Описание
Security update for supportutils
This update for supportutils fixes the following issues:
Security issues fixed:
- CVE-2018-19640: Fixed an issue where users could kill arbitrary processes (bsc#1118463).
- CVE-2018-19638: Fixed an issue where users could overwrite arbitrary log files (bsc#1118460).
- CVE-2018-19639: Fixed a code execution if run with -v (bsc#1118462).
- CVE-2018-19637: Fixed an issue where static temporary filename could allow overwriting of files (bsc#1117776).
Other issues fixed:
- Fixed invalid exit code commands (bsc#1125666).
- Included additional SUSE separation (bsc#1125609).
- Merged added listing of locked packes by zypper.
- Exclude pam.txt per GDPR by default (bsc#1112461).
- Clarified -x functionality in supportconfig(8) (bsc#1115245).
- udev service and provide the whole journal content in supportconfig (bsc#1051797).
- supportconfig collects tuned profile settings (bsc#1071545).
- sfdisk -d no disk device specified (bsc#1043311).
- Added vulnerabilites status check in basic-health.txt (bsc#1105849).
- Added only sched_domain from cpu0.
- Blacklist sched_domain from proc.txt (bsc#1046681).
- Added firewall-cmd info.
- Add ls -lA --time-style=long-iso /etc/products.d/
- Dump lsof errors.
- Added corosync status to ha_info.
- Dump find errors in ib_info.
This update was imported from the SUSE:SLE-15:Update update project.
Список пакетов
openSUSE Leap 15.0
Ссылки
- E-Mail link for openSUSE-SU-2019:0293-1
- SUSE Security Ratings
- SUSE Bug 1043311
- SUSE Bug 1046681
- SUSE Bug 1051797
- SUSE Bug 1071545
- SUSE Bug 1105849
- SUSE Bug 1112461
- SUSE Bug 1115245
- SUSE Bug 1117776
- SUSE Bug 1118460
- SUSE Bug 1118462
- SUSE Bug 1118463
- SUSE Bug 1125609
- SUSE Bug 1125666
- SUSE CVE CVE-2018-19637 page
- SUSE CVE CVE-2018-19638 page
- SUSE CVE CVE-2018-19639 page
- SUSE CVE CVE-2018-19640 page
Описание
Supportutils, before version 3.1-5.7.1, wrote data to static file /tmp/supp_log, allowing local attackers to overwrite files on systems without symlink protection
Затронутые продукты
Ссылки
- CVE-2018-19637
- SUSE Bug 1063385
- SUSE Bug 1117776
Описание
In supportutils, before version 3.1-5.7.1 and if pacemaker is installed on the system, an unprivileged user could have overwritten arbitrary files in the directory that is used by supportutils to collect the log files.
Затронутые продукты
Ссылки
- CVE-2018-19638
- SUSE Bug 1063385
- SUSE Bug 1118460
- SUSE Bug 1118462
- SUSE Bug 1118463
Описание
If supportutils before version 3.1-5.7.1 is run with -v to perform rpm verification and the attacker manages to manipulate the rpm listing (e.g. with CVE-2018-19638) he can execute arbitrary commands as root.
Затронутые продукты
Ссылки
- CVE-2018-19639
- SUSE Bug 1063385
- SUSE Bug 1118460
- SUSE Bug 1118462
Описание
If the attacker manages to create files in the directory used to collect log files in supportutils before version 3.1-5.7.1 (e.g. with CVE-2018-19638) he can kill arbitrary processes on the local machine.
Затронутые продукты
Ссылки
- CVE-2018-19640
- SUSE Bug 1063385
- SUSE Bug 1118463