Explore top 10 tips to secure your open-source projects now. Read More
×tar-rs could be made to modify permissions on arbitrary directories.. ========================================================================== Ubuntu Security Notice USN-8138-1 April 01, 2026 rust-tar vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 25.10 - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS Summary: tar-rs could be made to modify permissions on arbitrary directories. Software Description: - rust-tar: A tar archive reading/writing library for Rust Details: It was discovered that tar-rs incorrectly handled symlinks when unpacking a tar archive. If a user or automated system were tricked into processing a specially crafted tar archive, a remote attacker could use this issue to modify permissions of arbitrary directories outside the extraction root, and possibly escalate privileges. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 25.10 librust-tar-dev 0.4.43-4ubuntu0.1 Ubuntu 24.04 LTS librust-tar-dev 0.4.40-1ubuntu0.1 Ubuntu 22.04 LTS librust-tar+default-dev 0.4.37-3ubuntu0.1 librust-tar-dev 0.4.37-3ubuntu0.1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8138-1 CVE-2026-33056 Package Information: https://launchpad.net/ubuntu/+source/rust-tar/0.4.43-4ubuntu0.1 https://launchpad.net/ubuntu/+source/rust-tar/0.4.40-1ubuntu0.1 https://launchpad.net/ubuntu/+source/rust-tar/0.4.37-3ubuntu0.1 . A critical rust-tar issue allows permission modifications on arbitrary directories. Update for Ubuntu systems to secure your environment.. rust-tar permissions issue, Ubuntu security advisory, privilege escalation Ubuntu, rust-tar vulnerability, Ubuntu update instructions. . Severity: Important. LinuxSecurity.com Team
Backport fixes for CVE-2024-6174 and CVE-2024-11584 cloud-init included the systemd socket unit cloud-init-hotplugd.socket with default SocketMode that grants 0666 permissions, making it world-writable. An unprivelege user could trigger hotplug-hook commands (CVE-2024-11584) When a non-x86 platform is detected, cloud-init granted root access to a. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2025-b93ee7b368 2025-07-30 01:21:50.253416+00:00 -------------------------------------------------------------------------------- Name : cloud-init Product : Fedora 42 Version : 24.2 Release : 5.fc42 URL : https://github.com/canonical/cloud-init Summary : Cloud instance init scripts Description : Cloud-init is a set of init scripts for cloud instances. Cloud instances need special scripts to run during initialization to retrieve and install ssh keys and to let the user run various scripts. -------------------------------------------------------------------------------- Update Information: Backport fixes for CVE-2024-6174 and CVE-2024-11584 cloud-init included the systemd socket unit cloud-init-hotplugd.socket with default SocketMode that grants 0666 permissions, making it world-writable. An unprivelege user could trigger hotplug-hook commands (CVE-2024-11584) When a non-x86 platform is detected, cloud-init granted root access to a hardcoded url with a local IP address. To prevent this, cloud-init default configurations disable platform enumeration (CVE-2024-6174) Note that the fix for CVE-2024-6174 includes a change that may break non-x86 OpenStack Nova users. Affected users may wish to use ConfigDrive as a workaround -------------------------------------------------------------------------------- ChangeLog: * Mon Jul 21 2025 Jeremy Cline - 24.2-5 - Backport fixes for CVE-2024-6174 and CVE-2024-11584 - cloud-init included the systemd socket unit cloud-init-hotplugd.socket withdefault SocketMode that grants 0666 permissions, making it world- writable. An unprivelege user could trigger hotplug-hook commands (CVE-2024-11584) -------------------------------------------------------------------------------- References: [ 1 ] Bug #2375012 - CVE-2024-6174 cloud-init: From CVEorg collector [fedora-41] https://bugzilla.redhat.com/show_bug.cgi?id=2375012 [ 2 ] Bug #2375013 - CVE-2024-6174 cloud-init: From CVEorg collector [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2375013 [ 3 ] Bug #2375025 - CVE-2024-11584 cloud-init: From CVEorg collector [fedora-41] https://bugzilla.redhat.com/show_bug.cgi?id=2375025 [ 4 ] Bug #2375026 - CVE-2024-11584 cloud-init: From CVEorg collector [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2375026 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-b93ee7b368' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
Brief introduction CVE-2023-6597 . - ------------------------------------------------------------------------- Debian LTS Advisory DLA-3948-1
Incorrect Default Permissions vulnerability in Apache Tomcat Connectors allows local users to view and modify shared memory containing mod_jk configuration which may lead to information disclosure and/or denial of service. (CVE-2024-46544) . MGASA-2024-0315 - Updated apache-mod_jk packages fix security vulnerability Publication date: 27 Sep 2024 URL: https://advisories.mageia.org/MGASA-2024-0315.html Type: security Affected Mageia releases: 9 CVE: CVE-2024-46544 Incorrect Default Permissions vulnerability in Apache Tomcat Connectors allows local users to view and modify shared memory containing mod_jk configuration which may lead to information disclosure and/or denial of service. (CVE-2024-46544) References: - https://bugs.mageia.org/show_bug.cgi?id=33586 - https://www.openwall.com/lists/oss-security/2024/09/23/1 - https://www.cve.org/CVERecord?id=CVE-2024-46544 SRPMS: - 9/core/apache-mod_jk-1.2.50-1.mga9 . Revised Nginx mod_proxy modules address vulnerabilities related to user permissions and configuration integrity.. apache mod_jk, permissions flaw, security update. . LinuxSecurity.com Team
* bsc#1218728 Cross-References: * CVE-2024-23301 . # Security update for rear116 Announcement ID: SUSE-SU-2024:0291-1 Rating: important References: * bsc#1218728 Cross-References: * CVE-2024-23301 CVSS scores: * CVE-2024-23301 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2024-23301 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Affected Products: * SUSE Linux Enterprise High Availability Extension 12 SP5 * SUSE Linux Enterprise High Performance Computing 12 SP5 * SUSE Linux Enterprise Server 12 SP5 * SUSE Linux Enterprise Server for SAP Applications 12 SP5 An update that solves one vulnerability can now be installed. ## Description: This update for rear116 fixes the following issues: * CVE-2024-23301: Corrected world-readable permissions for initrd, which could be an issue if it contains sensitive information (bsc#1218728). ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * SUSE Linux Enterprise Server for SAP Applications 12 SP5 zypper in -t patch SUSE-SLE-HA-12-SP5-2024-291=1 * SUSE Linux Enterprise High Availability Extension 12 SP5 zypper in -t patch SUSE-SLE-HA-12-SP5-2024-291=1 ## Package List: * SUSE Linux Enterprise Server for SAP Applications 12 SP5 (noarch) * rear116-1.16-15.3.1 * SUSE Linux Enterprise High Availability Extension 12 SP5 (noarch) * rear116-1.16-15.3.1 ## References: * https://www.suse.com/security/cve/CVE-2024-23301.html * https://bugzilla.suse.com/show_bug.cgi?id=1218728 . The release of rear116 resolves a critical permissions vulnerability found in SUSE Linux Enterprise systems, which pertains to the unauthorized access of confidential information.. SUSE Linux Update,rear116 Security Fix,SUSE Vulnerability Management,Importance of Security Updates,Linux Enterprise Security. . Severity: Important.LinuxSecurity.com Team
* bsc#1218728 Cross-References: * CVE-2024-23301 . # Security update for rear1172a Announcement ID: SUSE-SU-2024:0292-1 Rating: important References: * bsc#1218728 Cross-References: * CVE-2024-23301 CVSS scores: * CVE-2024-23301 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2024-23301 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Affected Products: * SUSE Linux Enterprise High Availability Extension 12 SP5 * SUSE Linux Enterprise High Performance Computing 12 SP5 * SUSE Linux Enterprise Server 12 SP5 * SUSE Linux Enterprise Server for SAP Applications 12 SP5 An update that solves one vulnerability can now be installed. ## Description: This update for rear1172a fixes the following issues: * CVE-2024-23301: Corrected world-readable permissions for initrd, which could be an issue if it contains sensitive information (bsc#1218728). ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * SUSE Linux Enterprise Server for SAP Applications 12 SP5 zypper in -t patch SUSE-SLE-HA-12-SP5-2024-292=1 * SUSE Linux Enterprise High Availability Extension 12 SP5 zypper in -t patch SUSE-SLE-HA-12-SP5-2024-292=1 ## Package List: * SUSE Linux Enterprise Server for SAP Applications 12 SP5 (x86_64) * rear1172a-1.17.2.a-5.3.1 * SUSE Linux Enterprise High Availability Extension 12 SP5 (x86_64) * rear1172a-1.17.2.a-5.3.1 ## References: * https://www.suse.com/security/cve/CVE-2024-23301.html * https://bugzilla.suse.com/show_bug.cgi?id=1218728 . The recent patch for rear1172a resolves significant access control vulnerabilities, ensuring the safeguarding of confidential information in SUSE systems.. SUSE Linux, rear1172a Security, Important Update, High Availability Security, Permissions Fix. . Severity: Important. LinuxSecurity.com Team
This update for slurm fixes the following issues: Update to slurm 23.02.6:. # Security update for slurm Announcement ID: SUSE-SU-2024:0284-1 Rating: important References: * bsc#1216869 * bsc#1217711 * bsc#1218046 * bsc#1218049 * bsc#1218050 * bsc#1218051 * bsc#1218053 Cross-References: * CVE-2023-49933 * CVE-2023-49935 * CVE-2023-49936 * CVE-2023-49937 * CVE-2023-49938 CVSS scores: * CVE-2023-49933 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N * CVE-2023-49933 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N * CVE-2023-49935 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N * CVE-2023-49935 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2023-49936 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H * CVE-2023-49936 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2023-49937 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H * CVE-2023-49937 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H * CVE-2023-49938 ( SUSE ): 5.1 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N * CVE-2023-49938 ( NVD ): 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N Affected Products: * HPC