SUSE-SU-2023:4527-1

Published: 22 Nov 2023
Source: suse-cvrf

Description

Security update for maven, maven-resolver, sbt, xmvn

This update for maven, maven-resolver, sbt, xmvn fixes the following issues:

  • CVE-2023-46122: Fixed an arbitrary file write when extracting a crafted zip file with sbt (bsc#1216529).
  • Upgraded maven to version 3.9.4
  • Upgraded maven-resolver to version 1.9.15.

Package list

Container bci/openjdk-devel:11
maven-3.9.4-150200.4.18.1
maven-lib-3.9.4-150200.4.18.1
maven-resolver-api-1.9.15-150200.3.14.2
maven-resolver-connector-basic-1.9.15-150200.3.14.2
maven-resolver-impl-1.9.15-150200.3.14.2
maven-resolver-named-locks-1.9.15-150200.3.14.2
maven-resolver-spi-1.9.15-150200.3.14.2
maven-resolver-transport-file-1.9.15-150200.3.14.2
maven-resolver-transport-http-1.9.15-150200.3.14.2
maven-resolver-transport-wagon-1.9.15-150200.3.14.2
maven-resolver-util-1.9.15-150200.3.14.2
Container bci/openjdk-devel:17
maven-3.9.4-150200.4.18.1
maven-lib-3.9.4-150200.4.18.1
maven-resolver-api-1.9.15-150200.3.14.2
maven-resolver-connector-basic-1.9.15-150200.3.14.2
maven-resolver-impl-1.9.15-150200.3.14.2
maven-resolver-named-locks-1.9.15-150200.3.14.2
maven-resolver-spi-1.9.15-150200.3.14.2
maven-resolver-transport-file-1.9.15-150200.3.14.2
maven-resolver-transport-http-1.9.15-150200.3.14.2
maven-resolver-transport-wagon-1.9.15-150200.3.14.2
maven-resolver-util-1.9.15-150200.3.14.2
Container bci/openjdk-devel:latest
maven-3.9.4-150200.4.18.1
maven-lib-3.9.4-150200.4.18.1
maven-resolver-api-1.9.15-150200.3.14.2
maven-resolver-connector-basic-1.9.15-150200.3.14.2
maven-resolver-impl-1.9.15-150200.3.14.2
maven-resolver-named-locks-1.9.15-150200.3.14.2
maven-resolver-spi-1.9.15-150200.3.14.2
maven-resolver-transport-file-1.9.15-150200.3.14.2
maven-resolver-transport-http-1.9.15-150200.3.14.2
maven-resolver-transport-wagon-1.9.15-150200.3.14.2
maven-resolver-util-1.9.15-150200.3.14.2
SUSE Enterprise Storage 7.1
maven-3.9.4-150200.4.18.1
maven-lib-3.9.4-150200.4.18.1
maven-resolver-api-1.9.15-150200.3.14.2
maven-resolver-connector-basic-1.9.15-150200.3.14.2
maven-resolver-impl-1.9.15-150200.3.14.2
maven-resolver-named-locks-1.9.15-150200.3.14.2
maven-resolver-spi-1.9.15-150200.3.14.2
maven-resolver-transport-file-1.9.15-150200.3.14.2
maven-resolver-transport-http-1.9.15-150200.3.14.2
maven-resolver-transport-wagon-1.9.15-150200.3.14.2
maven-resolver-util-1.9.15-150200.3.14.2
xmvn-4.2.0-150200.3.14.1
xmvn-api-4.2.0-150200.3.14.1
xmvn-connector-4.2.0-150200.3.14.1
xmvn-core-4.2.0-150200.3.14.1
xmvn-install-4.2.0-150200.3.14.1
xmvn-minimal-4.2.0-150200.3.14.1
xmvn-mojo-4.2.0-150200.3.14.1
xmvn-resolve-4.2.0-150200.3.14.1
xmvn-subst-4.2.0-150200.3.14.1
SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS
maven-3.9.4-150200.4.18.1
maven-lib-3.9.4-150200.4.18.1
maven-resolver-api-1.9.15-150200.3.14.2
maven-resolver-connector-basic-1.9.15-150200.3.14.2
maven-resolver-impl-1.9.15-150200.3.14.2
maven-resolver-named-locks-1.9.15-150200.3.14.2
maven-resolver-spi-1.9.15-150200.3.14.2
maven-resolver-transport-file-1.9.15-150200.3.14.2
maven-resolver-transport-http-1.9.15-150200.3.14.2
maven-resolver-transport-wagon-1.9.15-150200.3.14.2
maven-resolver-util-1.9.15-150200.3.14.2
xmvn-4.2.0-150200.3.14.1
xmvn-api-4.2.0-150200.3.14.1
xmvn-connector-4.2.0-150200.3.14.1
xmvn-core-4.2.0-150200.3.14.1
xmvn-install-4.2.0-150200.3.14.1
xmvn-minimal-4.2.0-150200.3.14.1
xmvn-mojo-4.2.0-150200.3.14.1
xmvn-resolve-4.2.0-150200.3.14.1
xmvn-subst-4.2.0-150200.3.14.1
SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS
maven-3.9.4-150200.4.18.1
maven-lib-3.9.4-150200.4.18.1
maven-resolver-api-1.9.15-150200.3.14.2
maven-resolver-connector-basic-1.9.15-150200.3.14.2
maven-resolver-impl-1.9.15-150200.3.14.2
maven-resolver-named-locks-1.9.15-150200.3.14.2
maven-resolver-spi-1.9.15-150200.3.14.2
maven-resolver-transport-file-1.9.15-150200.3.14.2
maven-resolver-transport-http-1.9.15-150200.3.14.2
maven-resolver-transport-wagon-1.9.15-150200.3.14.2
maven-resolver-util-1.9.15-150200.3.14.2
xmvn-4.2.0-150200.3.14.1
xmvn-api-4.2.0-150200.3.14.1
xmvn-connector-4.2.0-150200.3.14.1
xmvn-core-4.2.0-150200.3.14.1
xmvn-install-4.2.0-150200.3.14.1
xmvn-minimal-4.2.0-150200.3.14.1
xmvn-mojo-4.2.0-150200.3.14.1
xmvn-resolve-4.2.0-150200.3.14.1
xmvn-subst-4.2.0-150200.3.14.1
SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS
maven-3.9.4-150200.4.18.1
maven-lib-3.9.4-150200.4.18.1
maven-resolver-api-1.9.15-150200.3.14.2
maven-resolver-connector-basic-1.9.15-150200.3.14.2
maven-resolver-impl-1.9.15-150200.3.14.2
maven-resolver-named-locks-1.9.15-150200.3.14.2
maven-resolver-spi-1.9.15-150200.3.14.2
maven-resolver-transport-file-1.9.15-150200.3.14.2
maven-resolver-transport-http-1.9.15-150200.3.14.2
maven-resolver-transport-wagon-1.9.15-150200.3.14.2
maven-resolver-util-1.9.15-150200.3.14.2
xmvn-4.2.0-150200.3.14.1
xmvn-api-4.2.0-150200.3.14.1
xmvn-connector-4.2.0-150200.3.14.1
xmvn-core-4.2.0-150200.3.14.1
xmvn-install-4.2.0-150200.3.14.1
xmvn-minimal-4.2.0-150200.3.14.1
xmvn-mojo-4.2.0-150200.3.14.1
xmvn-resolve-4.2.0-150200.3.14.1
xmvn-subst-4.2.0-150200.3.14.1
SUSE Linux Enterprise Module for Development Tools 15 SP4
maven-3.9.4-150200.4.18.1
maven-lib-3.9.4-150200.4.18.1
maven-resolver-api-1.9.15-150200.3.14.2
maven-resolver-connector-basic-1.9.15-150200.3.14.2
maven-resolver-impl-1.9.15-150200.3.14.2
maven-resolver-named-locks-1.9.15-150200.3.14.2
maven-resolver-spi-1.9.15-150200.3.14.2
maven-resolver-transport-file-1.9.15-150200.3.14.2
maven-resolver-transport-http-1.9.15-150200.3.14.2
maven-resolver-transport-wagon-1.9.15-150200.3.14.2
maven-resolver-util-1.9.15-150200.3.14.2
xmvn-4.2.0-150200.3.14.1
xmvn-api-4.2.0-150200.3.14.1
xmvn-connector-4.2.0-150200.3.14.1
xmvn-core-4.2.0-150200.3.14.1
xmvn-install-4.2.0-150200.3.14.1
xmvn-minimal-4.2.0-150200.3.14.1
xmvn-mojo-4.2.0-150200.3.14.1
xmvn-resolve-4.2.0-150200.3.14.1
xmvn-subst-4.2.0-150200.3.14.1
SUSE Linux Enterprise Module for Development Tools 15 SP5
maven-3.9.4-150200.4.18.1
maven-lib-3.9.4-150200.4.18.1
maven-resolver-api-1.9.15-150200.3.14.2
maven-resolver-connector-basic-1.9.15-150200.3.14.2
maven-resolver-impl-1.9.15-150200.3.14.2
maven-resolver-named-locks-1.9.15-150200.3.14.2
maven-resolver-spi-1.9.15-150200.3.14.2
maven-resolver-transport-file-1.9.15-150200.3.14.2
maven-resolver-transport-http-1.9.15-150200.3.14.2
maven-resolver-transport-wagon-1.9.15-150200.3.14.2
maven-resolver-util-1.9.15-150200.3.14.2
xmvn-4.2.0-150200.3.14.1
xmvn-api-4.2.0-150200.3.14.1
xmvn-connector-4.2.0-150200.3.14.1
xmvn-core-4.2.0-150200.3.14.1
xmvn-install-4.2.0-150200.3.14.1
xmvn-minimal-4.2.0-150200.3.14.1
xmvn-mojo-4.2.0-150200.3.14.1
xmvn-resolve-4.2.0-150200.3.14.1
xmvn-subst-4.2.0-150200.3.14.1
SUSE Linux Enterprise Module for Package Hub 15 SP5
sbt-0.13.18-150200.4.16.1
sbt-bootstrap-0.13.18-150200.4.16.1
SUSE Linux Enterprise Server 15 SP2-LTSS
maven-3.9.4-150200.4.18.1
maven-lib-3.9.4-150200.4.18.1
maven-resolver-api-1.9.15-150200.3.14.2
maven-resolver-connector-basic-1.9.15-150200.3.14.2
maven-resolver-impl-1.9.15-150200.3.14.2
maven-resolver-named-locks-1.9.15-150200.3.14.2
maven-resolver-spi-1.9.15-150200.3.14.2
maven-resolver-transport-file-1.9.15-150200.3.14.2
maven-resolver-transport-http-1.9.15-150200.3.14.2
maven-resolver-transport-wagon-1.9.15-150200.3.14.2
maven-resolver-util-1.9.15-150200.3.14.2
xmvn-4.2.0-150200.3.14.1
xmvn-api-4.2.0-150200.3.14.1
xmvn-connector-4.2.0-150200.3.14.1
xmvn-core-4.2.0-150200.3.14.1
xmvn-install-4.2.0-150200.3.14.1
xmvn-minimal-4.2.0-150200.3.14.1
xmvn-mojo-4.2.0-150200.3.14.1
xmvn-resolve-4.2.0-150200.3.14.1
xmvn-subst-4.2.0-150200.3.14.1
SUSE Linux Enterprise Server 15 SP3-LTSS
maven-3.9.4-150200.4.18.1
maven-lib-3.9.4-150200.4.18.1
maven-resolver-api-1.9.15-150200.3.14.2
maven-resolver-connector-basic-1.9.15-150200.3.14.2
maven-resolver-impl-1.9.15-150200.3.14.2
maven-resolver-named-locks-1.9.15-150200.3.14.2
maven-resolver-spi-1.9.15-150200.3.14.2
maven-resolver-transport-file-1.9.15-150200.3.14.2
maven-resolver-transport-http-1.9.15-150200.3.14.2
maven-resolver-transport-wagon-1.9.15-150200.3.14.2
maven-resolver-util-1.9.15-150200.3.14.2
xmvn-4.2.0-150200.3.14.1
xmvn-api-4.2.0-150200.3.14.1
xmvn-connector-4.2.0-150200.3.14.1
xmvn-core-4.2.0-150200.3.14.1
xmvn-install-4.2.0-150200.3.14.1
xmvn-minimal-4.2.0-150200.3.14.1
xmvn-mojo-4.2.0-150200.3.14.1
xmvn-resolve-4.2.0-150200.3.14.1
xmvn-subst-4.2.0-150200.3.14.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2
maven-3.9.4-150200.4.18.1
maven-lib-3.9.4-150200.4.18.1
maven-resolver-api-1.9.15-150200.3.14.2
maven-resolver-connector-basic-1.9.15-150200.3.14.2
maven-resolver-impl-1.9.15-150200.3.14.2
maven-resolver-named-locks-1.9.15-150200.3.14.2
maven-resolver-spi-1.9.15-150200.3.14.2
maven-resolver-transport-file-1.9.15-150200.3.14.2
maven-resolver-transport-http-1.9.15-150200.3.14.2
maven-resolver-transport-wagon-1.9.15-150200.3.14.2
maven-resolver-util-1.9.15-150200.3.14.2
xmvn-4.2.0-150200.3.14.1
xmvn-api-4.2.0-150200.3.14.1
xmvn-connector-4.2.0-150200.3.14.1
xmvn-core-4.2.0-150200.3.14.1
xmvn-install-4.2.0-150200.3.14.1
xmvn-minimal-4.2.0-150200.3.14.1
xmvn-mojo-4.2.0-150200.3.14.1
xmvn-resolve-4.2.0-150200.3.14.1
xmvn-subst-4.2.0-150200.3.14.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3
maven-3.9.4-150200.4.18.1
maven-lib-3.9.4-150200.4.18.1
maven-resolver-api-1.9.15-150200.3.14.2
maven-resolver-connector-basic-1.9.15-150200.3.14.2
maven-resolver-impl-1.9.15-150200.3.14.2
maven-resolver-named-locks-1.9.15-150200.3.14.2
maven-resolver-spi-1.9.15-150200.3.14.2
maven-resolver-transport-file-1.9.15-150200.3.14.2
maven-resolver-transport-http-1.9.15-150200.3.14.2
maven-resolver-transport-wagon-1.9.15-150200.3.14.2
maven-resolver-util-1.9.15-150200.3.14.2
xmvn-4.2.0-150200.3.14.1
xmvn-api-4.2.0-150200.3.14.1
xmvn-connector-4.2.0-150200.3.14.1
xmvn-core-4.2.0-150200.3.14.1
xmvn-install-4.2.0-150200.3.14.1
xmvn-minimal-4.2.0-150200.3.14.1
xmvn-mojo-4.2.0-150200.3.14.1
xmvn-resolve-4.2.0-150200.3.14.1
xmvn-subst-4.2.0-150200.3.14.1
openSUSE Leap 15.4
maven-3.9.4-150200.4.18.1
maven-javadoc-3.9.4-150200.4.18.1
maven-lib-3.9.4-150200.4.18.1
maven-resolver-1.9.15-150200.3.14.2
maven-resolver-api-1.9.15-150200.3.14.2
maven-resolver-connector-basic-1.9.15-150200.3.14.2
maven-resolver-impl-1.9.15-150200.3.14.2
maven-resolver-javadoc-1.9.15-150200.3.14.2
maven-resolver-named-locks-1.9.15-150200.3.14.2
maven-resolver-spi-1.9.15-150200.3.14.2
maven-resolver-test-util-1.9.15-150200.3.14.2
maven-resolver-transport-classpath-1.9.15-150200.3.14.2
maven-resolver-transport-file-1.9.15-150200.3.14.2
maven-resolver-transport-http-1.9.15-150200.3.14.2
maven-resolver-transport-wagon-1.9.15-150200.3.14.2
maven-resolver-util-1.9.15-150200.3.14.2
sbt-0.13.18-150200.4.16.1
sbt-bootstrap-0.13.18-150200.4.16.1
xmvn-4.2.0-150200.3.14.1
xmvn-api-4.2.0-150200.3.14.1
xmvn-connector-4.2.0-150200.3.14.1
xmvn-connector-javadoc-4.2.0-150200.3.14.1
xmvn-core-4.2.0-150200.3.14.1
xmvn-install-4.2.0-150200.3.14.1
xmvn-minimal-4.2.0-150200.3.14.1
xmvn-mojo-4.2.0-150200.3.14.1
xmvn-mojo-javadoc-4.2.0-150200.3.14.1
xmvn-parent-4.2.0-150200.3.14.1
xmvn-resolve-4.2.0-150200.3.14.1
xmvn-subst-4.2.0-150200.3.14.1
xmvn-tools-javadoc-4.2.0-150200.3.14.1
openSUSE Leap 15.5
maven-3.9.4-150200.4.18.1
maven-javadoc-3.9.4-150200.4.18.1
maven-lib-3.9.4-150200.4.18.1
maven-resolver-1.9.15-150200.3.14.2
maven-resolver-api-1.9.15-150200.3.14.2
maven-resolver-connector-basic-1.9.15-150200.3.14.2
maven-resolver-impl-1.9.15-150200.3.14.2
maven-resolver-javadoc-1.9.15-150200.3.14.2
maven-resolver-named-locks-1.9.15-150200.3.14.2
maven-resolver-spi-1.9.15-150200.3.14.2
maven-resolver-test-util-1.9.15-150200.3.14.2
maven-resolver-transport-classpath-1.9.15-150200.3.14.2
maven-resolver-transport-file-1.9.15-150200.3.14.2
maven-resolver-transport-http-1.9.15-150200.3.14.2
maven-resolver-transport-wagon-1.9.15-150200.3.14.2
maven-resolver-util-1.9.15-150200.3.14.2
sbt-0.13.18-150200.4.16.1
sbt-bootstrap-0.13.18-150200.4.16.1
xmvn-4.2.0-150200.3.14.1
xmvn-api-4.2.0-150200.3.14.1
xmvn-connector-4.2.0-150200.3.14.1
xmvn-connector-javadoc-4.2.0-150200.3.14.1
xmvn-core-4.2.0-150200.3.14.1
xmvn-install-4.2.0-150200.3.14.1
xmvn-minimal-4.2.0-150200.3.14.1
xmvn-mojo-4.2.0-150200.3.14.1
xmvn-mojo-javadoc-4.2.0-150200.3.14.1
xmvn-parent-4.2.0-150200.3.14.1
xmvn-resolve-4.2.0-150200.3.14.1
xmvn-subst-4.2.0-150200.3.14.1
xmvn-tools-javadoc-4.2.0-150200.3.14.1

Description

sbt is a build tool for Scala, Java, and others. Given a specially crafted zip or JAR file, `IO.unzip` allows arbitrary files to be written. This has the potential to overwrite `/root/.ssh/authorized_keys`. Within sbt's main code, `IO.unzip` is used in the `pullRemoteCache` task and in `Resolvers.remote`; however, many projects use `IO.unzip(...)` directly to implement custom tasks. This vulnerability has been patched in version 1.9.7.
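For builds that hand zip or JAR files to `IO.unzip` from custom tasks, an archive can be audited before it reaches the extractor. The following is an added example, not code from this advisory or from sbt: a Python check that lists entries whose names would resolve outside the extraction directory, and it goes slightly beyond the case described by also flagging absolute paths and symlink entries. The names `audit_archive`, `build_sample` and `DEST` are hypothetical, and the sample archive is constructed in memory.

```python
import io
import posixpath
import re
import zipfile

DEST = "/srv/build/extract"  # hypothetical extraction root, never touched on disk


def audit_archive(archive, dest=DEST):
    """Return [(entry_name, reason)] for entries that would land outside dest."""
    root = posixpath.normpath(dest)
    findings = []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")  # treat Windows separators alike
            if name.startswith("/") or re.match(r"^[A-Za-z]:", name):
                findings.append((info.filename, "absolute path"))
                continue
            # Resolve ".." segments the way a naive join(dest, name) would.
            resolved = posixpath.normpath(posixpath.join(root, name))
            if resolved != root and not resolved.startswith(root + "/"):
                findings.append((info.filename, "escapes destination"))
                continue
            # The upper 16 bits of external_attr carry the Unix mode, if any.
            mode = info.external_attr >> 16
            if (mode & 0o170000) == 0o120000:
                findings.append((info.filename, "symlink entry"))
    return findings


def build_sample():
    """Constructed in-memory archive: two ordinary entries, three suspicious ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("lib/../classes/App.class", b"\x00")  # stays inside dest
        zf.writestr("../../outside/marker.txt", "constructed sample\n")
        zf.writestr("/tmp/absolute-marker.txt", "constructed sample\n")
        link = zipfile.ZipInfo("docs/latest")
        link.external_attr = 0o120777 << 16  # Unix symlink mode bits
        zf.writestr(link, "/etc")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, reason in audit_archive(build_sample()):
        print(f"{reason:20} {name}")
```

An archive with any finding should be rejected rather than extracted; the check works on entry names only and does not replace upgrading to the patched sbt.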


Affected products
Container bci/openjdk-devel:11:maven-3.9.4-150200.4.18.1
Container bci/openjdk-devel:11:maven-lib-3.9.4-150200.4.18.1
Container bci/openjdk-devel:11:maven-resolver-api-1.9.15-150200.3.14.2
Container bci/openjdk-devel:11:maven-resolver-connector-basic-1.9.15-150200.3.14.2

References
Vulnerability SUSE-SU-2023:4527-1