|
|
Subscribe / Log in / New account

SUSE alert SUSE-SU-2018:1602-1 (icu)



From:
    	      <sle-security-updates@lists.suse.com> 


To:
    	      <sle-security-updates@lists.suse.com> 


Subject:
    	      SUSE-SU-2018:1602-1: important: Security update for icu 


Date:
    	      Fri, 8 Jun 2018 15:08:53 +0200


Message-ID:
    	      <20180608130853.A971FFD2E@maintenance.suse.de>


   SUSE Security Update: Security update for icu
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:1602-1
Rating:             important
References:         #1034674 #1034678 #1067203 #1072193 #1077999 
                    #990636 
Cross-References:   CVE-2016-6293 CVE-2017-14952 CVE-2017-15422
                    CVE-2017-17484 CVE-2017-7867 CVE-2017-7868
                   
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that fixes 6 vulnerabilities is now available.

Description:

   This update for icu fixes the following issues:

   - CVE-2016-6293: The uloc_acceptLanguageFromHTTP function in
     common/uloc.cpp did not ensure that there is a '\0' character at the end
     of a certain temporary array, which allows remote attackers to cause a
     denial of service (out-of-bounds read) or possibly have unspecified
     other impact via a call with a long httpAcceptLanguage argument.
     (bsc#990636)
   - CVE-2017-7868: ICU had an out-of-bounds write caused by a heap-based
     buffer overflow related to the utf8TextAccess function in
     common/utext.cpp and the utext_moveIndex32* function. (bsc#1034674)
   - CVE-2017-7867: ICU had an out-of-bounds write caused by a heap-based
     buffer overflow related to the utf8TextAccess function in
     common/utext.cpp and the utext_setNativeIndex* function. (bsc#1034678)
   - CVE-2017-14952: Double free in i18n/zonemeta.cpp allowed remote
     attackers to execute arbitrary code via a crafted string, aka a
     "redundant UVector entry clean up function call" issue. (bsc#1067203)
   - CVE-2017-17484:The ucnv_UTF8FromUTF8 function in ucnv_u8.cpp mishandled
     ucnv_convertEx calls for UTF-8 to UTF-8 conversion, which allows remote
     attackers to cause a denial of service (stack-based buffer overflow and
     application crash) or possibly have unspecified other impact via a
     crafted string, as demonstrated by ZNC. (bsc#1072193)
   - CVE-2017-15422: An integer overflow in persian calendar calculation was
     fixed, which could show wrong years. (bsc#1077999)


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11-SP4:

      zypper in -t patch sdksp4-icu-13646=1

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-icu-13646=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-icu-13646=1



Package List:

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      libicu-devel-4.0-47.6.1

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (ppc64 s390x x86_64):

      libicu-devel-32bit-4.0-47.6.1

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 x86_64):

      icu-4.0-47.6.1

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (x86_64):

      libicu-32bit-4.0-47.6.1

   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      libicu-4.0-47.6.1
      libicu-doc-4.0-47.6.1

   - SUSE Linux Enterprise Server 11-SP4 (ppc64 s390x x86_64):

      libicu-32bit-4.0-47.6.1

   - SUSE Linux Enterprise Server 11-SP4 (ia64):

      libicu-x86-4.0-47.6.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      icu-debuginfo-4.0-47.6.1
      icu-debugsource-4.0-47.6.1


References:

   https://www.suse.com/security/cve/CVE-2016-6293.html
   https://www.suse.com/security/cve/CVE-2017-14952.html
   https://www.suse.com/security/cve/CVE-2017-15422.html
   https://www.suse.com/security/cve/CVE-2017-17484.html
   https://www.suse.com/security/cve/CVE-2017-7867.html
   https://www.suse.com/security/cve/CVE-2017-7868.html
   https://bugzilla.suse.com/1034674
   https://bugzilla.suse.com/1034678
   https://bugzilla.suse.com/1067203
   https://bugzilla.suse.com/1072193
   https://bugzilla.suse.com/1077999
   https://bugzilla.suse.com/990636

_______________________________________________
sle-security-updates mailing list
sle-security-updates@lists.suse.com
http://lists.suse.com/mailman/listinfo/sle-security-updates
to post comments


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds