What Are You Looking For?

Sign Up
   SUSE Security Update: Security update for smt, yast2-smt
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:2898-1
Rating:             important
References:         #1006984 #1006989 #1037811 #1097560 #1097824 
                    #1103809 #1103810 #1104076 #977043 
Cross-References:   CVE-2018-12470 CVE-2018-12471 CVE-2018-12472
                   
Affected Products:
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server for SAP 12-SP1
                    SUSE Linux Enterprise Server 12-SP3
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP1-LTSS
                    SUSE Linux Enterprise Module for Public Cloud 12
                    SUSE Enterprise Storage 4
______________________________________________________________________________

   An update that solves three vulnerabilities and has 6 fixes
   is now available.

Description:

   This update for yast2-smt to 3.0.14 and smt to 3.0.37 fixes the following
   issues:

   These security issues were fixed in SMT:

   - CVE-2018-12471: Xml External Entity processing in the
     RegistrationSharing modules allowed to read arbitrary file read
     (bsc#1103809).
   - CVE-2018-12470: SQL injection in RegistrationSharing module allows
     remote attackers to run arbitrary SQL statements (bsc#1103810).
   - CVE-2018-12472: Authentication bypass in sibling check facilitated
     further attacks on SMT (bsc#1104076).

   SUSE would like to thank Jake Miller for reporting these issues to us.

   These non-security issues were fixed in SMT:

   - Fix cron jobs randomization (bsc#1097560)
   - Fix duplicate migration paths (bsc#1097824)

   This non-security issue was fixed in yast2-smt:

   - Remove cron job rescheduling (bsc#1097560)
   - Added missing translation marks (bsc#1037811)
   - Explicitly mention "Organization Credentials" (fate#321759)
   - Rearrange the SMT set-up dialog (bsc#977043)
   - Make the Filter button default (bsc#1006984)
   - Prevent exiting the repo selection dialog via hitting Enter in the
     repository filter (bsc#1006984)
   - report when error occurs during repo mirroring (bsc#1006989)
   - Use TextEntry-based filter for repos (fate#319777)


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 7:

      zypper in -t patch SUSE-OpenStack-Cloud-7-2018-2056=1

   - SUSE Linux Enterprise Server for SAP 12-SP2:

      zypper in -t patch SUSE-SLE-SAP-12-SP2-2018-2056=1

   - SUSE Linux Enterprise Server for SAP 12-SP1:

      zypper in -t patch SUSE-SLE-SAP-12-SP1-2018-2056=1

   - SUSE Linux Enterprise Server 12-SP3:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-2056=1

   - SUSE Linux Enterprise Server 12-SP2-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-2056=1

   - SUSE Linux Enterprise Server 12-SP1-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2018-2056=1

   - SUSE Linux Enterprise Module for Public Cloud 12:

      zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2018-2056=1

   - SUSE Enterprise Storage 4:

      zypper in -t patch SUSE-Storage-4-2018-2056=1



Package List:

   - SUSE OpenStack Cloud 7 (s390x x86_64):

      res-signingkeys-3.0.37-52.23.6
      smt-3.0.37-52.23.6
      smt-debuginfo-3.0.37-52.23.6
      smt-debugsource-3.0.37-52.23.6
      smt-support-3.0.37-52.23.6

   - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):

      res-signingkeys-3.0.37-52.23.6
      smt-3.0.37-52.23.6
      smt-debuginfo-3.0.37-52.23.6
      smt-debugsource-3.0.37-52.23.6
      smt-support-3.0.37-52.23.6

   - SUSE Linux Enterprise Server for SAP 12-SP1 (ppc64le x86_64):

      res-signingkeys-3.0.37-52.23.6
      smt-3.0.37-52.23.6
      smt-debuginfo-3.0.37-52.23.6
      smt-debugsource-3.0.37-52.23.6
      smt-support-3.0.37-52.23.6

   - SUSE Linux Enterprise Server for SAP 12-SP1 (noarch):

      yast2-smt-3.0.14-10.6.2

   - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64):

      res-signingkeys-3.0.37-52.23.6
      smt-3.0.37-52.23.6
      smt-debuginfo-3.0.37-52.23.6
      smt-debugsource-3.0.37-52.23.6
      smt-support-3.0.37-52.23.6

   - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):

      res-signingkeys-3.0.37-52.23.6
      smt-3.0.37-52.23.6
      smt-debuginfo-3.0.37-52.23.6
      smt-debugsource-3.0.37-52.23.6
      smt-support-3.0.37-52.23.6

   - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64):

      res-signingkeys-3.0.37-52.23.6
      smt-3.0.37-52.23.6
      smt-debuginfo-3.0.37-52.23.6
      smt-debugsource-3.0.37-52.23.6
      smt-support-3.0.37-52.23.6

   - SUSE Linux Enterprise Server 12-SP1-LTSS (noarch):

      yast2-smt-3.0.14-10.6.2

   - SUSE Linux Enterprise Module for Public Cloud 12 (aarch64 ppc64le s390x x86_64):

      smt-ha-3.0.37-52.23.6

   - SUSE Linux Enterprise Module for Public Cloud 12 (noarch):

      perl-File-Touch-0.11-3.2.2

   - SUSE Enterprise Storage 4 (x86_64):

      res-signingkeys-3.0.37-52.23.6
      smt-3.0.37-52.23.6
      smt-debuginfo-3.0.37-52.23.6
      smt-debugsource-3.0.37-52.23.6
      smt-support-3.0.37-52.23.6


References:

   https://www.suse.com/security/cve/CVE-2018-12470.html
   https://www.suse.com/security/cve/CVE-2018-12471.html
   https://www.suse.com/security/cve/CVE-2018-12472.html
   https://bugzilla.suse.com/1006984
   https://bugzilla.suse.com/1006989
   https://bugzilla.suse.com/1037811
   https://bugzilla.suse.com/1097560
   https://bugzilla.suse.com/1097824
   https://bugzilla.suse.com/1103809
   https://bugzilla.suse.com/1103810
   https://bugzilla.suse.com/1104076
   https://bugzilla.suse.com/977043

_______________________________________________
sle-security-updates mailing list
sle-security-updates@lists.suse.com
http://lists.suse.com/mailman/listinfo/sle-security-updates

SUSE: 2018:2898-1 important: smt, yast2-smt

September 27, 2018
An update that solves three vulnerabilities and has 6 fixes is now available

