Описание
Security update for crmsh
This update for crmsh fixes the following issues:
-
CVE-2020-35459: Fixed usage of utils.mkdirp instead of system mkdir command (bsc#1179999).
-
Fixed usage to collect ra trace files (bsc#1189641).
Список пакетов
Image SLES12-SP4-SAP-Azure
crmsh-4.1.1+git.1630047134.803a70f2-2.65.1
crmsh-scripts-4.1.1+git.1630047134.803a70f2-2.65.1
Image SLES12-SP4-SAP-Azure-BYOS
crmsh-4.1.1+git.1630047134.803a70f2-2.65.1
crmsh-scripts-4.1.1+git.1630047134.803a70f2-2.65.1
Image SLES12-SP4-SAP-Azure-LI-BYOS-Production
crmsh-4.1.1+git.1630047134.803a70f2-2.65.1
crmsh-scripts-4.1.1+git.1630047134.803a70f2-2.65.1
Image SLES12-SP4-SAP-Azure-VLI-BYOS-Production
crmsh-4.1.1+git.1630047134.803a70f2-2.65.1
crmsh-scripts-4.1.1+git.1630047134.803a70f2-2.65.1
Image SLES12-SP4-SAP-EC2-HVM
crmsh-4.1.1+git.1630047134.803a70f2-2.65.1
crmsh-scripts-4.1.1+git.1630047134.803a70f2-2.65.1
Image SLES12-SP4-SAP-EC2-HVM-BYOS
crmsh-4.1.1+git.1630047134.803a70f2-2.65.1
crmsh-scripts-4.1.1+git.1630047134.803a70f2-2.65.1
Image SLES12-SP4-SAP-GCE
crmsh-4.1.1+git.1630047134.803a70f2-2.65.1
crmsh-scripts-4.1.1+git.1630047134.803a70f2-2.65.1
Image SLES12-SP4-SAP-GCE-BYOS
crmsh-4.1.1+git.1630047134.803a70f2-2.65.1
crmsh-scripts-4.1.1+git.1630047134.803a70f2-2.65.1
Image SLES12-SP5-Azure-SAP-BYOS
crmsh-4.1.1+git.1630047134.803a70f2-2.65.1
crmsh-scripts-4.1.1+git.1630047134.803a70f2-2.65.1
Image SLES12-SP5-Azure-SAP-On-Demand
crmsh-4.1.1+git.1630047134.803a70f2-2.65.1
crmsh-scripts-4.1.1+git.1630047134.803a70f2-2.65.1
Image SLES12-SP5-EC2-SAP-BYOS
crmsh-4.1.1+git.1630047134.803a70f2-2.65.1
crmsh-scripts-4.1.1+git.1630047134.803a70f2-2.65.1
Image SLES12-SP5-EC2-SAP-On-Demand
crmsh-4.1.1+git.1630047134.803a70f2-2.65.1
crmsh-scripts-4.1.1+git.1630047134.803a70f2-2.65.1
Image SLES12-SP5-GCE-SAP-BYOS
crmsh-4.1.1+git.1630047134.803a70f2-2.65.1
crmsh-scripts-4.1.1+git.1630047134.803a70f2-2.65.1
Image SLES12-SP5-GCE-SAP-On-Demand
crmsh-4.1.1+git.1630047134.803a70f2-2.65.1
crmsh-scripts-4.1.1+git.1630047134.803a70f2-2.65.1
Image SLES12-SP5-OCI-BYOS-SAP-BYOS
crmsh-4.1.1+git.1630047134.803a70f2-2.65.1
crmsh-scripts-4.1.1+git.1630047134.803a70f2-2.65.1
Image SLES12-SP5-SAP-Azure-LI-BYOS-Production
crmsh-4.1.1+git.1630047134.803a70f2-2.65.1
crmsh-scripts-4.1.1+git.1630047134.803a70f2-2.65.1
Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production
crmsh-4.1.1+git.1630047134.803a70f2-2.65.1
crmsh-scripts-4.1.1+git.1630047134.803a70f2-2.65.1
SUSE Linux Enterprise High Availability Extension 12 SP4
crmsh-4.1.1+git.1630047134.803a70f2-2.65.1
crmsh-scripts-4.1.1+git.1630047134.803a70f2-2.65.1
SUSE Linux Enterprise High Availability Extension 12 SP5
crmsh-4.1.1+git.1630047134.803a70f2-2.65.1
crmsh-scripts-4.1.1+git.1630047134.803a70f2-2.65.1
Ссылки
- Link for SUSE-SU-2021:3121-1
- E-Mail link for SUSE-SU-2021:3121-1
- SUSE Security Ratings
- SUSE Bug 1179999
- SUSE Bug 1189641
- SUSE CVE CVE-2020-35459 page
Описание
An issue was discovered in ClusterLabs crmsh through 4.2.1. Local attackers able to call "crm history" (when "crm" is run) were able to execute commands via shell code injection to the crm history commandline, potentially allowing escalation of privileges.
Затронутые продукты
Image SLES12-SP4-SAP-Azure-BYOS:crmsh-4.1.1+git.1630047134.803a70f2-2.65.1
Image SLES12-SP4-SAP-Azure-BYOS:crmsh-scripts-4.1.1+git.1630047134.803a70f2-2.65.1
Image SLES12-SP4-SAP-Azure-LI-BYOS-Production:crmsh-4.1.1+git.1630047134.803a70f2-2.65.1
Image SLES12-SP4-SAP-Azure-LI-BYOS-Production:crmsh-scripts-4.1.1+git.1630047134.803a70f2-2.65.1
Ссылки
- CVE-2020-35459
- SUSE Bug 1179999