openSUSE Backports SLE vulnerabilities

325 known vulnerabilities affecting opensuse/backports_sle.

Total CVEs: 325
CISA KEV: 3 (actively exploited)
Public exploits: 8
Exploited in wild: 5
Severity breakdown: CRITICAL 27, HIGH 168, MEDIUM 129, LOW 1

Vulnerabilities

Page 13 of 17
CVE-2019-20012 MEDIUM CVSS 6.5 v15.0 2019-12-27
CWE-770: An issue was discovered in GNU LibreDWG 0.92. Crafted input will lead to an attempted excessive memory allocation in dwg_decode_HATCH_private in dwg.spec.
nvd
CVE-2019-19925 HIGH CVSS 7.5 v15.0 2019-12-24
CWE-434: zipfileUpdate in ext/misc/zipfile.c in SQLite 3.30.1 mishandles a NULL pathname during an update of a ZIP archive.
nvd
CVE-2019-19923 HIGH CVSS 7.5 v15.0 2019-12-24
CWE-476: flattenSubquery in select.c in SQLite 3.30.1 mishandles certain uses of SELECT DISTINCT involving a LEFT JOIN in which the right-hand side is a view. This can cause a NULL pointer dereference (or incorrect results).
nvd
CVE-2019-19926 HIGH CVSS 7.5 v15.0 2019-12-23
multiSelect in select.c in SQLite 3.30.1 mishandles certain errors during parsing, as demonstrated by errors from sqlite3WindowRewrite() calls. NOTE: this vulnerability exists because of an incomplete fix for CVE-2019-19880.
nvd
CVE-2019-19918 HIGH CVSS 7.8 v15.0 2019-12-20
CWE-787: Lout 3.40 has a heap-based buffer overflow in the srcnext() function in z02.c.
nvd
CVE-2019-19917 HIGH CVSS 7.8 v15.0 2019-12-20
CWE-120: Lout 3.40 has a buffer overflow in the StringQuotedWord() function in z39.c.
nvd
CVE-2019-19880 HIGH CVSS 7.5 v15.0 2019-12-18
CWE-476: exprListAppendList in window.c in SQLite 3.30.1 allows attackers to trigger an invalid pointer dereference because constant integer values in ORDER BY clauses of window definitions are mishandled.
nvd
CVE-2019-16779 MEDIUM CVSS 5.9 v15.0 2019-12-16
CWE-664: In RubyGem excon before 0.71.0, there was a race condition around persistent connections, where a connection which is interrupted (such as by a timeout) would leave data on the socket. Subsequent requests would then read this data, returning content from the previous response. The race condition window appears to be short, and it would be difficult
nvd
CVE-2019-13734 HIGH CVSS 8.8 v15.0 2019-12-10
CWE-787: Out of bounds write in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
nvd
CVE-2019-13764 HIGH CVSS 8.8 v15.0 2019-12-10
CWE-843: Type confusion in JavaScript in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
nvd
CVE-2019-13745 MEDIUM CVSS 6.5 v15.0 2019-12-10
Insufficient policy enforcement in audio in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
nvd
CVE-2019-5164 HIGH CVSS 7.8 v15.0 2019-12-03
CWE-306: An exploitable code execution vulnerability exists in the ss-manager binary of Shadowsocks-libev 3.3.2. Specially crafted network packets sent to ss-manager can cause an arbitrary binary to run, resulting in code execution and privilege escalation. An attacker can send network packets to trigger this vulnerability.
nvd
CVE-2019-14856 MEDIUM CVSS 6.5 v15.0 2019-11-26
CWE-287: ansible before versions 2.8.6, 2.7.14, 2.6.20 is vulnerable to a None
nvd
CVE-2019-13702 HIGH CVSS 7.8 v15.0 2019-11-25
CWE-269: Inappropriate implementation in installer in Google Chrome on Windows prior to 78.0.3904.70 allowed a local attacker to perform privilege escalation via a crafted executable.
nvd
CVE-2019-13699 HIGH CVSS 8.8 v15.0 2019-11-25
CWE-416: Use after free in media in Google Chrome prior to 78.0.3904.70 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.
nvd
CVE-2019-13700 HIGH CVSS 8.8 v15.0 2019-11-25
CWE-787: Out of bounds memory access in the gamepad API in Google Chrome prior to 78.0.3904.70 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.
nvd
CVE-2019-13706 HIGH CVSS 7.8 v15.0 2019-11-25
CWE-787: Out of bounds memory access in PDFium in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file.
nvd
CVE-2019-13715 MEDIUM CVSS 4.3 v15.0 2019-11-25
CWE-290: Insufficient validation of untrusted input in Omnibox in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name.
nvd
CVE-2019-13708 MEDIUM CVSS 4.3 v15.0 2019-11-25
CWE-290: Inappropriate implementation in navigation in Google Chrome on iOS prior to 78.0.3904.70 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
nvd
CVE-2019-13718 MEDIUM CVSS 4.3 v15.0 2019-11-25
Insufficient data validation in Omnibox in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name.
nvd