Summary

This update for yast2-smt to 3.0.14 and smt to 3.0.37 fixes the following issues: These security issues were fixed in SMT: - CVE-2018-12471: Xml External Entity processing in the RegistrationSharing modules allowed to read arbitrary file read (bsc#1103809). - CVE-2018-12470: SQL injection in RegistrationSharing module allows remote attackers to run arbitrary SQL statements (bsc#1103810). - CVE-2018-12472: Authentication bypass in sibling check facilitated further attacks on SMT (bsc#1104076). SUSE would like to thank Jake Miller for reporting these issues to us. These non-security issues were fixed in SMT: - Fix cron jobs randomization (bsc#1097560) - Fix duplicate migration paths (bsc#1097824) This non-security issue was fixed in yast2-smt: - Remove cron job rescheduling (bsc#1097560) - Added missing translation marks (bsc#1037811) - Explicitly mention "Organization Credentials" (fate#321759) - Rearrange the SMT set-up dialog (bsc#977043) - Make the Filter button default (bsc#1006984) - Prevent exiting the repo selection dialog via hitting Enter in the repository filter (bsc#1006984) - report when error occurs during repo mirroring (bsc#1006989) - Use TextEntry-based filter for repos (fate#319777) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2018-2056=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2018-2056=1 - SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2018-2056=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-2056=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-2056=1 - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2018-2056=1 - SUSE Linux Enterprise Module for Public Cloud 12: zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2018-2056=1 - SUSE Enterprise Storage 4: zypper in -t patch SUSE-Storage-4-2018-2056=1 Package List: - SUSE OpenStack Cloud 7 (s390x x86_64): res-signingkeys-3.0.37-52.23.6 smt-3.0.37-52.23.6 smt-debuginfo-3.0.37-52.23.6 smt-debugsource-3.0.37-52.23.6 smt-support-3.0.37-52.23.6 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): res-signingkeys-3.0.37-52.23.6 smt-3.0.37-52.23.6 smt-debuginfo-3.0.37-52.23.6 smt-debugsource-3.0.37-52.23.6 smt-support-3.0.37-52.23.6 - SUSE Linux Enterprise Server for SAP 12-SP1 (ppc64le x86_64): res-signingkeys-3.0.37-52.23.6 smt-3.0.37-52.23.6 smt-debuginfo-3.0.37-52.23.6 smt-debugsource-3.0.37-52.23.6 smt-support-3.0.37-52.23.6 - SUSE Linux Enterprise Server for SAP 12-SP1 (noarch): yast2-smt-3.0.14-10.6.2 - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): res-signingkeys-3.0.37-52.23.6 smt-3.0.37-52.23.6 smt-debuginfo-3.0.37-52.23.6 smt-debugsource-3.0.37-52.23.6 smt-support-3.0.37-52.23.6 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): res-signingkeys-3.0.37-52.23.6 smt-3.0.37-52.23.6 smt-debuginfo-3.0.37-52.23.6 smt-debugsource-3.0.37-52.23.6 smt-support-3.0.37-52.23.6 - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64): res-signingkeys-3.0.37-52.23.6 smt-3.0.37-52.23.6 smt-debuginfo-3.0.37-52.23.6 smt-debugsource-3.0.37-52.23.6 smt-support-3.0.37-52.23.6 - SUSE Linux Enterprise Server 12-SP1-LTSS (noarch): yast2-smt-3.0.14-10.6.2 - SUSE Linux Enterprise Module for Public Cloud 12 (aarch64 ppc64le s390x x86_64): smt-ha-3.0.37-52.23.6 - SUSE Linux Enterprise Module for Public Cloud 12 (noarch): perl-File-Touch-0.11-3.2.2 - SUSE Enterprise Storage 4 (x86_64): res-signingkeys-3.0.37-52.23.6 smt-3.0.37-52.23.6 smt-debuginfo-3.0.37-52.23.6 smt-debugsource-3.0.37-52.23.6 smt-support-3.0.37-52.23.6

References

#1006984 #1006989 #1037811 #1097560 #1097824

#1103809 #1103810 #1104076 #977043

Cross- CVE-2018-12470 CVE-2018-12471 CVE-2018-12472

Affected Products:

SUSE OpenStack Cloud 7

SUSE Linux Enterprise Server for SAP 12-SP2

SUSE Linux Enterprise Server for SAP 12-SP1

SUSE Linux Enterprise Server 12-SP3

SUSE Linux Enterprise Server 12-SP2-LTSS

SUSE Linux Enterprise Server 12-SP1-LTSS

SUSE Linux Enterprise Module for Public Cloud 12

SUSE Enterprise Storage 4

https://www.suse.com/security/cve/CVE-2018-12470.html

https://www.suse.com/security/cve/CVE-2018-12471.html

https://www.suse.com/security/cve/CVE-2018-12472.html

https://bugzilla.suse.com/1006984

https://bugzilla.suse.com/1006989

https://bugzilla.suse.com/1037811

https://bugzilla.suse.com/1097560

https://bugzilla.suse.com/1097824

https://bugzilla.suse.com/1103809

https://bugzilla.suse.com/1103810

https://bugzilla.suse.com/1104076

https://bugzilla.suse.com/977043

Severity
Announcement ID: SUSE-SU-2018:2898-1
Rating: important

Related News

Krasue RAT Malware Hides on Linux Servers Using Embedded Rootkits

Dec 7, 2023

Kali vs. ParrotOS: 2 Versatile Linux Distros for Security Pros

Dec 9, 2023

Kali Linux 2023.4 Released With New Hacking Tools

Dec 6, 2023

Severe Firefox, Thunderbird Bugs Could Lead to System Takeover

Dec 2, 2023

News

Advisories

HOWTOs

Features

Password Guessing as an Attack Vector
Using Open Source to Ensure Compliance & Data Integrity through Data Governance
Critical Linux Kernel Bugs Lead to DoS, Privilege Escalation - Patch Now!
Unlocking the Future of Authentication: Passkeys vs. Passwords
Empowering MSPs with Straightforward Linux Device Management

About Us

Powered By

Footer Logo