SUSE Security Update: Security update for libeconf, shadow and util-linux
______________________________________________________________________________
Announcement ID: SUSE-SU-2022:0727-2
Rating: moderate
References: #1188507 #1192954 #1193632 #1194976 SLE-23384
SLE-23402
Cross-References: CVE-2021-3995 CVE-2021-3996
CVSS scores:
CVE-2021-3995 (SUSE): 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE-2021-3996 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Affected Products:
SUSE Linux Enterprise Micro 5.2
______________________________________________________________________________
An update that solves two vulnerabilities, contains two
features and has two fixes is now available.
Description:
This security update for libeconf, shadow and util-linux fix the following
issues:
libeconf:
- Add libeconf to SLE-Module-Basesystem_15-SP3 because needed by
'util-linux' and 'shadow' to fix autoyast handling of security related
parameters (bsc#1192954, jsc#SLE-23384, jsc#SLE-23402)
Issues fixed in libeconf:
- Reading numbers with different bases (e.g. oktal) (bsc#1193632) (#157)
- Fixed different issues while writing string values to file.
- Writing comments to file too.
- Fixed crash while merging values.
- Added econftool cat option (#146)
- new API call: econf_readDirsHistory (showing ALL locations)
- new API call: econf_getPath (absolute path of the configuration file)
- Man pages libeconf.3 and econftool.8.
- Handling multiline strings.
- Added libeconf_ext which returns more information like line_nr,
comments, path of the configuration file,...
- Econftool, an command line interface for handling configuration files.
- Generating HTML API documentation with doxygen.
- Improving error handling and semantic file check.
- Joining entries with the same key to one single entry if env variable
ECONF_JOIN_SAME_ENTRIES has been set.
shadow:
- The legacy code does not support /etc/login.defs.d used by YaST. Enable
libeconf to read it (bsc#1192954, jsc#SLE-23384, jsc#SLE-23402)
util-linux:
- The legacy code does not support /etc/login.defs.d used by YaST. Enable
libeconf to read it (bsc#1192954, jsc#SLE-23384, jsc#SLE-23402)
- Allow use of larger values for start sector to prevent `blockdev
--report` aborting (bsc#1188507)
- Fixed `blockdev --report` using non-space characters as a field
separator (bsc#1188507)
- CVE-2021-3995: Fixed unauthorized unmount in util-linux's libmount.
(bsc#1194976)
- CVE-2021-3996: Fixed unauthorized unmount in util-linux's libmount.
(bsc#1194976)
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Micro 5.2:
zypper in -t patch SUSE-SUSE-MicroOS-5.2-2022-727=1
Package List:
- SUSE Linux Enterprise Micro 5.2 (aarch64 s390x x86_64):
libblkid1-2.36.2-150300.4.14.3
libblkid1-debuginfo-2.36.2-150300.4.14.3
libeconf-debugsource-0.4.4+git20220104.962774f-150300.3.6.2
libeconf0-0.4.4+git20220104.962774f-150300.3.6.2
libeconf0-debuginfo-0.4.4+git20220104.962774f-150300.3.6.2
libfdisk1-2.36.2-150300.4.14.3
libfdisk1-debuginfo-2.36.2-150300.4.14.3
libmount1-2.36.2-150300.4.14.3
libmount1-debuginfo-2.36.2-150300.4.14.3
libsmartcols1-2.36.2-150300.4.14.3
libsmartcols1-debuginfo-2.36.2-150300.4.14.3
libuuid1-2.36.2-150300.4.14.3
libuuid1-debuginfo-2.36.2-150300.4.14.3
shadow-4.8.1-150300.4.3.8
shadow-debuginfo-4.8.1-150300.4.3.8
shadow-debugsource-4.8.1-150300.4.3.8
util-linux-2.36.2-150300.4.14.3
util-linux-debuginfo-2.36.2-150300.4.14.3
util-linux-debugsource-2.36.2-150300.4.14.3
util-linux-systemd-2.36.2-150300.4.14.2
util-linux-systemd-debuginfo-2.36.2-150300.4.14.2
util-linux-systemd-debugsource-2.36.2-150300.4.14.2
- SUSE Linux Enterprise Micro 5.2 (noarch):
login_defs-4.8.1-150300.4.3.8
References:
https://www.suse.com/security/cve/CVE-2021-3995.html
https://www.suse.com/security/cve/CVE-2021-3996.html
https://bugzilla.suse.com/1188507
https://bugzilla.suse.com/1192954
