openSUSE Backports SLE vulnerabilities
325 known vulnerabilities affecting opensuse/backports_sle.
Total CVEs: 325
CISA KEV: 3 (actively exploited)
Public exploits: 8
Exploited in wild: 5
Severity breakdown: CRITICAL 27, HIGH 168, MEDIUM 129, LOW 1
Vulnerabilities
Page 14 of 17
CVE-2019-13716 | MEDIUM | CVSS 4.3 | v15.0 | 2019-11-25 | CWE-863
Insufficient policy enforcement in service workers in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
nvd
CVE-2019-13719 | MEDIUM | CVSS 4.3 | v15.0 | 2019-11-25 | CWE-922
Incorrect security UI in full screen mode in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to hide security UI via a crafted HTML page.
nvd
CVE-2019-13714 | MEDIUM | CVSS 6.1 | v15.0 | 2019-11-25 | CWE-94
Insufficient validation of untrusted input in Color Enhancer extension in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to inject CSS into an HTML page via a crafted URL.
nvd
CVE-2019-13703 | MEDIUM | CVSS 4.3 | v15.0 | 2019-11-25 | CWE-290
Insufficient policy enforcement in the Omnibox in Google Chrome on Android prior to 78.0.3904.70 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
nvd
CVE-2019-13710 | MEDIUM | CVSS 4.3 | v15.0 | 2019-11-25
Insufficient validation of untrusted input in downloads in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to bypass download restrictions via a crafted HTML page.
nvd
CVE-2019-13717 | MEDIUM | CVSS 4.3 | v15.0 | 2019-11-25 | CWE-922
Incorrect security UI in full screen mode in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to hide security UI via a crafted HTML page.
nvd
CVE-2019-13709 | MEDIUM | CVSS 6.5 | v15.0 | 2019-11-25 | CWE-290
Insufficient policy enforcement in downloads in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to bypass download restrictions via a crafted HTML page.
nvd
CVE-2019-13704 | MEDIUM | CVSS 4.3 | v15.0 | 2019-11-25 | CWE-290
Insufficient policy enforcement in navigation in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to bypass content security policy via a crafted HTML page.
nvd
CVE-2019-13701 | MEDIUM | CVSS 4.3 | v15.0 | 2019-11-25 | CWE-290
Incorrect implementation in navigation in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
nvd
CVE-2019-18622 | CRITICAL | CVSS 9.8 | v15.0 | 2019-11-22 | CWE-89
An issue was discovered in phpMyAdmin before 4.9.2. A crafted database/table name can be used to trigger a SQL injection attack through the designer feature.
nvd
CVE-2019-10206 | MEDIUM | CVSS 6.5 | v15.0 | 2019-11-22 | CWE-522
ansible-playbook -k and ansible cli tools, all versions 2.8.x before 2.8.4, all 2.7.x before 2.7.13 and all 2.6.x before 2.6.19, prompt passwords by expanding them from templates as they could contain special characters. Passwords should be wrapped to prevent templates from triggering and exposing them.
nvd
CVE-2019-17545 | CRITICAL | CVSS 9.8 | v15.0 | 2019-10-14 | CWE-415
GDAL through 3.0.1 has a poolDestroy double free in OGRExpatRealloc in ogr/ogr_expat.cpp when the 10MB threshold is exceeded.
nvd
CVE-2019-17455 | CRITICAL | CVSS 9.8 | v15.0 | 2019-10-10 | CWE-125
Libntlm through 1.5 relies on a fixed buffer size for tSmbNtlmAuthRequest, tSmbNtlmAuthChallenge, and tSmbNtlmAuthResponse read and write operations, as demonstrated by a stack-based buffer over-read in buildSmbNtlmAuthRequest in smbutil.c for a crafted NTLM request.
nvd
CVE-2019-14846 | HIGH | CVSS 7.8 | v15.0 | 2019-10-08 | CWE-117
In Ansible, all Ansible Engine versions up to ansible-engine 2.8.5, ansible-engine 2.7.13, ansible-engine 2.6.19, were logging at the DEBUG level, which led to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those are executed in a separate process.
nvd
CVE-2019-11779 | MEDIUM | CVSS 6.5 | v15.0 | 2019-09-19 | CWE-754
In Eclipse Mosquitto 1.5.0 to 1.6.5 inclusive, if a malicious MQTT client sends a SUBSCRIBE packet containing a topic that consists of approximately 65400 or more '/' characters, i.e. the topic hierarchy separator, then a stack overflow will occur.
nvd
CVE-2019-16159 | HIGH | CVSS 7.5 | v15.0 | 2019-09-09 | CWE-787
BIRD Internet Routing Daemon 1.6.x through 1.6.7 and 2.x through 2.0.5 has a stack-based buffer overflow. The BGP daemon's support for RFC 8203 administrative shutdown communication messages included an incorrect logical expression when checking the validity of an input message. Sending a shutdown communication with a sufficient message length causes
nvd
CVE-2016-10937 | HIGH | CVSS 7.5 | v15.0 | 2019-09-08 | CWE-295
IMAPFilter through 2.6.12 does not validate the hostname in an SSL certificate.
nvd
CVE-2019-14744 | HIGH | CVSS 7.8 | v15.0 | 2019-08-07 | CWE-78
In KDE Frameworks KConfig before 5.61.0, malicious desktop files and configuration files lead to code execution with minimal user interaction. This relates to libKF5ConfigCore.so, and the mishandling of .desktop and .directory files, as demonstrated by a shell command on an Icon line in a .desktop file.
nvd
CVE-2019-5058 | HIGH | CVSS 8.8 | v15.0 | 2019-07-31 | CWE-122
An exploitable code execution vulnerability exists in the XCF image rendering functionality of SDL2_image 2.0.4. A specially crafted XCF image can cause a heap overflow, resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability.
nvd
CVE-2019-5057 | HIGH | CVSS 8.8 | v15.0 | 2019-07-31 | CWE-122
An exploitable code execution vulnerability exists in the PCX image-rendering functionality of SDL2_image 2.0.4. A specially crafted PCX image can cause a heap overflow, resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability.
nvd