SUSE-SU-2019:1122-1

Published: 30 Apr 2019
Source: suse-cvrf

Description

Security update for hostinfo, supportutils

This update for hostinfo, supportutils fixes the following issues:

Security issues fixed for supportutils:

  • CVE-2018-19640: Fixed an issue where users could kill arbitrary processes (bsc#1118463).
  • CVE-2018-19638: Fixed an issue where users could overwrite arbitrary log files (bsc#1118460).
  • CVE-2018-19639: Fixed a code execution if run with -v (bsc#1118462).
  • CVE-2018-19637: Fixed an issue where static temporary filename could allow overwriting of files (bsc#1117776).
  • CVE-2018-19636: Fixed a local root exploit via inclusion of attacker controlled shell script (bsc#1117751).

Other issues fixed for supportutils:

  • Fixed invalid exit code commands (bsc#1125666)
  • SUSE separation in supportconfig (bsc#1125623)
  • Clarified supportconfig(8) -x option (bsc#1115245)
  • supportconfig: 3.0.127
  • btrfs filesystem usage
  • List products.d
  • Dump lsof errors
  • Added ha commands for corosync
  • Dumped find errors in ib_info

Issues fixed in hostinfo:

  • Removed extra kernel install dates (bsc#1099498)
  • Resolved network bond issue (bsc#1054979)

Package list

Image SLES12-SP5-Azure-BYOS
hostinfo-1.0.1-19.5.1
supportutils-3.0-95.21.1
Image SLES12-SP5-Azure-Basic-On-Demand
hostinfo-1.0.1-19.5.1
supportutils-3.0-95.21.1
Image SLES12-SP5-Azure-HPC-BYOS
hostinfo-1.0.1-19.5.1
supportutils-3.0-95.21.1
Image SLES12-SP5-Azure-HPC-On-Demand
hostinfo-1.0.1-19.5.1
supportutils-3.0-95.21.1
Image SLES12-SP5-Azure-SAP-BYOS
hostinfo-1.0.1-19.5.1
supportutils-3.0-95.21.1
Image SLES12-SP5-Azure-SAP-On-Demand
hostinfo-1.0.1-19.5.1
supportutils-3.0-95.21.1
Image SLES12-SP5-Azure-Standard-On-Demand
hostinfo-1.0.1-19.5.1
supportutils-3.0-95.21.1
Image SLES12-SP5-EC2-BYOS
hostinfo-1.0.1-19.5.1
supportutils-3.0-95.21.1
Image SLES12-SP5-EC2-ECS-On-Demand
hostinfo-1.0.1-19.5.1
supportutils-3.0-95.21.1
Image SLES12-SP5-EC2-On-Demand
hostinfo-1.0.1-19.5.1
supportutils-3.0-95.21.1
Image SLES12-SP5-EC2-SAP-BYOS
hostinfo-1.0.1-19.5.1
supportutils-3.0-95.21.1
Image SLES12-SP5-EC2-SAP-On-Demand
hostinfo-1.0.1-19.5.1
supportutils-3.0-95.21.1
Image SLES12-SP5-GCE-BYOS
hostinfo-1.0.1-19.5.1
supportutils-3.0-95.21.1
Image SLES12-SP5-GCE-On-Demand
hostinfo-1.0.1-19.5.1
supportutils-3.0-95.21.1
Image SLES12-SP5-GCE-SAP-BYOS
hostinfo-1.0.1-19.5.1
supportutils-3.0-95.21.1
Image SLES12-SP5-GCE-SAP-On-Demand
hostinfo-1.0.1-19.5.1
supportutils-3.0-95.21.1
Image SLES12-SP5-OCI-BYOS-BYOS
supportutils-3.0-95.21.1
Image SLES12-SP5-OCI-BYOS-SAP-BYOS
supportutils-3.0-95.21.1
Image SLES12-SP5-SAP-Azure-LI-BYOS-Production
supportutils-3.0-95.21.1
Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production
supportutils-3.0-95.21.1
SUSE Enterprise Storage 4
hostinfo-1.0.1-19.5.1
supportutils-3.0-95.21.1
SUSE Linux Enterprise Desktop 12 SP3
supportutils-3.0-95.21.1
SUSE Linux Enterprise Desktop 12 SP4
supportutils-3.0-95.21.1
SUSE Linux Enterprise Server 12 SP1-LTSS
hostinfo-1.0.1-19.5.1
supportutils-3.0-95.21.1
SUSE Linux Enterprise Server 12 SP2-BCL
hostinfo-1.0.1-19.5.1
supportutils-3.0-95.21.1
SUSE Linux Enterprise Server 12 SP2-LTSS
hostinfo-1.0.1-19.5.1
supportutils-3.0-95.21.1
SUSE Linux Enterprise Server 12 SP3
hostinfo-1.0.1-19.5.1
supportutils-3.0-95.21.1
SUSE Linux Enterprise Server 12 SP4
hostinfo-1.0.1-19.5.1
supportutils-3.0-95.21.1
SUSE Linux Enterprise Server 12-LTSS
hostinfo-1.0.1-19.5.1
supportutils-3.0-95.21.1
SUSE Linux Enterprise Server for SAP Applications 12 SP2
hostinfo-1.0.1-19.5.1
supportutils-3.0-95.21.1
SUSE Linux Enterprise Server for SAP Applications 12 SP3
hostinfo-1.0.1-19.5.1
supportutils-3.0-95.21.1
SUSE Linux Enterprise Server for SAP Applications 12 SP4
hostinfo-1.0.1-19.5.1
supportutils-3.0-95.21.1
SUSE OpenStack Cloud 7
hostinfo-1.0.1-19.5.1
supportutils-3.0-95.21.1

