Description
Security update for permissions
This update for permissions fixes the following issues:
- CVE-2019-3688: Changed the wrong ownership of /usr/sbin/pinger to root:squid; the previous ownership could have allowed a squid user to gain persistence by changing the binary (bsc#1093414).
- CVE-2019-3690: Fixed a privilege escalation through untrusted symbolic links (bsc#1150734).
- Fixed a regression which caused a segmentation fault (bsc#1157198).
Package list
Container suse/sle15:15.0
permissions-20180125-3.18.1
SUSE Linux Enterprise Module for Basesystem 15
permissions-20180125-3.18.1
References
- Link for SUSE-SU-2019:3182-1
- E-Mail link for SUSE-SU-2019:3182-1
- SUSE Security Ratings
- SUSE Bug 1093414
- SUSE Bug 1150734
- SUSE Bug 1157198
- SUSE CVE CVE-2019-3688 page
- SUSE CVE CVE-2019-3690 page
Description
The /usr/sbin/pinger binary packaged with squid in SUSE Linux Enterprise Server 15 before and including version 4.8-5.8.1 and in SUSE Linux Enterprise Server 12 before and including 3.5.21-26.17.1 had squid:root, 0750 permissions. This allowed an attacker that compromised the squid user to gain persistence by changing the binary.
Affected products
Container suse/sle15:15.0:permissions-20180125-3.18.1
SUSE Linux Enterprise Module for Basesystem 15:permissions-20180125-3.18.1
References
- CVE-2019-3688
- SUSE Bug 1093414
- SUSE Bug 1149108
Description
The chkstat tool in the permissions package followed symlinks before commit a9e1d26cd49ef9ee0c2060c859321128a6dd4230 (please also check the additional hardenings after this fix). This allowed local attackers with control over a path that is traversed by chkstat to escalate privileges.
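One way a privileged tool can avoid following symlinks while it traverses a path is to open each component relative to its already-open parent with O_NOFOLLOW. The sketch below is an added example, not code from the permissions package or the referenced commit; `open_no_symlinks`, `demo` and the temporary paths are hypothetical and constructed for illustration (Linux semantics assumed).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not chkstat's code. Opens an absolute path one
 * component at a time so a symlink in the middle or at the end is refused.
 * Returns a descriptor, or -1 with errno set (ELOOP = symlink found). */
int open_no_symlinks(const char *path)
{
    char buf[PATH_MAX], *save = NULL;
    if (path[0] != '/' || strlen(path) >= sizeof buf) { errno = EINVAL; return -1; }
    strcpy(buf, path);
    int fd = open("/", O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    for (char *c = strtok_r(buf, "/", &save); fd >= 0 && c; c = strtok_r(NULL, "/", &save)) {
        /* Relative to the open parent; O_NOFOLLOW fails with ELOOP on a symlink. */
        int next = openat(fd, c, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
        int err = errno;
        close(fd);
        errno = err;            /* keep openat's error, not close's */
        fd = next;
    }
    return fd;
}

/* Constructed fixture: <tmp>/real/file plus the symlink <tmp>/link -> real.
 * Returns 1 when the direct path opens and the path through the symlink is
 * refused with ELOOP, 0 otherwise, -1 if the fixture cannot be built. */
int demo(void)
{
    char tmpl[] = "/tmp/nofollowXXXXXX", d[PATH_MAX], p[4][PATH_MAX + 16];
    const char *suffix[4] = { "real", "real/file", "link", "link/file" };
    if (!mkdtemp(tmpl) || !realpath(tmpl, d)) return -1;
    for (int i = 0; i < 4; i++) snprintf(p[i], sizeof p[i], "%s/%s", d, suffix[i]);
    int f = mkdir(p[0], 0700) == 0 ? open(p[1], O_CREAT | O_WRONLY, 0600) : -1;
    if (f < 0 || close(f) != 0 || symlink("real", p[2]) != 0) return -1;
    int ok = open_no_symlinks(p[1]);
    int bad = open_no_symlinks(p[3]), bad_errno = errno;
    if (ok >= 0) close(ok);
    unlink(p[1]); unlink(p[2]); rmdir(p[0]); rmdir(d);
    return ok >= 0 && bad < 0 && bad_errno == ELOOP;
}

int main(void) { return demo() == 1 ? 0 : 1; }
```

A caller would then inspect or change ownership and mode through the returned descriptor (fstat, fchown, fchmod) instead of going back to the path name.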
Affected products
Container suse/sle15:15.0:permissions-20180125-3.18.1
SUSE Linux Enterprise Module for Basesystem 15:permissions-20180125-3.18.1
References
- CVE-2019-3690
- SUSE Bug 1148336
- SUSE Bug 1150734
- SUSE Bug 1157880
- SUSE Bug 1157883
- SUSE Bug 1160594
- SUSE Bug 1160764
- SUSE Bug 1163922