SUSE: 2018:2898-1 Important: Multiple Security Fixes for SMT and YAST2-SMT

suse

September 27, 2018

An update that solves three vulnerabilities and has 6 fixes is now available

Summary

This update for yast2-smt to 3.0.14 and smt to 3.0.37 fixes the following issues: These security issues were fixed in SMT: - CVE-2018-12471: Xml External Entity processing in the RegistrationSharing modules allowed to read arbitrary file read (bsc#1103809). - CVE-2018-12470: SQL injection in RegistrationSharing module allows remote attackers to run arbitrary SQL statements (bsc#1103810). - CVE-2018-12472: Authentication bypass in sibling check facilitated further attacks on SMT (bsc#1104076). SUSE would like to thank Jake Miller for reporting these issues to us. These non-security issues were fixed in SMT: - Fix cron jobs randomization (bsc#1097560) - Fix duplicate migration paths (bsc#1097824) This non-security issue was fixed in yast2-smt: - Remove cron job rescheduling (bsc#1097560)

Topics Covered

security advisory sql injection important suse authentication bypass yast2-smt smt

References

#1006984 #1006989 #1037811 #1097560 #1097824

#1103809 #1103810 #1104076 #977043

Cross- CVE-2018-12470 CVE-2018-12471 CVE-2018-12472

Affected Products:

SUSE OpenStack Cloud 7

SUSE Linux Enterprise Server for SAP 12-SP2

SUSE Linux Enterprise Server for SAP 12-SP1

SUSE Linux Enterprise Server 12-SP3

SUSE Linux Enterprise Server 12-SP2-LTSS

SUSE Linux Enterprise Server 12-SP1-LTSS

SUSE Linux Enterprise Module for Public Cloud 12

SUSE Enterprise Storage 4

https://www.suse.com/security/cve/CVE-2018-12470.html

https://www.suse.com/security/cve/CVE-2018-12471.html

https://www.suse.com/security/cve/CVE-2018-12472.html

https://bugzilla.suse.com/1006984

https://bugzilla.suse.com/1006989

https://bugzilla.suse.com/1037811

https://bugzilla.suse.com/1097560

Severity

important

Lowest

Low

Medium

High

Critical

Announcement ID: SUSE-SU-2018:2898-1

Rating: important

Topics Covered

security advisory sql injection important suse authentication bypass yast2-smt smt

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Powered By

Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases

QUICK LINKS

subscribe to newsletters!

Like staying secure? So do we.
Sign up for updates, tips, and alerts!

Topics Covered

Topics Covered

Search News & Updates

Recent Searches

Search Advisories & Updates

Recent Searches

Get the latest News and Insights

Our Top Picks

SUSE: 2018:2898-1 Important: Multiple Security Fixes for SMT and YAST2-SMT

Summary

Topics Covered

References

Topics Covered

Get the latest News and Insights

Related News

Powered By

Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases

QUICK LINKS

subscribe to newsletters!

Topics Covered

Topics Covered

Search News & Updates

Recent Searches

Search Advisories & Updates

Recent Searches

Get the latest News and Insights

Our Top Picks

SUSE: 2018:2898-1 Important: Multiple Security Fixes for SMT and YAST2-SMT

Summary

Topics Covered

References

Topics Covered

Get the latest News and Insights

Related Articles

Related News

Powered By

Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases

QUICK LINKS

subscribe to newsletters!