang-1.7.2-23.1.noarch.rpm
znc-perl-1.7.2-23.1.x86_64.rpm
znc-python3-1.7.2-23.1.x86_64.rpm
znc-tcl-1.7.2-23.1.x86_64.rpm
znc-1.7.2-23.1.aarch64.rpm
znc-devel-1.7.2-23.1.aarch64.rpm
znc-perl-1.7.2-23.1.aarch64.rpm
znc-python3-1.7.2-23.1.aarch64.rpm
znc-tcl-1.7.2-23.1.aarch64.rpm
znc-1.7.2-23.1.ppc64le.rpm
znc-devel-1.7.2-23.1.ppc64le.rpm
znc-perl-1.7.2-23.1.ppc64le.rpm
znc-python3-1.7.2-23.1.ppc64le.rpm
znc-tcl-1.7.2-23.1.ppc64le.rpm
znc-1.7.2-23.1.s390x.rpm
znc-devel-1.7.2-23.1.s390x.rpm
znc-perl-1.7.2-23.1.s390x.rpm
znc-python3-1.7.2-23.1.s390x.rpm
znc-tcl-1.7.2-23.1.s390x.rpm