Module 15-SP5 * openSUSE Leap 15.5 * SUSE Linux Enterprise Desktop 15 SP5 * SUSE Linux Enterprise High Performance Computing 15 SP5 * SUSE Linux Enterprise Micro 5.5 * SUSE Linux Enterprise Real Time 15 SP5 * SUSE Linux Enterprise Server 15 SP5 * SUSE Linux Enterprise Server for SAP Applications 15 SP5 * SUSE Package Hub 15 15-SP5 An update that solves five vulnerabilities and has two security fixes can now be installed. ## Description: This update for slurm fixes the following issues: Update to slurm 23.02.6: Security fixes: * CVE-2023-49933: Prevent message extension attacks that could bypass the message hash. (bsc#1218046) * CVE-2023-49935: Prevent message hash bypass in slurmd which can allow an attacker to reuse root-level MUNGE tokens andescalate permissions. (bsc#1218049) * CVE-2023-49936: Prevent NULL pointer dereference on `size_valp` overflow. (bsc#1218050) * CVE-2023-49937: Prevent double-xfree() on error in `_unpack_node_reg_resp()`. (bsc#1218051) * CVE-2023-49938: Prevent modified `sbcast` RPCs from opening a file with the wrong group permissions. (bsc#1218053) Other fixes: * Add missing service file for slurmrestd (bsc#1217711). * Fix slurm upgrading to incompatible versions (bsc#1216869). ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * HPC Module 15-SP5 zypper in -t patch SUSE-SLE-Module-HPC-15-SP5-2024-284=1 * SUSE Package Hub 15 15-SP5 zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP5-2024-284=1 * openSUSE Leap 15.5 zypper in -t patch SUSE-2024-284=1 openSUSE-SLE-15.5-2024-284=1 ## Package List: * HPC Module 15-SP5 (aarch64 x86_64) * slurm-sql-debuginfo-23.02.7-150500.5.15.1 * slurm-munge-23.02.7-150500.5.15.1 * slurm-cray-23.02.7-150500.5.15.1 * slurm-pam_slurm-debuginfo-23.02.7-150500.5.15.1 * slurm-slurmdbd-debuginfo-23.02.7-150500.5.15.1 * slurm-rest-23.02.7-150500.5.15.1 * slurm-torque-debuginfo-23.02.7-150500.5.15.1 * slurm-plugin-ext-sensors-rrd-23.02.7-150500.5.15.1 * perl-slurm-debuginfo-23.02.7-150500.5.15.1 * slurm-auth-none-23.02.7-150500.5.15.1 * slurm-plugin-ext-sensors-rrd-debuginfo-23.02.7-150500.5.15.1 * slurm-sview-23.02.7-150500.5.15.1 * slurm-debuginfo-23.02.7-150500.5.15.1 * slurm-23.02.7-150500.5.15.1 * slurm-node-23.02.7-150500.5.15.1 * slurm-devel-23.02.7-150500.5.15.1 * slurm-plugins-debuginfo-23.02.7-150500.5.15.1 * slurm-torque-23.02.7-150500.5.15.1 * libpmi0-23.02.7-150500.5.15.1 * libpmi0-debuginfo-23.02.7-150500.5.15.1 * slurm-auth-none-debuginfo-23.02.7-150500.5.15.1 *slurm-sql-23.02.7-150500.5.15.1 * libnss_slurm2-23.02.7-150500.5.15.1 * libnss_slurm2-debuginfo-23.02.7-150500.5.15.1 * slurm-cray-debuginfo-23.02.7-150500.5.15.1 * slurm-rest-debuginfo-23.02.7-150500.5.15.1 * slurm-sview-debuginfo-23.02.7-150500.5.15.1 * perl-slurm-23.02.7-150500.5.15.1 * slurm-pam_slurm-23.02.7-150500.5.15.1 * slurm-debugsource-23.02.7-150500.5.15.1 * slurm-lua-23.02.7-150500.5.15.1 * libslurm39-debuginfo-23.02.7-150500.5.15.1 * libslurm39-23.02.7-150500.5.15.1 * slurm-munge-debuginfo-23.02.7-150500.5.15.1 * slurm-node-debuginfo-23.02.7-150500.5.15.1 * slurm-plugins-23.02.7-150500.5.15.1 * slurm-slurmdbd-23.02.7-150500.5.15.1 * slurm-lua-debuginfo-23.02.7-150500.5.15.1 * HPC Module 15-SP5 (noarch) * slurm-config-man-23.02.7-150500.5.15.1 * slurm-doc-23.02.7-150500.5.15.1 * slurm-config-23.02.7-150500.5.15.1 * slurm-webdoc-23.02.7-150500.5.15.1 * SUSE Package Hub 15 15-SP5 (ppc64le s390x) * slurm-sql-debuginfo-23.02.7-150500.5.15.1 * slurm-munge-23.02.7-150500.5.15.1 * slurm-cray-23.02.7-150500.5.15.1 * slurm-pam_slurm-debuginfo-23.02.7-150500.5.15.1 * slurm-slurmdbd-debuginfo-23.02.7-150500.5.15.1 * slurm-rest-23.02.7-150500.5.15.1 * slurm-hdf5-23.02.7-150500.5.15.1 * slurm-torque-debuginfo-23.02.7-150500.5.15.1 * perl-slurm-debuginfo-23.02.7-150500.5.15.1 * slurm-auth-none-23.02.7-150500.5.15.1 * slurm-sview-23.02.7-150500.5.15.1 * slurm-debuginfo-23.02.7-150500.5.15.1 * slurm-23.02.7-150500.5.15.1 * slurm-node-23.02.7-150500.5.15.1 * slurm-devel-23.02.7-150500.5.15.1 * slurm-plugins-debuginfo-23.02.7-150500.5.15.1 * slurm-torque-23.02.7-150500.5.15.1 * libpmi0-23.02.7-150500.5.15.1 * libpmi0-debuginfo-23.02.7-150500.5.15.1 * slurm-auth-none-debuginfo-23.02.7-150500.5.15.1 * slurm-sql-23.02.7-150500.5.15.1 * libnss_slurm2-23.02.7-150500.5.15.1 * libnss_slurm2-debuginfo-23.02.7-150500.5.15.1 *slurm-cray-debuginfo-23.02.7-150500.5.15.1 * slurm-rest-debuginfo-23.02.7-150500.5.15.1 * slurm-sview-debuginfo-23.02.7-150500.5.15.1 * perl-slurm-23.02.7-150500.5.15.1 * slurm-pam_slurm-23.02.7-150500.5.15.1 * slurm-debugsource-23.02.7-150500.5.15.1 * slurm-lua-23.02.7-150500.5.15.1 * slurm-munge-debuginfo-23.02.7-150500.5.15.1 * slurm-hdf5-debuginfo-23.02.7-150500.5.15.1 * slurm-node-debuginfo-23.02.7-150500.5.15.1 * slurm-plugins-23.02.7-150500.5.15.1 * slurm-slurmdbd-23.02.7-150500.5.15.1 * slurm-lua-debuginfo-23.02.7-150500.5.15.1 * SUSE Package Hub 15 15-SP5 (noarch) * slurm-seff-23.02.7-150500.5.15.1 * slurm-openlava-23.02.7-150500.5.15.1 * slurm-doc-23.02.7-150500.5.15.1 * slurm-config-23.02.7-150500.5.15.1 * slurm-webdoc-23.02.7-150500.5.15.1 * slurm-config-man-23.02.7-150500.5.15.1 * slurm-sjstat-23.02.7-150500.5.15.1 * openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64) * slurm-sql-debuginfo-23.02.7-150500.5.15.1 * slurm-munge-23.02.7-150500.5.15.1 * slurm-cray-23.02.7-150500.5.15.1 * slurm-pam_slurm-debuginfo-23.02.7-150500.5.15.1 * slurm-slurmdbd-debuginfo-23.02.7-150500.5.15.1 * slurm-rest-23.02.7-150500.5.15.1 * slurm-hdf5-23.02.7-150500.5.15.1 * slurm-torque-debuginfo-23.02.7-150500.5.15.1 * slurm-plugin-ext-sensors-rrd-23.02.7-150500.5.15.1 * perl-slurm-debuginfo-23.02.7-150500.5.15.1 * slurm-auth-none-23.02.7-150500.5.15.1 * slurm-plugin-ext-sensors-rrd-debuginfo-23.02.7-150500.5.15.1 * slurm-sview-23.02.7-150500.5.15.1 * slurm-debuginfo-23.02.7-150500.5.15.1 * slurm-23.02.7-150500.5.15.1 * slurm-node-23.02.7-150500.5.15.1 * slurm-devel-23.02.7-150500.5.15.1 * slurm-plugins-debuginfo-23.02.7-150500.5.15.1 * slurm-torque-23.02.7-150500.5.15.1 * libpmi0-23.02.7-150500.5.15.1 * libpmi0-debuginfo-23.02.7-150500.5.15.1 * slurm-auth-none-debuginfo-23.02.7-150500.5.15.1 * slurm-sql-23.02.7-150500.5.15.1 *libnss_slurm2-23.02.7-150500.5.15.1 * libnss_slurm2-debuginfo-23.02.7-150500.5.15.1 * slurm-cray-debuginfo-23.02.7-150500.5.15.1 * slurm-rest-debuginfo-23.02.7-150500.5.15.1 * slurm-sview-debuginfo-23.02.7-150500.5.15.1 * perl-slurm-23.02.7-150500.5.15.1 * slurm-testsuite-23.02.7-150500.5.15.1 * slurm-pam_slurm-23.02.7-150500.5.15.1 * slurm-debugsource-23.02.7-150500.5.15.1 * slurm-lua-23.02.7-150500.5.15.1 * libslurm39-debuginfo-23.02.7-150500.5.15.1 * libslurm39-23.02.7-150500.5.15.1 * slurm-munge-debuginfo-23.02.7-150500.5.15.1 * slurm-hdf5-debuginfo-23.02.7-150500.5.15.1 * slurm-node-debuginfo-23.02.7-150500.5.15.1 * slurm-plugins-23.02.7-150500.5.15.1 * slurm-slurmdbd-23.02.7-150500.5.15.1 * slurm-lua-debuginfo-23.02.7-150500.5.15.1 * openSUSE Leap 15.5 (noarch) * slurm-seff-23.02.7-150500.5.15.1 * slurm-openlava-23.02.7-150500.5.15.1 * slurm-doc-23.02.7-150500.5.15.1 * slurm-config-23.02.7-150500.5.15.1 * slurm-webdoc-23.02.7-150500.5.15.1 * slurm-config-man-23.02.7-150500.5.15.1 * slurm-sjstat-23.02.7-150500.5.15.1 ## References: * https://www.suse.com/security/cve/CVE-2023-49933.html * https://www.suse.com/security/cve/CVE-2023-49935.html * https://www.suse.com/security/cve/CVE-2023-49936.html * https://www.suse.com/security/cve/CVE-2023-49937.html * https://www.suse.com/security/cve/CVE-2023-49938.html * https://bugzilla.suse.com/show_bug.cgi?id=1216869 * https://bugzilla.suse.com/show_bug.cgi?id=1217711 * https://bugzilla.suse.com/show_bug.cgi?id=1218046 * https://bugzilla.suse.com/show_bug.cgi?id=1218049 * https://bugzilla.suse.com/show_bug.cgi?id=1218050 * https://bugzilla.suse.com/show_bug.cgi?id=1218051 * https://bugzilla.suse.com/show_bug.cgi?id=1218053 . Essential security patch for slurm addresses multiple vulnerabilities and enhances overall protection. Important for every affected user.. SUSE Updates, slurm Security, System Improvement, Patch Management. . Severity:Important. LinuxSecurity.com Team
* bsc#1218728 Cross-References: * CVE-2024-23301 . # Security update for rear23a Announcement ID: SUSE-SU-2024:0239-1 Rating: important References: * bsc#1218728 Cross-References: * CVE-2024-23301 CVSS scores: * CVE-2024-23301 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2024-23301 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Affected Products: * SUSE Linux Enterprise High Availability Extension 15 SP1 * SUSE Linux Enterprise High Availability Extension 15 SP2 * SUSE Linux Enterprise High Performance Computing 15 SP1 * SUSE Linux Enterprise High Performance Computing 15 SP2 * SUSE Linux Enterprise Server 15 SP1 * SUSE Linux Enterprise Server 15 SP1 Business Critical Linux 15-SP1 * SUSE Linux Enterprise Server 15 SP2 * SUSE Linux Enterprise Server 15 SP2 Business Critical Linux 15-SP2 * SUSE Linux Enterprise Server for SAP Applications 15 SP1 * SUSE Linux Enterprise Server for SAP Applications 15 SP2 * SUSE Manager Proxy 4.0 * SUSE Manager Proxy 4.1 * SUSE Manager Retail Branch Server 4.0 * SUSE Manager Retail Branch Server 4.1 * SUSE Manager Server 4.0 * SUSE Manager Server 4.1 An update that solves one vulnerability can now be installed. ## Description: This update for rear23a fixes the following issues: * CVE-2024-23301: Corrected world-readable permissions for initrd, which could be an issue if it contains sensitive information (bsc#1218728). ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * SUSE Linux Enterprise High Availability Extension 15 SP1 zypper in -t patch SUSE-SLE-Product-HA-15-SP1-2024-239=1 * SUSE Linux Enterprise High Availability Extension 15 SP2 zypper in -t patch SUSE-SLE-Product-HA-15-SP2-2024-239=1 ## Package List: * SUSE Linux Enterprise High Availability Extension 15 SP1 (ppc64le x86_64) *rear23a-2.3.a-150000.9.9.1 * SUSE Linux Enterprise High Availability Extension 15 SP2 (ppc64le x86_64) * rear23a-2.3.a-150000.9.9.1 ## References: * https://www.suse.com/security/cve/CVE-2024-23301.html * https://bugzilla.suse.com/show_bug.cgi?id=1218728 . A critical update for rear23a has been released, resolving CVE-2024-23301's vulnerabilities in access management within SUSE Linux.. SUSE Linux Update,rear23a,Permissions Issue,Important Advisory,Security Fix. . Severity: Important. LinuxSecurity.com Team
Get the latest Linux and open source security news straight to your inbox.