Security update for spice SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:0419-1 Final 1 1 2017-02-08T07:30:27Z current 2017-02-08T07:30:27Z 2017-02-08T07:30:27Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for spice This security update for spice fixes the following issues: - CVE-2016-9577: A buffer overflow in the spice server could have potentially been used by unauthenticated attackers to execute arbitrary code. (bsc#1023078) - CVE-2016-9578: Unauthenticated attackers could have caused a denial of service via a crafted message. (bsc#1023079) This update was imported from the SUSE:SLE-12-SP2:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2017-02/msg00014.html E-Mail link for openSUSE-SU-2017:0419-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.2 libspice-server-devel-0.12.7-3.1 libspice-server1-0.12.7-3.1 spice-0.12.7-3.1 spice-client-0.12.7-3.1 libspice-server-devel-0.12.7-3.1 as a component of openSUSE Leap 42.2 libspice-server1-0.12.7-3.1 as a component of openSUSE Leap 42.2 spice-0.12.7-3.1 as a component of openSUSE Leap 42.2 spice-client-0.12.7-3.1 as a component of openSUSE Leap 42.2 A vulnerability was discovered in SPICE before 0.13.90 in the server's protocol handling. An authenticated attacker could send crafted messages to the SPICE server causing a heap overflow leading to a crash or possible code execution. CVE-2016-9577 openSUSE Leap 42.2:libspice-server-devel-0.12.7-3.1 openSUSE Leap 42.2:libspice-server1-0.12.7-3.1 openSUSE Leap 42.2:spice-0.12.7-3.1 openSUSE Leap 42.2:spice-client-0.12.7-3.1 critical 10 AV:N/AC:L/Au:N/C:C/I:C/A:C Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-02/msg00014.html https://www.suse.com/security/cve/CVE-2016-9577.html CVE-2016-9577 https://bugzilla.suse.com/1023078 SUSE Bug 1023078 A vulnerability was discovered in SPICE before 0.13.90 in the server's protocol handling. An attacker able to connect to the SPICE server could send crafted messages which would cause the process to crash. CVE-2016-9578 openSUSE Leap 42.2:libspice-server-devel-0.12.7-3.1 openSUSE Leap 42.2:libspice-server1-0.12.7-3.1 openSUSE Leap 42.2:spice-0.12.7-3.1 openSUSE Leap 42.2:spice-client-0.12.7-3.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-02/msg00014.html https://www.suse.com/security/cve/CVE-2016-9578.html CVE-2016-9578 https://bugzilla.suse.com/1023078 SUSE Bug 1023078 https://bugzilla.suse.com/1023079 SUSE Bug 1023079