https://bugzilla.suse.com/1193632
https://bugzilla.suse.com/1194976
SUSE: 2022:0727-2 moderate: libeconf, shadow and util-linux
April 19, 2022
An update that solves two vulnerabilities, contains two features and has two fixes is now available
Summary
This security update for libeconf, shadow and util-linux fix the following issues: libeconf: - Add libeconf to SLE-Module-Basesystem_15-SP3 because needed by 'util-linux' and 'shadow' to fix autoyast handling of security related parameters (bsc#1192954, jsc#SLE-23384, jsc#SLE-23402) Issues fixed in libeconf: - Reading numbers with different bases (e.g. oktal) (bsc#1193632) (#157) - Fixed different issues while writing string values to file. - Writing comments to file too. - Fixed crash while merging values. - Added econftool cat option (#146) - new API call: econf_readDirsHistory (showing ALL locations) - new API call: econf_getPath (absolute path of the configuration file) - Man pages libeconf.3 and econftool.8. - Handling multiline strings. - Added libeconf_ext which returns more information like line_nr, comments, path of the configuration file,... - Econftool, an command line interface for handling configuration files. - Generating HTML API documentation with doxygen. - Improving error handling and semantic file check. - Joining entries with the same key to one single entry if env variable ECONF_JOIN_SAME_ENTRIES has been set. shadow: - The legacy code does not support /etc/login.defs.d used by YaST. Enable libeconf to read it (bsc#1192954, jsc#SLE-23384, jsc#SLE-23402) util-linux: - The legacy code does not support /etc/login.defs.d used by YaST. Enable libeconf to read it (bsc#1192954, jsc#SLE-23384, jsc#SLE-23402) - Allow use of larger values for start sector to prevent `blockdev --report` aborting (bsc#1188507) - Fixed `blockdev --report` using non-space characters as a field separator (bsc#1188507) - CVE-2021-3995: Fixed unauthorized unmount in util-linux's libmount. (bsc#1194976) - CVE-2021-3996: Fixed unauthorized unmount in util-linux's libmount. (bsc#1194976) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Micro 5.2: zypper in -t patch SUSE-SUSE-MicroOS-5.2-2022-727=1 Package List: - SUSE Linux Enterprise Micro 5.2 (aarch64 s390x x86_64): libblkid1-2.36.2-150300.4.14.3 libblkid1-debuginfo-2.36.2-150300.4.14.3 libeconf-debugsource-0.4.4+git20220104.962774f-150300.3.6.2 libeconf0-0.4.4+git20220104.962774f-150300.3.6.2 libeconf0-debuginfo-0.4.4+git20220104.962774f-150300.3.6.2 libfdisk1-2.36.2-150300.4.14.3 libfdisk1-debuginfo-2.36.2-150300.4.14.3 libmount1-2.36.2-150300.4.14.3 libmount1-debuginfo-2.36.2-150300.4.14.3 libsmartcols1-2.36.2-150300.4.14.3 libsmartcols1-debuginfo-2.36.2-150300.4.14.3 libuuid1-2.36.2-150300.4.14.3 libuuid1-debuginfo-2.36.2-150300.4.14.3 shadow-4.8.1-150300.4.3.8 shadow-debuginfo-4.8.1-150300.4.3.8 shadow-debugsource-4.8.1-150300.4.3.8 util-linux-2.36.2-150300.4.14.3 util-linux-debuginfo-2.36.2-150300.4.14.3 util-linux-debugsource-2.36.2-150300.4.14.3 util-linux-systemd-2.36.2-150300.4.14.2 util-linux-systemd-debuginfo-2.36.2-150300.4.14.2 util-linux-systemd-debugsource-2.36.2-150300.4.14.2 - SUSE Linux Enterprise Micro 5.2 (noarch): login_defs-4.8.1-150300.4.3.8
References
#1188507 #1192954 #1193632 #1194976 SLE-23384
SLE-23402
Cross- CVE-2021-3995 CVE-2021-3996
CVSS scores:
CVE-2021-3995 (SUSE): 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE-2021-3996 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Affected Products:
SUSE Linux Enterprise Micro 5.2
https://www.suse.com/security/cve/CVE-2021-3995.html
https://www.suse.com/security/cve/CVE-2021-3996.html
https://bugzilla.suse.com/1188507
https://bugzilla.suse.com/1192954
https://bugzilla.suse.com/1193632
https://bugzilla.suse.com/1194976
Severity
Announcement ID: SUSE-SU-2022:0727-2
Rating: moderate
News
HOWTOs
About Us
Powered By
