AusCERT - Security Bulletins

Latest published security bulletins. See https://www.auscert.org.au/rss/ for feed information.
Updated: 36 minutes 51 seconds ago
ASB-2022.0085 - ALERT [Win] Microsoft Windows products: CVSS (Max): 9.8
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2022.0085
Microsoft Patch Tuesday update for Microsoft Windows for April 2022
13 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: HEVC Video Extensions
Windows 10, 11, 8.1 and RT 8.1
Windows Server
Windows Upgrade Assistant
Operating System: Windows
Resolution: Patch/Upgrade
CVE Names: CVE-2022-26920 CVE-2022-26919 CVE-2022-26918
CVE-2022-26917 CVE-2022-26916 CVE-2022-26915
CVE-2022-26914 CVE-2022-26904 CVE-2022-26903
CVE-2022-26831 CVE-2022-26830 CVE-2022-26829
CVE-2022-26828 CVE-2022-26827 CVE-2022-26826
CVE-2022-26825 CVE-2022-26824 CVE-2022-26823
CVE-2022-26822 CVE-2022-26821 CVE-2022-26820
CVE-2022-26819 CVE-2022-26818 CVE-2022-26817
CVE-2022-26816 CVE-2022-26815 CVE-2022-26814
CVE-2022-26813 CVE-2022-26812 CVE-2022-26811
CVE-2022-26810 CVE-2022-26809 CVE-2022-26808
CVE-2022-26807 CVE-2022-26803 CVE-2022-26802
CVE-2022-26801 CVE-2022-26798 CVE-2022-26797
CVE-2022-26796 CVE-2022-26795 CVE-2022-26794
CVE-2022-26793 CVE-2022-26792 CVE-2022-26791
CVE-2022-26790 CVE-2022-26789 CVE-2022-26788
CVE-2022-26787 CVE-2022-26786 CVE-2022-26785
CVE-2022-26784 CVE-2022-26783 CVE-2022-24550
CVE-2022-24549 CVE-2022-24547 CVE-2022-24546
CVE-2022-24545 CVE-2022-24544 CVE-2022-24543
CVE-2022-24542 CVE-2022-24541 CVE-2022-24540
CVE-2022-24539 CVE-2022-24538 CVE-2022-24537
CVE-2022-24536 CVE-2022-24534 CVE-2022-24533
CVE-2022-24532 CVE-2022-24530 CVE-2022-24528
CVE-2022-24527 CVE-2022-24521 CVE-2022-24500
CVE-2022-24499 CVE-2022-24498 CVE-2022-24496
CVE-2022-24495 CVE-2022-24494 CVE-2022-24493
CVE-2022-24492 CVE-2022-24491 CVE-2022-24490
CVE-2022-24489 CVE-2022-24488 CVE-2022-24487
CVE-2022-24486 CVE-2022-24485 CVE-2022-24484
CVE-2022-24483 CVE-2022-24481 CVE-2022-24479
CVE-2022-24474 CVE-2022-23268 CVE-2022-23257
CVE-2022-22009 CVE-2022-22008 CVE-2022-21983
Comment: CVSS (Max): 9.8 CVE-2022-26809 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
CVSS Source: Microsoft
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
OVERVIEW
Microsoft has released its monthly security patch update for the
month of April 2022.
This update resolves 99 vulnerabilities across the following
products: [1]
HEVC Video Extension
HEVC Video Extensions
Windows 10
Windows 11
Windows 8.1
Windows RT 8.1
Windows Server
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016
Windows Server 2019
Windows Server 2022
Windows Upgrade Assistant
IMPACT
Microsoft has given the following details regarding these vulnerabilities.
