Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 584
Alerts This Week
Warning Icon 1 584

SUSE: 2018:2899-1 Important: SMT Authentication Bypass and SQL Injection

suse
Calendar Grey September 27, 2018
Scroller Suse
SUSE Security Update: Security update for smt ______________________________________________________
An update that solves three vulnerabilities and has two fixes is now available

Summary

This update for smt to 2.0.34 fixes the following issues: These security issues were fixed: - CVE-2018-12471: Xml External Entity processing in the RegistrationSharing modules allowed to read arbitrary file read (bsc#1103809) - CVE-2018-12470: SQL injection in RegistrationSharing module allows remote attackers to run arbitary SQL statements (bsc#1103810) - CVE-2018-12472: Authentication bypass in sibling check facilitated further attacks on SMT (bsc#1104076) SUSE would like to thank Jake Miller for reporting these issues to us. This non-security issue was fixed: - More verbose incomplete registration logging (bsc#1072921, bsc#1074608) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

References

#1072921 #1074608 #1103809 #1103810 #1104076

Cross- CVE-2018-12470 CVE-2018-12471 CVE-2018-12472

Affected Products:

Subscription Management Tool for SUSE Linux Enterprise 11-SP3

https://www.suse.com/security/cve/CVE-2018-12470.html

https://www.suse.com/security/cve/CVE-2018-12471.html

https://www.suse.com/security/cve/CVE-2018-12472.html

https://bugzilla.suse.com/1072921

https://bugzilla.suse.com/1074608

https://bugzilla.suse.com/1103809

https://bugzilla.suse.com/1103810

https://bugzilla.suse.com/1104076

Severity
important
Lowest
Low
Medium
High
Critical

Announcement ID: SUSE-SU-2018:2899-1
Rating: important

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.