Security update for flex, at, libbonobo, netpbm, openslp, sgmltool, virtuoso SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:2450-1 Final 1 1 2016-10-04T11:16:00Z current 2016-10-04T11:16:00Z 2016-10-04T11:16:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for flex, at, libbonobo, netpbm, openslp, sgmltool, virtuoso Various packages included vulnerable parsers generated by 'flex'. This update provides a fixed 'flex' package and also rebuilds of packages that might have security issues caused by the auto generated code. Flex itself was updated to fix a buffer overflow in the generated scanner (bsc#990856, CVE-2016-6354) Packages that were rebuilt with the fixed flex: - at - libbonobo - netpbm - openslp - sgmltool - virtuoso Some more packages might also need to be rebuild to receive a new flex parser, but will be released later. This update was imported from the SUSE:SLE-12:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2016-10/msg00015.html E-Mail link for openSUSE-SU-2016:2450-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.1 at-3.1.14-9.2 flex-2.5.37-11.1 flex-32bit-2.5.37-11.1 libbonobo-2.32.1-19.1 libbonobo-32bit-2.32.1-19.1 libbonobo-devel-2.32.1-19.1 libbonobo-doc-2.32.1-19.1 libbonobo-lang-2.32.1-19.1 libnetpbm-devel-10.66.3-6.1 libnetpbm11-10.66.3-6.1 libnetpbm11-32bit-10.66.3-6.1 netpbm-10.66.3-6.1 openslp-2.0.0-14.1 openslp-32bit-2.0.0-14.1 openslp-devel-2.0.0-14.1 openslp-server-2.0.0-14.1 sgmltool-1.0.9-1078.1 virtuoso-6.1.6-13.1 virtuoso-drivers-6.1.6-13.1 virtuoso-server-6.1.6-13.1 at-3.1.14-9.2 as a component of openSUSE Leap 42.1 flex-2.5.37-11.1 as a component of openSUSE Leap 42.1 flex-32bit-2.5.37-11.1 as a component of openSUSE Leap 42.1 libbonobo-2.32.1-19.1 as a component of openSUSE Leap 42.1 libbonobo-32bit-2.32.1-19.1 as a component of openSUSE Leap 42.1 libbonobo-devel-2.32.1-19.1 as a component of openSUSE Leap 42.1 libbonobo-doc-2.32.1-19.1 as a component of openSUSE Leap 42.1 libbonobo-lang-2.32.1-19.1 as a component of openSUSE Leap 42.1 libnetpbm-devel-10.66.3-6.1 as a component of openSUSE Leap 42.1 libnetpbm11-10.66.3-6.1 as a component of openSUSE Leap 42.1 libnetpbm11-32bit-10.66.3-6.1 as a component of openSUSE Leap 42.1 netpbm-10.66.3-6.1 as a component of openSUSE Leap 42.1 openslp-2.0.0-14.1 as a component of openSUSE Leap 42.1 openslp-32bit-2.0.0-14.1 as a component of openSUSE Leap 42.1 openslp-devel-2.0.0-14.1 as a component of openSUSE Leap 42.1 openslp-server-2.0.0-14.1 as a component of openSUSE Leap 42.1 sgmltool-1.0.9-1078.1 as a component of openSUSE Leap 42.1 virtuoso-6.1.6-13.1 as a component of openSUSE Leap 42.1 virtuoso-drivers-6.1.6-13.1 as a component of openSUSE Leap 42.1 virtuoso-server-6.1.6-13.1 as a component of openSUSE Leap 42.1 Heap-based buffer overflow in the yy_get_next_buffer function in Flex before 2.6.1 might allow context-dependent attackers to cause a denial of service or possibly execute arbitrary code via vectors involving num_to_read. CVE-2016-6354 openSUSE Leap 42.1:at-3.1.14-9.2 openSUSE Leap 42.1:flex-2.5.37-11.1 openSUSE Leap 42.1:flex-32bit-2.5.37-11.1 openSUSE Leap 42.1:libbonobo-2.32.1-19.1 openSUSE Leap 42.1:libbonobo-32bit-2.32.1-19.1 openSUSE Leap 42.1:libbonobo-devel-2.32.1-19.1 openSUSE Leap 42.1:libbonobo-doc-2.32.1-19.1 openSUSE Leap 42.1:libbonobo-lang-2.32.1-19.1 openSUSE Leap 42.1:libnetpbm-devel-10.66.3-6.1 openSUSE Leap 42.1:libnetpbm11-10.66.3-6.1 openSUSE Leap 42.1:libnetpbm11-32bit-10.66.3-6.1 openSUSE Leap 42.1:netpbm-10.66.3-6.1 openSUSE Leap 42.1:openslp-2.0.0-14.1 openSUSE Leap 42.1:openslp-32bit-2.0.0-14.1 openSUSE Leap 42.1:openslp-devel-2.0.0-14.1 openSUSE Leap 42.1:openslp-server-2.0.0-14.1 openSUSE Leap 42.1:sgmltool-1.0.9-1078.1 openSUSE Leap 42.1:virtuoso-6.1.6-13.1 openSUSE Leap 42.1:virtuoso-drivers-6.1.6-13.1 openSUSE Leap 42.1:virtuoso-server-6.1.6-13.1 low 1.9 AV:L/AC:M/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-10/msg00015.html https://www.suse.com/security/cve/CVE-2016-6354.html CVE-2016-6354 https://bugzilla.suse.com/1026047 SUSE Bug 1026047 https://bugzilla.suse.com/1035082 SUSE Bug 1035082 https://bugzilla.suse.com/1035209 SUSE Bug 1035209 https://bugzilla.suse.com/990856 SUSE Bug 990856