Security update for w3m

Announcement ID: SUSE-SU-2016:3053-1
Rating: moderate
References:
Cross-References:
CVSS scores:
  • CVE-2016-9434 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2016-9435 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2016-9436 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2016-9437 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2016-9438 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2016-9439 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2016-9440 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2016-9441 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2016-9442 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2016-9443 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2016-9622 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2016-9623 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2016-9624 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2016-9625 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2016-9626 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2016-9627 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2016-9628 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2016-9629 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2016-9630 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2016-9631 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2016-9632 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2016-9633 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Affected Products:
  • SUSE Linux Enterprise Desktop 12 SP1
  • SUSE Linux Enterprise Desktop 12 SP2
  • SUSE Linux Enterprise High Performance Computing 12 SP2
  • SUSE Linux Enterprise Server 12 SP1
  • SUSE Linux Enterprise Server 12 SP2
  • SUSE Linux Enterprise Server for SAP Applications 12 SP1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP2
  • SUSE Linux Enterprise Server for the Raspberry Pi 12-SP2

An update that solves 23 vulnerabilities can now be installed.

Description:

This update for w3m fixes the following issues:

  • update to debian git version (bsc#1011293) addressed security issues: CVE-2016-9622: w3m: null deref (bsc#1012021) CVE-2016-9623: w3m: null deref (bsc#1012022) CVE-2016-9624: w3m: near-null deref (bsc#1012023) CVE-2016-9625: w3m: stack overflow (bsc#1012024) CVE-2016-9626: w3m: stack overflow (bsc#1012025) CVE-2016-9627: w3m: heap overflow read + deref (bsc#1012026) CVE-2016-9628: w3m: null deref (bsc#1012027) CVE-2016-9629: w3m: null deref (bsc#1012028) CVE-2016-9630: w3m: global-buffer-overflow read (bsc#1012029) CVE-2016-9631: w3m: null deref (bsc#1012030) CVE-2016-9632: w3m: global-buffer-overflow read (bsc#1012031) CVE-2016-9633: w3m: OOM (bsc#1012032) CVE-2016-9434: w3m: null deref (bsc#1011283) CVE-2016-9435: w3m: use uninit value (bsc#1011284) CVE-2016-9436: w3m: use uninit value (bsc#1011285) CVE-2016-9437: w3m: write to rodata (bsc#1011286) CVE-2016-9438: w3m: null deref (bsc#1011287) CVE-2016-9439: w3m: stack overflow (bsc#1011288) CVE-2016-9440: w3m: near-null deref (bsc#1011289) CVE-2016-9441: w3m: near-null deref (bsc#1011290) CVE-2016-9442: w3m: potential heap buffer corruption (bsc#1011291) CVE-2016-9443: w3m: null deref (bsc#1011292)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Linux Enterprise Desktop 12 SP1
    zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1774=1
  • SUSE Linux Enterprise Desktop 12 SP2
    zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2016-1774=1
  • SUSE Linux Enterprise Server for the Raspberry Pi 12-SP2
    zypper in -t patch SUSE-SLE-RPI-12-SP2-2016-1774=1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP1
    zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1774=1
  • SUSE Linux Enterprise Server 12 SP1
    zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1774=1
  • SUSE Linux Enterprise High Performance Computing 12 SP2
    zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1774=1
  • SUSE Linux Enterprise Server 12 SP2
    zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1774=1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP2
    zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1774=1

Package List:

  • SUSE Linux Enterprise Desktop 12 SP1 (x86_64)
    • w3m-debugsource-0.5.3.git20161120-160.1
    • w3m-0.5.3.git20161120-160.1
    • w3m-debuginfo-0.5.3.git20161120-160.1
  • SUSE Linux Enterprise Desktop 12 SP2 (x86_64)
    • w3m-debugsource-0.5.3.git20161120-160.1
    • w3m-0.5.3.git20161120-160.1
    • w3m-debuginfo-0.5.3.git20161120-160.1
  • SUSE Linux Enterprise Server for the Raspberry Pi 12-SP2 (aarch64)
    • w3m-debugsource-0.5.3.git20161120-160.1
    • w3m-0.5.3.git20161120-160.1
    • w3m-debuginfo-0.5.3.git20161120-160.1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP1 (ppc64le x86_64)
    • w3m-debugsource-0.5.3.git20161120-160.1
    • w3m-0.5.3.git20161120-160.1
    • w3m-debuginfo-0.5.3.git20161120-160.1
  • SUSE Linux Enterprise Server 12 SP1 (ppc64le s390x x86_64)
    • w3m-debugsource-0.5.3.git20161120-160.1
    • w3m-0.5.3.git20161120-160.1
    • w3m-debuginfo-0.5.3.git20161120-160.1
  • SUSE Linux Enterprise High Performance Computing 12 SP2 (aarch64 x86_64)
    • w3m-debugsource-0.5.3.git20161120-160.1
    • w3m-0.5.3.git20161120-160.1
    • w3m-debuginfo-0.5.3.git20161120-160.1
  • SUSE Linux Enterprise Server 12 SP2 (aarch64 ppc64le s390x x86_64)
    • w3m-debugsource-0.5.3.git20161120-160.1
    • w3m-0.5.3.git20161120-160.1
    • w3m-debuginfo-0.5.3.git20161120-160.1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP2 (ppc64le x86_64)
    • w3m-debugsource-0.5.3.git20161120-160.1
    • w3m-0.5.3.git20161120-160.1
    • w3m-debuginfo-0.5.3.git20161120-160.1

References: