
Stay Secure with the Latest Linux Advisories

Explore Latest Linux Security advisories


RHEL: 2023:4598-2 Critical: libcurl Buffer Overflow Vulnerability

An update that fixes one vulnerability is now available.

SUSE Security Update: Security update for libostree

Announcement ID: SUSE-SU-2022:3671-1
Rating: important
References: #1201770
Cross-References: CVE-2014-9862
CVSS scores:
  CVE-2014-9862 (NVD): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  CVE-2014-9862 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:
  SUSE Linux Enterprise High Performance Computing 15-ESPOS
  SUSE Linux Enterprise High Performance Computing 15-LTSS
  SUSE Linux Enterprise Server 15-LTSS
  SUSE Linux Enterprise Server for SAP 15

Description:

This update for libostree fixes the following issues:

- CVE-2014-9862: Fixed arbitrary write on heap vulnerability (bsc#1201770).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2022-3671=1
- SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2022-3671=1
- SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2022-3671=1
- SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2022-3671=1

Package List:

- SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): libostree-1-1-2018.1-150000.4.3.1 libostree-1-1-debuginfo-2018.1-150000.4.3.1 libostree-2018.1-150000.4.3.1 libostree-debuginfo-2018.1-150000.4.3.1 libostree-debugsource-2018.1-150000.4.3.1 libostree-devel-2018.1-150000.4.3.1 typelib-1_0-OSTree-1_0-2018.1-150000.4.3.1
- SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): libostree-1-1-2018.1-150000.4.3.1 libostree-1-1-debuginfo-2018.1-150000.4.3.1 libostree-2018.1-150000.4.3.1 libostree-debuginfo-2018.1-150000.4.3.1 libostree-debugsource-2018.1-150000.4.3.1 libostree-devel-2018.1-150000.4.3.1 typelib-1_0-OSTree-1_0-2018.1-150000.4.3.1
- SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): libostree-1-1-2018.1-150000.4.3.1 libostree-1-1-debuginfo-2018.1-150000.4.3.1 libostree-2018.1-150000.4.3.1 libostree-debuginfo-2018.1-150000.4.3.1 libostree-debugsource-2018.1-150000.4.3.1 libostree-devel-2018.1-150000.4.3.1 typelib-1_0-OSTree-1_0-2018.1-150000.4.3.1
- SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): libostree-1-1-2018.1-150000.4.3.1 libostree-1-1-debuginfo-2018.1-150000.4.3.1 libostree-2018.1-150000.4.3.1 libostree-debuginfo-2018.1-150000.4.3.1 libostree-debugsource-2018.1-150000.4.3.1 libostree-devel-2018.1-150000.4.3.1 typelib-1_0-OSTree-1_0-2018.1-150000.4.3.1

References:

https://www.suse.com/security/cve/CVE-2014-9862.html
https://bugzilla.suse.com/1201770

An essential patch for libostree addresses a vulnerability related to memory management in SUSE, outlining remediation steps and listing impacted software.

libostree patch, SUSE update, arbitrary write, heap fix.

Severity: Important. LinuxSecurity.com Team

Oct 20, 2022 Important SuSE

SUSE: 2022:3456-1 Important: Libostree Arbitrary Write Security Fix

An update that fixes one vulnerability is now available.

SUSE Security Update: Security update for libostree

Announcement ID: SUSE-SU-2022:3456-1
Rating: important
References: #1201770
Cross-References: CVE-2014-9862
CVSS scores:
  CVE-2014-9862 (NVD): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  CVE-2014-9862 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:
  SUSE Enterprise Storage 7
  SUSE Linux Enterprise Desktop 15-SP3
  SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS
  SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS
  SUSE Linux Enterprise High Performance Computing 15-SP3
  SUSE Linux Enterprise Module for Basesystem 15-SP3
  SUSE Linux Enterprise Module for Desktop Applications 15-SP3
  SUSE Linux Enterprise Server 15-SP2-BCL
  SUSE Linux Enterprise Server 15-SP2-LTSS
  SUSE Linux Enterprise Server 15-SP3
  SUSE Linux Enterprise Server for SAP 15-SP2
  SUSE Linux Enterprise Server for SAP Applications 15-SP3
  SUSE Linux Enterprise Storage 7.1
  SUSE Manager Proxy 4.1
  SUSE Manager Proxy 4.2
  SUSE Manager Retail Branch Server 4.1
  SUSE Manager Retail Branch Server 4.2
  SUSE Manager Server 4.1
  SUSE Manager Server 4.2
  openSUSE Leap 15.3

Description:

This update for libostree fixes the following issues:

- CVE-2014-9862: Fixed arbitrary write on heap vulnerability (bsc#1201770).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product:

- openSUSE Leap 15.3: zypper in -t patch openSUSE-SLE-15.3-2022-3456=1
- SUSE Manager Server 4.1: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.1-2022-3456=1
- SUSE Manager Retail Branch Server 4.1: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.1-2022-3456=1
- SUSE Manager Proxy 4.1: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.1-2022-3456=1
- SUSE Linux Enterprise Server for SAP 15-SP2: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2022-3456=1
- SUSE Linux Enterprise Server 15-SP2-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2022-3456=1
- SUSE Linux Enterprise Server 15-SP2-BCL: zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-BCL-2022-3456=1
- SUSE Linux Enterprise Module for Desktop Applications 15-SP3: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP3-2022-3456=1
- SUSE Linux Enterprise Module for Basesystem 15-SP3: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2022-3456=1
- SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2022-3456=1
- SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-ESPOS-2022-3456=1
- SUSE Enterprise Storage 7: zypper in -t patch SUSE-Storage-7-2022-3456=1

Package List:

- openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64): libostree-1-1-2020.8-150200.3.6.1 libostree-1-1-debuginfo-2020.8-150200.3.6.1 libostree-2020.8-150200.3.6.1 libostree-debuginfo-2020.8-150200.3.6.1 libostree-debugsource-2020.8-150200.3.6.1 libostree-devel-2020.8-150200.3.6.1 typelib-1_0-OSTree-1_0-2020.8-150200.3.6.1
- openSUSE Leap 15.3 (aarch64 ppc64le x86_64): libostree-grub2-2020.8-150200.3.6.1
- SUSE Manager Server 4.1 (ppc64le s390x x86_64): libostree-1-1-2020.8-150200.3.6.1 libostree-1-1-debuginfo-2020.8-150200.3.6.1 libostree-2020.8-150200.3.6.1 libostree-debuginfo-2020.8-150200.3.6.1 libostree-debugsource-2020.8-150200.3.6.1 libostree-devel-2020.8-150200.3.6.1 typelib-1_0-OSTree-1_0-2020.8-150200.3.6.1
- SUSE Manager Retail Branch Server 4.1 (x86_64): libostree-1-1-2020.8-150200.3.6.1 libostree-1-1-debuginfo-2020.8-150200.3.6.1 libostree-2020.8-150200.3.6.1 libostree-debuginfo-2020.8-150200.3.6.1 libostree-debugsource-2020.8-150200.3.6.1 libostree-devel-2020.8-150200.3.6.1 typelib-1_0-OSTree-1_0-2020.8-150200.3.6.1
- SUSE Manager Proxy 4.1 (x86_64): libostree-1-1-2020.8-150200.3.6.1 libostree-1-1-debuginfo-2020.8-150200.3.6.1 libostree-2020.8-150200.3.6.1 libostree-debuginfo-2020.8-150200.3.6.1 libostree-debugsource-2020.8-150200.3.6.1 libostree-devel-2020.8-150200.3.6.1 typelib-1_0-OSTree-1_0-2020.8-150200.3.6.1
- SUSE Linux Enterprise Server for SAP 15-SP2 (ppc64le x86_64): libostree-1-1-2020.8-150200.3.6.1 libostree-1-1-debuginfo-2020.8-150200.3.6.1 libostree-2020.8-150200.3.6.1 libostree-debuginfo-2020.8-150200.3.6.1 libostree-debugsource-2020.8-150200.3.6.1 libostree-devel-2020.8-150200.3.6.1 typelib-1_0-OSTree-1_0-2020.8-150200.3.6.1
- SUSE Linux Enterprise Server 15-SP2-LTSS (aarch64 ppc64le s390x x86_64): libostree-1-1-2020.8-150200.3.6.1 libostree-1-1-debuginfo-2020.8-150200.3.6.1 libostree-2020.8-150200.3.6.1 libostree-debuginfo-2020.8-150200.3.6.1 libostree-debugsource-2020.8-150200.3.6.1 libostree-devel-2020.8-150200.3.6.1 typelib-1_0-OSTree-1_0-2020.8-150200.3.6.1
- SUSE Linux Enterprise Server 15-SP2-BCL (x86_64): libostree-1-1-2020.8-150200.3.6.1 libostree-1-1-debuginfo-2020.8-150200.3.6.1 libostree-2020.8-150200.3.6.1 libostree-debuginfo-2020.8-150200.3.6.1 libostree-debugsource-2020.8-150200.3.6.1 libostree-devel-2020.8-150200.3.6.1 typelib-1_0-OSTree-1_0-2020.8-150200.3.6.1
- SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (aarch64 ppc64le s390x x86_64): libostree-2020.8-150200.3.6.1 libostree-debuginfo-2020.8-150200.3.6.1 libostree-debugsource-2020.8-150200.3.6.1 libostree-devel-2020.8-150200.3.6.1 typelib-1_0-OSTree-1_0-2020.8-150200.3.6.1
- SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64): libostree-1-1-2020.8-150200.3.6.1 libostree-1-1-debuginfo-2020.8-150200.3.6.1 libostree-debuginfo-2020.8-150200.3.6.1 libostree-debugsource-2020.8-150200.3.6.1
- SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (aarch64 x86_64): libostree-1-1-2020.8-150200.3.6.1 libostree-1-1-debuginfo-2020.8-150200.3.6.1 libostree-2020.8-150200.3.6.1 libostree-debuginfo-2020.8-150200.3.6.1 libostree-debugsource-2020.8-150200.3.6.1 libostree-devel-2020.8-150200.3.6.1 typelib-1_0-OSTree-1_0-2020.8-150200.3.6.1
- SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (aarch64 x86_64): libostree-1-1-2020.8-150200.3.6.1 libostree-1-1-debuginfo-2020.8-150200.3.6.1 libostree-2020.8-150200.3.6.1 libostree-debuginfo-2020.8-150200.3.6.1 libostree-debugsource-2020.8-150200.3.6.1 libostree-devel-2020.8-150200.3.6.1 typelib-1_0-OSTree-1_0-2020.8-150200.3.6.1
- SUSE Enterprise Storage 7 (aarch64 x86_64): libostree-1-1-2020.8-150200.3.6.1 libostree-1-1-debuginfo-2020.8-150200.3.6.1 libostree-2020.8-150200.3.6.1 libostree-debuginfo-2020.8-150200.3.6.1 libostree-debugsource-2020.8-150200.3.6.1 libostree-devel-2020.8-150200.3.6.1 typelib-1_0-OSTree-1_0-2020.8-150200.3.6.1

References:

https://www.suse.com/security/cve/CVE-2014-9862.html
https://bugzilla.suse.com/1201770

Keep your SUSE Linux secure by following our patch guide for libostree, including vulnerability checks, update steps, and post-update verification.

SUSE Update, libostree Security, Arbitrary Write Patch.

Severity: Important. LinuxSecurity.com Team

Sep 28, 2022 Important SuSE

SUSE 15-SP1: 2022:3455-1 Important: libostree Arbitrary Write

An update that fixes one vulnerability is now available.

SUSE Security Update: Security update for libostree

Announcement ID: SUSE-SU-2022:3455-1
Rating: important
References: #1201770
Cross-References: CVE-2014-9862
CVSS scores:
  CVE-2014-9862 (NVD): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  CVE-2014-9862 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:
  SUSE CaaS Platform 4.0
  SUSE Enterprise Storage 6
  SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
  SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
  SUSE Linux Enterprise Server 15-SP1-BCL
  SUSE Linux Enterprise Server 15-SP1-LTSS
  SUSE Linux Enterprise Server for SAP 15-SP1

Description:

This update for libostree fixes the following issues:

- CVE-2014-9862: Fixed arbitrary write on heap vulnerability (bsc#1201770).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 15-SP1: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2022-3455=1
- SUSE Linux Enterprise Server 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2022-3455=1
- SUSE Linux Enterprise Server 15-SP1-BCL: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2022-3455=1
- SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2022-3455=1
- SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2022-3455=1
- SUSE Enterprise Storage 6: zypper in -t patch SUSE-Storage-6-2022-3455=1
- SUSE CaaS Platform 4.0: To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.

Package List:

- SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64): libostree-1-1-2018.9-150100.7.4.1 libostree-1-1-debuginfo-2018.9-150100.7.4.1 libostree-2018.9-150100.7.4.1 libostree-debuginfo-2018.9-150100.7.4.1 libostree-debugsource-2018.9-150100.7.4.1 libostree-devel-2018.9-150100.7.4.1 typelib-1_0-OSTree-1_0-2018.9-150100.7.4.1
- SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64): libostree-1-1-2018.9-150100.7.4.1 libostree-1-1-debuginfo-2018.9-150100.7.4.1 libostree-2018.9-150100.7.4.1 libostree-debuginfo-2018.9-150100.7.4.1 libostree-debugsource-2018.9-150100.7.4.1 libostree-devel-2018.9-150100.7.4.1 typelib-1_0-OSTree-1_0-2018.9-150100.7.4.1
- SUSE Linux Enterprise Server 15-SP1-BCL (x86_64): libostree-1-1-2018.9-150100.7.4.1 libostree-1-1-debuginfo-2018.9-150100.7.4.1 libostree-2018.9-150100.7.4.1 libostree-debuginfo-2018.9-150100.7.4.1 libostree-debugsource-2018.9-150100.7.4.1 libostree-devel-2018.9-150100.7.4.1 typelib-1_0-OSTree-1_0-2018.9-150100.7.4.1
- SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64): libostree-1-1-2018.9-150100.7.4.1 libostree-1-1-debuginfo-2018.9-150100.7.4.1 libostree-2018.9-150100.7.4.1 libostree-debuginfo-2018.9-150100.7.4.1 libostree-debugsource-2018.9-150100.7.4.1 libostree-devel-2018.9-150100.7.4.1 typelib-1_0-OSTree-1_0-2018.9-150100.7.4.1
- SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64): libostree-1-1-2018.9-150100.7.4.1 libostree-1-1-debuginfo-2018.9-150100.7.4.1 libostree-2018.9-150100.7.4.1 libostree-debuginfo-2018.9-150100.7.4.1 libostree-debugsource-2018.9-150100.7.4.1 libostree-devel-2018.9-150100.7.4.1 typelib-1_0-OSTree-1_0-2018.9-150100.7.4.1
- SUSE Enterprise Storage 6 (aarch64 x86_64): libostree-1-1-2018.9-150100.7.4.1 libostree-1-1-debuginfo-2018.9-150100.7.4.1 libostree-2018.9-150100.7.4.1 libostree-debuginfo-2018.9-150100.7.4.1 libostree-debugsource-2018.9-150100.7.4.1 libostree-devel-2018.9-150100.7.4.1 typelib-1_0-OSTree-1_0-2018.9-150100.7.4.1
- SUSE CaaS Platform 4.0 (x86_64): libostree-1-1-2018.9-150100.7.4.1 libostree-1-1-debuginfo-2018.9-150100.7.4.1 libostree-2018.9-150100.7.4.1 libostree-debuginfo-2018.9-150100.7.4.1 libostree-debugsource-2018.9-150100.7.4.1 libostree-devel-2018.9-150100.7.4.1 typelib-1_0-OSTree-1_0-2018.9-150100.7.4.1

References:

https://www.suse.com/security/cve/CVE-2014-9862.html
https://bugzilla.suse.com/1201770

The latest libostree update addresses significant vulnerabilities in the SUSE distribution, rated as critical. Explore how to apply this update for better security.

SUSE Security Update, libostree Patch, Important Update.

Severity: Important. LinuxSecurity.com Team

Sep 28, 2022 Important SuSE

SUSE: 2022:3094-1 important: Libostree Memory Corruption

An update that fixes one vulnerability is now available.

SUSE Security Update: Security update for libostree

Announcement ID: SUSE-SU-2022:3094-1
Rating: important
References: #1201770
Cross-References: CVE-2014-9862
CVSS scores:
  CVE-2014-9862 (NVD): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  CVE-2014-9862 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:
  SUSE Linux Enterprise Desktop 15-SP4
  SUSE Linux Enterprise High Performance Computing 15-SP4
  SUSE Linux Enterprise Module for Basesystem 15-SP4
  SUSE Linux Enterprise Module for Desktop Applications 15-SP4
  SUSE Linux Enterprise Server 15-SP4
  SUSE Linux Enterprise Server for SAP Applications 15-SP4
  SUSE Manager Proxy 4.3
  SUSE Manager Retail Branch Server 4.3
  SUSE Manager Server 4.3
  openSUSE Leap 15.4

Description:

This update for libostree fixes the following issues:

- CVE-2014-9862: Fixed a memory corruption issue that could be triggered when diffing binary files (bsc#1201770).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product:

- openSUSE Leap 15.4: zypper in -t patch openSUSE-SLE-15.4-2022-3094=1
- SUSE Linux Enterprise Module for Desktop Applications 15-SP4: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP4-2022-3094=1
- SUSE Linux Enterprise Module for Basesystem 15-SP4: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP4-2022-3094=1

Package List:

- openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64): libostree-1-1-2021.6-150400.3.3.1 libostree-1-1-debuginfo-2021.6-150400.3.3.1 libostree-2021.6-150400.3.3.1 libostree-debuginfo-2021.6-150400.3.3.1 libostree-debugsource-2021.6-150400.3.3.1 libostree-devel-2021.6-150400.3.3.1 typelib-1_0-OSTree-1_0-2021.6-150400.3.3.1
- openSUSE Leap 15.4 (aarch64 ppc64le x86_64): libostree-grub2-2021.6-150400.3.3.1
- SUSE Linux Enterprise Module for Desktop Applications 15-SP4 (aarch64 ppc64le s390x x86_64): libostree-2021.6-150400.3.3.1 libostree-debuginfo-2021.6-150400.3.3.1 libostree-debugsource-2021.6-150400.3.3.1 libostree-devel-2021.6-150400.3.3.1 typelib-1_0-OSTree-1_0-2021.6-150400.3.3.1
- SUSE Linux Enterprise Module for Basesystem 15-SP4 (aarch64 ppc64le s390x x86_64): libostree-1-1-2021.6-150400.3.3.1 libostree-1-1-debuginfo-2021.6-150400.3.3.1 libostree-debuginfo-2021.6-150400.3.3.1 libostree-debugsource-2021.6-150400.3.3.1

References:

https://www.suse.com/security/cve/CVE-2014-9862.html
https://bugzilla.suse.com/1201770

This Fedora patch corrects a significant buffer overflow flaw in libarchive, boosting overall system protection substantially.

SUSE Security Update, Libostree Patch, Linux Desktop Security.

Severity: Important. LinuxSecurity.com Team

Sep 06, 2022 Important SuSE

openSUSE 15.2 Security Update: Important Flatpak Issues Critical DoS

An update that solves one vulnerability and has three fixes is now available.

openSUSE Security Update: Security update for flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk

Announcement ID: openSUSE-SU-2021:0520-1
Rating: important
References: #1133120 #1133124 #1175899 #1180996
Cross-References: CVE-2021-21261
CVSS scores:
  CVE-2021-21261 (NVD): 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  CVE-2021-21261 (SUSE): 7.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Affected Products:
  openSUSE Leap 15.2

Description:

This update for flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk fixes the following issues:

libostree: Update to version 2020.8

- Enable LTO. (bsc#1133120)
- This update contains scalability improvements and bugfixes.
- Caching-related HTTP headers are now supported on summaries and signatures, so that they do not have to be re-downloaded if not changed in the meanwhile.
- Summaries and delta have been reworked to allow more fine-grained fetching.
- Fixes several bugs related to atomic variables, HTTP timeouts, and 32-bit architectures.
- Static deltas can now be signed to more easily support offline verification.
- There's now support for multiple initramfs images; it is possible to have a "main" initramfs image and a secondary one which represents local configuration.
- The documentation is now moved to https://ostreedev.github.io/ostree/
- Fix for an assertion failure when upgrading from systems before ostree supported devicetree.
- ostree no longer hardlinks zero sized files to avoid hitting filesystem maximum link counts.
- ostree now supports `/` and `/boot` being on the same filesystem.
- Improvements to the GObject Introspection metadata, some (cosmetic) static analyzer fixes, a fix for the immutable bit on s390x, dropping a deprecated bit in the systemd unit file.
- Fix a regression in 2020.4 where the "readonly sysroot" changes incorrectly left the sysroot read-only on systems that started out with a read-only `/` (most of them, e.g. Fedora Silverblue/IoT at least).
- The default dracut config now enables reproducibility.
- There is a new ostree admin unlock `--transient`. This should be a foundation for further support for "live" updates.
- New `ed25519` signing support, powered by `libsodium`.
- ostree commit gained a new `--base` argument, which significantly simplifies constructing "derived" commits, particularly for systems using SELinux.
- Handling of the read-only sysroot was reimplemented to run in the initramfs and be more reliable. Enabling the `readonly=true` flag in the repo config is recommended.
- Several fixes in locking for the temporary "staging" directories OSTree creates, particularly on NFS.
- A new `timestamp-check-from-rev` option was added for pulls, which makes downgrade protection more reliable and will be used by Fedora CoreOS.
- Several fixes and enhancements made for "collection" pulls including a new `--mirror` option.
- The ostree commit command learned a new `--mode-ro-executables` which enforces `W^R` semantics on all executables.
- Added a new commit metadata key `OSTREE_COMMIT_META_KEY_ARCHITECTURE` to help standardize the architecture of the OSTree commit. This could be used on the client side for example to sanity-check that the commit matches the architecture of the machine before deploying.
- Stop invalid usage of `%_libexecdir`:
  + Use `%{_prefix}/lib` where appropriate.
  + Use `_systemdgeneratordir` for the systemd-generators.
  + Define `_dracutmodulesdir` based on `dracut.pc`. Add BuildRequires(dracut) for this to work.

xdg-desktop-portal: Update to version 1.8.0:

- Ensure systemd rpm macros are called at install/uninstall times for systemd user services.
- Add BuildRequires on systemd-rpm-macros.
- openuri:
- Allow skipping the chooser for more URL types
- Robustness fixes
- filechooser:
- Return the current filter
- Add a "directory" option
- Document the "writable" option
- camera:
- Make the client node visible
- Don't leak pipewire proxy
- Fix file descriptor leaks
- Testsuite improvements
- Updated translations.
- document:
- Reduce the use of open fds
- Add more tests and fix issues they found
- Expose directories with their proper name
- Support exporting directories
- New fuse implementation
- background: Avoid a segfault
- screencast: Require pipewire 0.3
- Better support for snap and toolbox
- Require `/usr/bin/fusermount`: `xdg-document-portal` calls out to the binary. (bsc#1175899) Without it, files or dirs can be selected, but whatever is done with or in them will not have any effect
- Fixes for `%_libexecdir` changing to `/usr/libexec`

xdg-desktop-portal-gtk: Update to version 1.8.0:

- filechooser:
- Return the current filter
- Handle the "directory" option to select directories
- Only show preview when we have an image
- screenshot: Fix cancellation
- appchooser: Avoid a crash
- wallpaper:
- Properly preview placement settings
- Drop the lockscreen option
- printing: Improve the notification
- Updated translations.
- settings: Fall back to gsettings for enable-animations
- screencast: Support Mutter version to 3 (New pipewire api ver 3).

flatpak:

- Update to version 1.10.2 (jsc#SLE-17238, ECO-3148)
- This is a security update which fixes a potential attack where a flatpak application could use a custom formatted `.desktop` file to gain access to files on the host system.
- Fix memory leaks
- Documentation and translations updates
- Spawn portal better handles non-utf8 filenames
- Fix flatpak build on systems with setuid bwrap
- Fix crash on updating apps with no deploy data
- Remove deprecated texinfo packaging macros.
- Support for the new repo format which should make updates faster and download less data.
- The systemd generator snippets now call flatpak `--print-updated-env` in place of a bunch of shell for better login performance.
- The `.profile` snippets now disable GVfs when calling flatpak to avoid spawning a gvfs daemon when logging in via ssh.
- Flatpak now finds the pulseaudio sockets better in uncommon configurations.
- Sandboxes with network access now also have access to the `systemd-resolved` socket to do dns lookups.
- Flatpak supports unsetting environment variables in the sandbox using `--unset-env`, and `--env=FOO=` now sets FOO to the empty string instead of unsetting it.
- The spawn portal now has an option to share the pid namespace with the sub-sandbox.
- This security update fixes a sandbox escape where a malicious application can execute code outside the sandbox by controlling the environment of the "flatpak run" command when spawning a sub-sandbox (bsc#1180996, CVE-2021-21261)
- Fix support for ppc64.
- Move flatpak-bisect and flatpak-coredumpctl to devel subpackage, allow to remove python3 dependency on main package.
- Enable LTO as gobject-introspection works fine with LTO. (bsc#1133124)
- Fixed progress reporting for OCI and extra-data.
- The in-memory summary cache is more efficient.
- Fixed authentication getting stuck in a loop in some cases.
- Fixed authentication error reporting.
- Extract OCI info for runtimes as well as apps.
- Fixed crash if anonymous authentication fails and `-y` is specified.
- flatpak info now only looks at the specified installation if one is specified.
- Better error reporting for server HTTP errors during download.
- Uninstall now removes applications before the runtime it depends on.
- Avoid updating metadata from the remote when uninstalling.
- FlatpakTransaction now verifies all passed in refs to avoid.
- Added validation of collection id settings for remotes.
- Fix seccomp filters on s390.
- Robustness fixes to the spawn portal.
- Fix support for masking update in the system installation.
- Better support for distros with uncommon models of merged `/usr`.
- Cache responses from localed/AccountService.
- Fix hangs in cases where `xdg-dbus-proxy` fails to start.
- Fix double-free in cups socket detection.
- OCI authenticator now doesn't ask for auth in case of http errors.
- Fix invalid usage of `%{_libexecdir}` to reference systemd directories.
- Fixes for `%_libexecdir` changing to `/usr/libexec`
- Avoid calling authenticator in update if ref didn't change
- Don't fail transaction if ref is already installed (after transaction start)
- Fix flatpak run handling of userns in the `--device=all` case
- Fix handling of extensions from different remotes
- Fix flatpak run `--no-session-bus`
- `FlatpakTransaction` has a new signal `install-authenticator` which clients can handle to install authenticators needed for the transaction. This is done in the CLI commands.
- Now the host timezone data is always exposed, fixing several apps that had timezone issues.
- There's a new systemd unit (not installed by default) to automatically detect plugged in usb sticks with sideload repos.
- By default the `gdm env.d` file is no longer installed because the systemd generators work better.
- `create-usb` now exports partial commits by default
- Fix handling of docker media types in oci remotes
- Fix subjects in `remote-info --log` output
- This release is also able to host flatpak images on e.g. docker hub.

This update was imported from the SUSE:SLE-15-SP2:Update update project.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product:

- openSUSE Leap 15.2: zypper in -t patch openSUSE-2021-520=1

Package List:

- openSUSE Leap 15.2 (i586 x86_64): libostree-1-1-2020.8-lp152.2.3.1 libostree-1-1-debuginfo-2020.8-lp152.2.3.1 libostree-2020.8-lp152.2.3.1 libostree-debuginfo-2020.8-lp152.2.3.1 libostree-debugsource-2020.8-lp152.2.3.1 libostree-devel-2020.8-lp152.2.3.1 libostree-grub2-2020.8-lp152.2.3.1 typelib-1_0-OSTree-1_0-2020.8-lp152.2.3.1
- openSUSE Leap 15.2 (x86_64): flatpak-1.10.2-lp152.3.6.1 flatpak-debuginfo-1.10.2-lp152.3.6.1 flatpak-debugsource-1.10.2-lp152.3.6.1 flatpak-devel-1.10.2-lp152.3.6.1 flatpak-zsh-completion-1.10.2-lp152.3.6.1 libflatpak0-1.10.2-lp152.3.6.1 libflatpak0-debuginfo-1.10.2-lp152.3.6.1 system-user-flatpak-1.10.2-lp152.3.6.1 typelib-1_0-Flatpak-1_0-1.10.2-lp152.3.6.1 xdg-desktop-portal-1.8.0-lp152.4.3.1 xdg-desktop-portal-debuginfo-1.8.0-lp152.4.3.1 xdg-desktop-portal-debugsource-1.8.0-lp152.4.3.1 xdg-desktop-portal-devel-1.8.0-lp152.4.3.1 xdg-desktop-portal-gtk-1.8.0-lp152.2.3.1 xdg-desktop-portal-gtk-debuginfo-1.8.0-lp152.2.3.1 xdg-desktop-portal-gtk-debugsource-1.8.0-lp152.2.3.1
- openSUSE Leap 15.2 (noarch): xdg-desktop-portal-gtk-lang-1.8.0-lp152.2.3.1 xdg-desktop-portal-lang-1.8.0-lp152.4.3.1

References:

https://www.suse.com/security/cve/CVE-2021-21261.html
https://bugzilla.suse.com/1133120
https://bugzilla.suse.com/1133124
https://bugzilla.suse.com/1175899
https://bugzilla.suse.com/1180996

A recent patch tackles an urgent vulnerability in openSUSE, affecting the flatpak and xdg-desktop-portal modules.

openSUSE Security Update, Flatpak Issue, Libostree Update.

