openSUSE Backports SLE vulnerabilities

325 known vulnerabilities affecting opensuse/backports_sle.

Total CVEs: 325
CISA KEV: 3 (actively exploited)
Public exploits: 8
Exploited in wild: 5
Severity breakdown: CRITICAL 27, HIGH 168, MEDIUM 129, LOW 1

Vulnerabilities

Page 16 of 17
CVE-2019-9494 | MEDIUM | CVSS 5.9 | v15.0 | 2019-04-17
CVE-2019-9494 [MEDIUM] CWE-208: The implementations of SAE in hostapd and wpa_supplicant are vulnerable to side channel attacks as a result of observable timing differences and cache access patterns. An attacker may be able to gain leaked information from a side channel attack that can be used for full password recovery. Both hostapd with SAE support and wpa_supplicant with SAE supp
nvd
CVE-2019-9495 | LOW | CVSS 3.7 | v15.0 | 2019-04-17
CVE-2019-9495 [LOW] CWE-524: The implementations of EAP-PWD in hostapd and wpa_supplicant are vulnerable to side-channel attacks as a result of cache access patterns. All versions of hostapd and wpa_supplicant with EAP-PWD support are vulnerable. The ability to install and execute applications is necessary for a successful attack. Memory access patterns are visible in a shared cache.
nvd
CVE-2019-11007 | HIGH | CVSS 8.1 | v15.0 | 2019-04-08
CVE-2019-11007 [HIGH] CWE-125: In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a heap-based buffer over-read in the ReadMNGImage function of coders/png.c, which allows attackers to cause a denial of service or information disclosure via an image colormap.
nvd
CVE-2019-11008 | HIGH | CVSS 8.8 | v15.0 | 2019-04-08
CVE-2019-11008 [HIGH] CWE-787: In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a heap-based buffer overflow in the function WriteXWDImage of coders/xwd.c, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image file.
nvd
CVE-2019-10740 | MEDIUM | CVSS 4.3 | v15.0 | 2019-04-07
CVE-2019-10740 [MEDIUM] CWE-319: In Roundcube Webmail before 1.3.10, an attacker in possession of S/MIME or PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. The encrypted part(s) can further be hidden using HTML/CSS or ASCII newline characters. This modified multipart email can be re-sent by the attacker to the intended receiver. If the receiver repl
nvd
CVE-2019-9896 | HIGH | CVSS 7.8 | v15.0 | 2019-03-21
CVE-2019-9896 [HIGH] CWE-427: In PuTTY versions before 0.71 on Windows, local attackers could hijack the application by putting a malicious help file in the same directory as the executable.
nvd
CVE-2019-9775 | CRITICAL | CVSS 9.1 | v15.0 | 2019-03-14
CVE-2019-9775 [CRITICAL] CWE-125: An issue was discovered in GNU LibreDWG 0.7 and 0.7.1645. There is an out-of-bounds read in the function dwg_dxf_BLOCK_CONTROL at dwg.spec.
nvd
CVE-2019-9774 | CRITICAL | CVSS 9.1 | v15.0 | 2019-03-14
CVE-2019-9774 [CRITICAL] CWE-125: An issue was discovered in GNU LibreDWG 0.7 and 0.7.1645. There is an out-of-bounds read in the function bit_read_B at bits.c.
nvd
CVE-2019-9779 | HIGH | CVSS 7.5 | v15.0 | 2019-03-14
CVE-2019-9779 [HIGH]: An issue was discovered in GNU LibreDWG 0.7 and 0.7.1645. There is a NULL pointer dereference in the function dwg_dxf_LTYPE at dwg.spec (earlier than CVE-2019-9776).
nvd
CVE-2019-9771 | HIGH | CVSS 7.5 | v15.0 | 2019-03-14
CVE-2019-9771 [HIGH] CWE-476: An issue was discovered in GNU LibreDWG 0.7 and 0.7.1645. There is a NULL pointer dereference in the function bit_convert_TU at bits.c.
nvd
CVE-2019-9770 | HIGH | CVSS 7.5 | v15.0 | 2019-03-14
CVE-2019-9770 [HIGH] CWE-787: An issue was discovered in GNU LibreDWG 0.7 and 0.7.1645. There is a heap-based buffer overflow in the function dwg_decode_eed_data at decode.c for the y dimension.
nvd
CVE-2019-9777 | HIGH | CVSS 7.5 | v15.0 | 2019-03-14
CVE-2019-9777 [HIGH] CWE-125: An issue was discovered in GNU LibreDWG 0.7 and 0.7.1645. There is a heap-based buffer over-read in the function dxf_header_write at header_variables_dxf.spec.
nvd
CVE-2019-9776 | HIGH | CVSS 7.5 | v15.0 | 2019-03-14
CVE-2019-9776 [HIGH] CWE-476: An issue was discovered in GNU LibreDWG 0.7 and 0.7.1645. There is a NULL pointer dereference in the function dwg_dxf_LTYPE at dwg.spec (later than CVE-2019-9779).
nvd
CVE-2019-9773 | HIGH | CVSS 7.5 | v15.0 | 2019-03-14
CVE-2019-9773 [HIGH] CWE-787: An issue was discovered in GNU LibreDWG 0.7 and 0.7.1645. There is a heap-based buffer overflow in the function dwg_decode_eed_data at decode.c for the z dimension.
nvd
CVE-2019-9778 | HIGH | CVSS 7.5 | v15.0 | 2019-03-14
CVE-2019-9778 [HIGH] CWE-125: An issue was discovered in GNU LibreDWG 0.7 and 0.7.1645. There is a heap-based buffer over-read in the function dwg_dxf_LTYPE at dwg.spec.
nvd
CVE-2019-9772 | HIGH | CVSS 7.5 | v15.0 | 2019-03-14
CVE-2019-9772 [HIGH] CWE-476: An issue was discovered in GNU LibreDWG 0.7 and 0.7.1645. There is a NULL pointer dereference in the function dwg_dxf_LEADER at dwg.spec.
nvd
CVE-2019-9752 | MEDIUM | CVSS 5.4 | v15.0 | 2019-03-13
CVE-2019-9752 [MEDIUM] CWE-79: An issue was discovered in Open Ticket Request System (OTRS) 5.x before 5.0.34, 6.x before 6.0.16, and 7.x before 7.0.4. An attacker who is logged into OTRS as an agent or a customer user may upload a carefully crafted resource in order to cause execution of JavaScript in the context of OTRS. This is related to Content-type mishandling in Kernel/Module
nvd
CVE-2019-9215 | CRITICAL | CVSS 9.8 | v15.0 | 2019-02-28
CVE-2019-9215 [CRITICAL]: In Live555 before 2019.02.27, malformed headers lead to invalid memory access in the parseAuthorizationHeader function.
nvd
CVE-2019-7164 | CRITICAL | CVSS 9.8 | v15.0 | 2019-02-20
CVE-2019-7164 [CRITICAL] CWE-89: SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter.
nvd
CVE-2019-5736 | HIGH | CVSS 8.6 | PoC | v15.0 | 2019-02-11
CVE-2019-5736 [HIGH] CWE-78: runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to whi
nvd