Description

Supportutils, before version 3.1-5.7.1, when run with the command line argument -A, searched the file system for an ndspath binary. If an attacker provides one at an arbitrary location, it is executed with root privileges.


Affected products
Image SLES12-SP5-Azure-BYOS:hostinfo-1.0.1-19.5.1
Image SLES12-SP5-Azure-BYOS:supportutils-3.0-95.21.1
Image SLES12-SP5-Azure-Basic-On-Demand:hostinfo-1.0.1-19.5.1
Image SLES12-SP5-Azure-Basic-On-Demand:supportutils-3.0-95.21.1


Description

Supportutils, before version 3.1-5.7.1, wrote data to the static file /tmp/supp_log, allowing local attackers to overwrite files on systems without symlink protection.


Affected products
Image SLES12-SP5-Azure-BYOS:hostinfo-1.0.1-19.5.1
Image SLES12-SP5-Azure-BYOS:supportutils-3.0-95.21.1
Image SLES12-SP5-Azure-Basic-On-Demand:hostinfo-1.0.1-19.5.1
Image SLES12-SP5-Azure-Basic-On-Demand:supportutils-3.0-95.21.1


Description

In supportutils, before version 3.1-5.7.1 and if pacemaker is installed on the system, an unprivileged user could have overwritten arbitrary files in the directory that is used by supportutils to collect the log files.


Affected products
Image SLES12-SP5-Azure-BYOS:hostinfo-1.0.1-19.5.1
Image SLES12-SP5-Azure-BYOS:supportutils-3.0-95.21.1
Image SLES12-SP5-Azure-Basic-On-Demand:hostinfo-1.0.1-19.5.1
Image SLES12-SP5-Azure-Basic-On-Demand:supportutils-3.0-95.21.1


Description

If supportutils before version 3.1-5.7.1 is run with -v to perform rpm verification and the attacker manages to manipulate the rpm listing (e.g. with CVE-2018-19638), they can execute arbitrary commands as root.


Affected products
Image SLES12-SP5-Azure-BYOS:hostinfo-1.0.1-19.5.1
Image SLES12-SP5-Azure-BYOS:supportutils-3.0-95.21.1
Image SLES12-SP5-Azure-Basic-On-Demand:hostinfo-1.0.1-19.5.1
Image SLES12-SP5-Azure-Basic-On-Demand:supportutils-3.0-95.21.1


Description

If the attacker manages to create files in the directory used to collect log files in supportutils before version 3.1-5.7.1 (e.g. with CVE-2018-19638), they can kill arbitrary processes on the local machine.


Affected products
Image SLES12-SP5-Azure-BYOS:hostinfo-1.0.1-19.5.1
Image SLES12-SP5-Azure-BYOS:supportutils-3.0-95.21.1
Image SLES12-SP5-Azure-Basic-On-Demand:hostinfo-1.0.1-19.5.1
Image SLES12-SP5-Azure-Basic-On-Demand:supportutils-3.0-95.21.1

References
Vulnerability SUSE-SU-2019:1122-1