Severity: Important. LinuxSecurity.com Team

Apr 09, 2021 Important OpenSUSE

SUSE: 2021:1094-1 Important Flatpak DoS Risk Security Update

An update that solves one vulnerability, contains one feature and has three fixes is now available. . SUSE Security Update: Security update for flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1094-1 Rating: important References: #1133120 #1133124 #1175899 #1180996 SLE-7171 Cross-References: CVE-2021-21261 CVSS scores: CVE-2021-21261 (NVD) : 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2021-21261 (SUSE): 7.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N Affected Products: SUSE Linux Enterprise Module for Desktop Applications 15-SP2 SUSE Linux Enterprise Module for Basesystem 15-SP2 ______________________________________________________________________________ An update that solves one vulnerability, contains one feature and has three fixes is now available. Description: This update for flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk fixes the following issues: libostree: Update to version 2020.8 - Enable LTO. (bsc#1133120) - This update contains scalability improvements and bugfixes. - Caching-related HTTP headers are now supported on summaries and signatures, so that they do not have to be re-downloaded if not changed in the meanwhile. - Summaries and delta have been reworked to allow more fine-grained fetching. - Fixes several bugs related to atomic variables, HTTP timeouts, and 32-bit architectures. - Static deltas can now be signed to more easily support offline verification. - There's now support for multiple initramfs images; Is it possible to have a "main" initramfs image and a secondary one which represents local configuration. - The documentation is now moved to https://ostreedev.github.io/ostree/ - Fix for an assertion failure when upgradingfrom systems before ostree supported devicetree. - ostree no longer hardlinks zero sized files to avoid hitting filesystem maximum link counts. 
- ostree now supports `/` and `/boot` being on the same filesystem.
- Improvements to the GObject Introspection metadata, some (cosmetic) static analyzer fixes, a fix for the immutable bit on s390x, dropping a deprecated bit in the systemd unit file.
- Fix a regression in 2020.4 where the "readonly sysroot" changes incorrectly left the sysroot read-only on systems that started out with a read-only `/` (most of them, e.g. Fedora Silverblue/IoT at least).
- The default dracut config now enables reproducibility.
- There is a new ostree admin unlock `--transient`. This should be a foundation for further support for "live" updates.
- New `ed25519` signing support, powered by `libsodium`.
- ostree commit gained a new `--base` argument, which significantly simplifies constructing "derived" commits, particularly for systems using SELinux.
- Handling of the read-only sysroot was reimplemented to run in the initramfs and be more reliable. Enabling the `readonly=true` flag in the repo config is recommended.
- Several fixes in locking for the temporary "staging" directories OSTree creates, particularly on NFS.
- A new `timestamp-check-from-rev` option was added for pulls, which makes downgrade protection more reliable and will be used by Fedora CoreOS.
- Several fixes and enhancements made for "collection" pulls including a new `--mirror` option.
- The ostree commit command learned a new `--mode-ro-executables` which enforces `W^R` semantics on all executables.
- Added a new commit metadata key `OSTREE_COMMIT_META_KEY_ARCHITECTURE` to help standardize the architecture of the OSTree commit. This could be used on the client side for example to sanity-check that the commit matches the architecture of the machine before deploying.
- Stop invalid usage of `%_libexecdir`:
  + Use `%{_prefix}/lib` where appropriate.
  + Use `_systemdgeneratordir` for the systemd-generators.
  + Define `_dracutmodulesdir` based on `dracut.pc`. Add BuildRequires(dracut) for this to work.

xdg-desktop-portal:

Update to version 1.8.0:

- Ensure systemd rpm macros are called at install/uninstall times for systemd user services.
- Add BuildRequires on systemd-rpm-macros.
- openuri:
  - Allow skipping the chooser for more URL types
  - Robustness fixes
- filechooser:
  - Return the current filter
  - Add a "directory" option
  - Document the "writable" option
- camera:
  - Make the client node visible
  - Don't leak pipewire proxy
- Fix file descriptor leaks
- Testsuite improvements
- Updated translations.
- document:
  - Reduce the use of open fds
  - Add more tests and fix issues they found
  - Expose directories with their proper name
  - Support exporting directories
  - New fuse implementation
- background: Avoid a segfault
- screencast: Require pipewire 0.3
- Better support for snap and toolbox
- Require `/usr/bin/fusermount`: `xdg-document-portal` calls out to the binary. (bsc#1175899) Without it, files or dirs can be selected, but whatever is done with or in them, will not have any effect
- Fixes for `%_libexecdir` changing to `/usr/libexec`

xdg-desktop-portal-gtk:

Update to version 1.8.0:

- filechooser:
  - Return the current filter
  - Handle the "directory" option to select directories
  - Only show preview when we have an image
- screenshot: Fix cancellation
- appchooser: Avoid a crash
- wallpaper:
  - Properly preview placement settings
  - Drop the lockscreen option
- printing: Improve the notification
- Updated translations.
- settings: Fall back to gsettings for enable-animations
- screencast: Support Mutter version to 3 (New pipewire api ver 3).

flatpak:

