SUSE SLED15 / SLES15 Security Update : libepubgen, liblangtag, libmwaw, libnumbertext, libreoffice, libstaroffice, libwps, myspell-dictionaries, xmlsec1 (SUSE-SU-2018:3683-1)

high Nessus Plugin ID 120160

Language:

Synopsis

The remote SUSE host is missing one or more security updates.

Description

This update for LibreOffice, libepubgen, liblangtag, libmwaw, libnumbertext, libstaroffice, libwps, myspell-dictionaries, xmlsec1 fixes the following issues :

LibreOffice was updated to 6.1.3.2 (fate#326624) and contains new features and lots of bugfixes :

The full changelog can be found on :

https://wiki.documentfoundation.org/ReleaseNotes/6.1

Bugfixes :

bsc#1095639 Exporting to PPTX results in vertical labels being shown horizontally

bsc#1098891 Table in PPTX misplaced and partly blue

bsc#1088263 Labels in chart change (from white and other colors) to black when saving as PPTX

bsc#1095601 Exporting to PPTX shifts arrow shapes quite a bit

Add more translations :

- Belarusian

- Bodo

- Dogri

- Frisian

- Gaelic

- Paraguayan_Guaran

- Upper_Sorbian

- Konkani

- Kashmiri

- Luxembourgish

- Monglolian

- Manipuri

- Burnese

- Occitan

- Kinyarwanda

- Santali

- Sanskrit

- Sindhi

- Sidamo

- Tatar

- Uzbek

- Upper Sorbian

- Venetian

- Amharic

- Asturian

- Tibetian

- Bosnian

- English GB

- English ZA

- Indonesian

- Icelandic

- Georgian

- Khmer

- Lao

- Macedonian

- Nepali

- Oromo

- Albanian

- Tajik

- Uyghur

- Vietnamese

- Kurdish

Try to build all languages see bsc#1096360

Make sure to install the KDE5/Qt5 UI/filepicker

Try to implement safeguarding to avoid bsc#1050305

Disable base-drivers-mysql as it needs mysqlcppcon that is only for mysql and not mariadb, causes issues bsc#1094779

- Users can still connect using jdbc/odbc

Fix java detection on machines with too many cpus

CVE-2018-10583: An information disclosure vulnerability occured when LibreOffice automatically processed and initiated an SMB connection embedded in a malicious file, as demonstrated by xlink:href=file://192.168.0.2/test.jpg within an office:document-content element in a .odt XML document. (bsc#1091606)

libepubgen was updated to 0.1.1: Avoid <div> inside or <span>.Avoid writin vertical-align attribute without a value.

Fix generation of invalid XHTML when there is a link starting at the beginning of a footnote.

Handle relative width for images.

Fixed layout: write chapter names to improve navigation.

Support writing mode.

Start a new HTML file at every page span in addition to the splits induced by the chosen split method. This is to ensure that specified writing mode works correctly, as it is HTML attribute.

liblangtag was updated to 0.6.2: use standard function

fix leak in test

libmwaw was updated to 0.3.14: Support MS Multiplan 1.1 files

libnumbertext was update to 1.0.5: Various fixes in numerical calculations and issues reported on libreoffice tracker

libstaroffice was updated to 0.0.6: retrieve some StarMath's formula,

retrieve some charts as graphic,

retrieve some fields in sda/sdc/sdp text-boxes,

.sdw: retrieve more attachments.

libwps was updated to 0.4.9: QuattroPro: add parser to .wb3 files

Multiplan: add parser to DOS v1-v3 files

charts: try to retrieve charts in .wk*, .wq* files

QuattroPro: add parser to .wb[12] files

myspell-dictionaries was updated to 20181025: Turkish dictionary added

Updated French dictionary

xmlsec1 was updated to 1.2.26: Added xmlsec-mscng module based on Microsoft Cryptography API: Next Generation

Added support for GOST 2012 and fixed CryptoPro CSP provider for GOST R 34.10-2001 in xmlsec-mscrypto

</span>

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or 'zypper patch'.

Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Workstation Extension 15:zypper in -t patch SUSE-SLE-Product-WE-15-2018-2616=1

SUSE Linux Enterprise Module for Packagehub Subpackages 15:zypper in
-t patch SUSE-SLE-Module-Packagehub-Subpackages-15-2018-2616=1

SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2018-2616=1

SUSE Linux Enterprise Module for Basesystem 15:zypper in -t patch SUSE-SLE-Module-Basesystem-15-2018-2616=1

See Also

https://bugzilla.suse.com/show_bug.cgi?id=1050305

https://bugzilla.suse.com/show_bug.cgi?id=1088263

https://bugzilla.suse.com/show_bug.cgi?id=1091606

https://bugzilla.suse.com/show_bug.cgi?id=1094779

https://bugzilla.suse.com/show_bug.cgi?id=1095601

https://bugzilla.suse.com/show_bug.cgi?id=1095639

https://bugzilla.suse.com/show_bug.cgi?id=1096360

https://bugzilla.suse.com/show_bug.cgi?id=1098891

https://bugzilla.suse.com/show_bug.cgi?id=1104876

https://wiki.documentfoundation.org/ReleaseNotes/6.1

https://www.suse.com/security/cve/CVE-2018-10583/

http://www.nessus.org/u?b9eb9364

Plugin Details

Severity: High

ID: 120160

File Name: suse_SU-2018-3683-1.nasl

Version: 1.5

Type: local

Agent: unix

Published: 1/2/2019

Updated: 7/10/2024

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2018-10583

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:libmwaw-devel, p-cpe:/a:novell:suse_linux:libwps-tools-debuginfo, p-cpe:/a:novell:suse_linux:myspell-lightproof-pt_br, p-cpe:/a:novell:suse_linux:libxmlsec1-gcrypt1, p-cpe:/a:novell:suse_linux:xmlsec1, p-cpe:/a:novell:suse_linux:myspell-dictionaries, p-cpe:/a:novell:suse_linux:libstaroffice-debugsource, p-cpe:/a:novell:suse_linux:libstaroffice-debuginfo, p-cpe:/a:novell:suse_linux:xmlsec1-gnutls-devel, p-cpe:/a:novell:suse_linux:libmwaw-tools-debuginfo, p-cpe:/a:novell:suse_linux:libstaroffice-tools, p-cpe:/a:novell:suse_linux:libxmlsec1-openssl1-debuginfo, p-cpe:/a:novell:suse_linux:libmwaw-debuginfo, p-cpe:/a:novell:suse_linux:libstaroffice-tools-debuginfo, p-cpe:/a:novell:suse_linux:libmwaw-debugsource, p-cpe:/a:novell:suse_linux:libxmlsec1-gnutls1, p-cpe:/a:novell:suse_linux:libxmlsec1-openssl1, p-cpe:/a:novell:suse_linux:libxmlsec1-gcrypt1-debuginfo, p-cpe:/a:novell:suse_linux:libstaroffice-devel, p-cpe:/a:novell:suse_linux:libwps-debuginfo, p-cpe:/a:novell:suse_linux:libmwaw-tools, cpe:/o:novell:suse_linux:15, p-cpe:/a:novell:suse_linux:xmlsec1-gcrypt-devel, p-cpe:/a:novell:suse_linux:xmlsec1-debugsource, p-cpe:/a:novell:suse_linux:xmlsec1-openssl-devel, p-cpe:/a:novell:suse_linux:libxmlsec1-gnutls1-debuginfo, p-cpe:/a:novell:suse_linux:libwps-tools, p-cpe:/a:novell:suse_linux:myspell-lightproof-en, p-cpe:/a:novell:suse_linux:myspell-lightproof-ru_ru, p-cpe:/a:novell:suse_linux:libwps-debugsource, p-cpe:/a:novell:suse_linux:xmlsec1-debuginfo, p-cpe:/a:novell:suse_linux:myspell-lightproof-hu_hu

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/8/2018

Vulnerability Publication Date: 5/1/2018

Reference Information

CVE: CVE-2018-10583