- Update to version 1.10.2 (jsc#SLE-17238, ECO-3148)
- This is a security update which fixes a potential attack where a flatpak application could use a custom formatted `.desktop` file to gain access to files on the host system.
- Fix memory leaks
- Documentation and translations updates
- Spawn portal better handles non-utf8 filenames
- Fix flatpak build on systems with setuid bwrap
- Fix crash on updating apps with no deploy data
- Remove deprecated texinfo packaging macros.
- Support for the new repo format which should make updates faster and download less data.
- The systemd generator snippets now call flatpak `--print-updated-env` in place of a bunch of shell for better login performance.
- The `.profile` snippets now disable GVfs when calling flatpak to avoid spawning a gvfs daemon when logging in via ssh.
- Flatpak now finds the pulseaudio sockets better in uncommon configurations.
- Sandboxes with network access now also have access to the `systemd-resolved` socket to do dns lookups.
- Flatpak supports unsetting environment variables in the sandbox using `--unset-env`, and `--env=FOO=` now sets FOO to the empty string instead of unsetting it.
- The spawn portal now has an option to share the pid namespace with the sub-sandbox.
- This security update fixes a sandbox escape where a malicious application can execute code outside the sandbox by controlling the environment of the "flatpak run" command when spawning a sub-sandbox (bsc#1180996, CVE-2021-21261)
- Fix support for ppc64.
- Move flatpak-bisect and flatpak-coredumpctl to devel subpackage, allow to remove python3 dependency on main package.
- Enable LTO as gobject-introspection works fine with LTO. (bsc#1133124)
- Fixed progress reporting for OCI and extra-data.
- The in-memory summary cache is more efficient.
- Fixed authentication getting stuck in a loop in some cases.
- Fixed authentication error reporting.
- Extract OCI info for runtimes as well as apps.
- Fixed crash if anonymous authentication fails and `-y` is specified.
- flatpak info now only looks at the specified installation if one is specified.
- Better error reporting for server HTTP errors during download.
- Uninstall now removes applications before the runtime it depends on.
- Avoid updating metadata from the remote when uninstalling.
- FlatpakTransaction now verifies all passed in refs to avoid.
- Added validation of collection id settings for remotes.
- Fix seccomp filters on s390.
- Robustness fixes to the spawn portal.
- Fix support for masking update in the system installation.
- Better support for distros with uncommon models of merged `/usr`.
- Cache responses from localed/AccountService.
- Fix hangs in cases where `xdg-dbus-proxy` fails to start.
- Fix double-free in cups socket detection.
- OCI authenticator now doesn't ask for auth in case of http errors.
- Fix invalid usage of `%{_libexecdir}` to reference systemd directories.
- Fixes for `%_libexecdir` changing to `/usr/libexec`
- Avoid calling authenticator in update if ref didn't change
- Don't fail transaction if ref is already installed (after transaction start)
- Fix flatpak run handling of userns in the `--device=all` case
- Fix handling of extensions from different remotes
- Fix flatpak run `--no-session-bus`
- `FlatpakTransaction` has a new signal `install-authenticator` which clients can handle to install authenticators needed for the transaction. This is done in the CLI commands.
- Now the host timezone data is always exposed, fixing several apps that had timezone issues.
- There's a new systemd unit (not installed by default) to automatically detect plugged in usb sticks with sideload repos.
- By default the `gdm env.d` file is no longer installed because the systemd generators work better.
- `create-usb` now exports partial commits by default
- Fix handling of docker media types in oci remotes
- Fix subjects in `remote-info --log` output
- This release is also able to host flatpak images on e.g. docker hub.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Desktop Applications 15-SP2:
  zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2021-1094=1
- SUSE Linux Enterprise Module for Basesystem 15-SP2:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1094=1

Package List:

- SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (aarch64 ppc64le s390x x86_64):
  flatpak-1.10.2-4.6.1
  flatpak-debuginfo-1.10.2-4.6.1
  flatpak-debugsource-1.10.2-4.6.1
  flatpak-devel-1.10.2-4.6.1
  flatpak-zsh-completion-1.10.2-4.6.1
  libflatpak0-1.10.2-4.6.1
  libflatpak0-debuginfo-1.10.2-4.6.1
  libostree-2020.8-3.3.2
  libostree-debuginfo-2020.8-3.3.2
  libostree-debugsource-2020.8-3.3.2
  libostree-devel-2020.8-3.3.2
  system-user-flatpak-1.10.2-4.6.1
  typelib-1_0-Flatpak-1_0-1.10.2-4.6.1
  typelib-1_0-OSTree-1_0-2020.8-3.3.2
  xdg-desktop-portal-1.8.0-5.3.2
  xdg-desktop-portal-debuginfo-1.8.0-5.3.2
  xdg-desktop-portal-debugsource-1.8.0-5.3.2
  xdg-desktop-portal-devel-1.8.0-5.3.2
  xdg-desktop-portal-gtk-1.8.0-3.3.1
  xdg-desktop-portal-gtk-debuginfo-1.8.0-3.3.1
  xdg-desktop-portal-gtk-debugsource-1.8.0-3.3.1
- SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (noarch):
  xdg-desktop-portal-gtk-lang-1.8.0-3.3.1
  xdg-desktop-portal-lang-1.8.0-5.3.2
- SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):
  libostree-1-1-2020.8-3.3.2
  libostree-1-1-debuginfo-2020.8-3.3.2
  libostree-debuginfo-2020.8-3.3.2
  libostree-debugsource-2020.8-3.3.2

References:

https://www.suse.com/security/cve/CVE-2021-21261.html
https://bugzilla.suse.com/1133120
https://bugzilla.suse.com/1133124
https://bugzilla.suse.com/1175899
https://bugzilla.suse.com/1180996

Urgent security patch for SUSE targeting a sandbox breach flaw within flatpak and associated components.

flatpak security update, DoS risk fix, SUSE libostree update.

Severity: Important.

LinuxSecurity.com Team

Apr 07, 2021 Important SuSE