Details Impact Severity
CVE-2022-21983 Remote Code Execution Important
CVE-2022-22008 Remote Code Execution Critical
CVE-2022-22009 Remote Code Execution Important
CVE-2022-23257 Remote Code Execution Critical
CVE-2022-23268 Denial of Service Important
CVE-2022-24474 Elevation of Privilege Important
CVE-2022-24479 Elevation of Privilege Important
CVE-2022-24481 Elevation of Privilege Important
CVE-2022-24483 Information Disclosure Important
CVE-2022-24484 Denial of Service Important
CVE-2022-24485 Remote Code Execution Important
CVE-2022-24486 Elevation of Privilege Important
CVE-2022-24487 Remote Code Execution Important
CVE-2022-24488 Elevation of Privilege Important
CVE-2022-24489 Elevation of Privilege Important
CVE-2022-24490 Information Disclosure Important
CVE-2022-24491 Remote Code Execution Critical
CVE-2022-24492 Remote Code Execution Important
CVE-2022-24493 Information Disclosure Important
CVE-2022-24494 Elevation of Privilege Important
CVE-2022-24495 Remote Code Execution Important
CVE-2022-24496 Elevation of Privilege Important
CVE-2022-24498 Information Disclosure Important
CVE-2022-24499 Elevation of Privilege Important
CVE-2022-24500 Remote Code Execution Critical
CVE-2022-24521 Elevation of Privilege Important
CVE-2022-24527 Elevation of Privilege Important
CVE-2022-24528 Remote Code Execution Important
CVE-2022-24530 Elevation of Privilege Important
CVE-2022-24532 Remote Code Execution Important
CVE-2022-24533 Remote Code Execution Important
CVE-2022-24534 Remote Code Execution Important
CVE-2022-24536 Remote Code Execution Important
CVE-2022-24537 Remote Code Execution Critical
CVE-2022-24538 Denial of Service Important
CVE-2022-24539 Information Disclosure Important
CVE-2022-24540 Elevation of Privilege Important
CVE-2022-24541 Remote Code Execution Critical
CVE-2022-24542 Elevation of Privilege Important
CVE-2022-24543 Remote Code Execution Important
CVE-2022-24544 Elevation of Privilege Important
CVE-2022-24545 Remote Code Execution Important
CVE-2022-24546 Elevation of Privilege Important
CVE-2022-24547 Elevation of Privilege Important
CVE-2022-24549 Elevation of Privilege Important
CVE-2022-24550 Elevation of Privilege Important
CVE-2022-26783 Information Disclosure Important
CVE-2022-26784 Denial of Service Important
CVE-2022-26785 Information Disclosure Important
CVE-2022-26786 Elevation of Privilege Important
CVE-2022-26787 Elevation of Privilege Important
CVE-2022-26788 Elevation of Privilege Important
CVE-2022-26789 Elevation of Privilege Important
CVE-2022-26790 Elevation of Privilege Important
CVE-2022-26791 Elevation of Privilege Important
CVE-2022-26792 Elevation of Privilege Important
CVE-2022-26793 Elevation of Privilege Important
CVE-2022-26794 Elevation of Privilege Important
CVE-2022-26795 Elevation of Privilege Important
CVE-2022-26796 Elevation of Privilege Important
CVE-2022-26797 Elevation of Privilege Important
CVE-2022-26798 Elevation of Privilege Important
CVE-2022-26801 Elevation of Privilege Important
CVE-2022-26802 Elevation of Privilege Important
CVE-2022-26803 Elevation of Privilege Important
CVE-2022-26807 Elevation of Privilege Important
CVE-2022-26808 Elevation of Privilege Important
CVE-2022-26809 Remote Code Execution Critical
CVE-2022-26810 Elevation of Privilege Important
CVE-2022-26811 Remote Code Execution Important
CVE-2022-26812 Remote Code Execution Important
CVE-2022-26813 Remote Code Execution Important
CVE-2022-26814 Remote Code Execution Important
CVE-2022-26815 Remote Code Execution Important
CVE-2022-26816 Information Disclosure Important
CVE-2022-26817 Remote Code Execution Important
CVE-2022-26818 Remote Code Execution Important
CVE-2022-26819 Remote Code Execution Important
CVE-2022-26820 Remote Code Execution Important
CVE-2022-26821 Remote Code Execution Important
CVE-2022-26822 Remote Code Execution Important
CVE-2022-26823 Remote Code Execution Important
CVE-2022-26824 Remote Code Execution Important
CVE-2022-26825 Remote Code Execution Important
CVE-2022-26826 Remote Code Execution Important
CVE-2022-26827 Elevation of Privilege Important
CVE-2022-26828 Elevation of Privilege Important
CVE-2022-26829 Remote Code Execution Important
CVE-2022-26830 Remote Code Execution Important
CVE-2022-26831 Denial of Service Important
CVE-2022-26903 Remote Code Execution Important
CVE-2022-26904 Elevation of Privilege Important
CVE-2022-26914 Elevation of Privilege Important
CVE-2022-26915 Denial of Service Important
CVE-2022-26916 Remote Code Execution Important
CVE-2022-26917 Remote Code Execution Important
CVE-2022-26918 Remote Code Execution Important
CVE-2022-26919 Remote Code Execution Critical
CVE-2022-26920 Information Disclosure Important
MITIGATION
Microsoft recommends updating the affected software with the versions made
available in the Microsoft Update Catalog under the following
Knowledge Base articles [1]:
KB5012591, KB5012592, KB5012596, KB5012599, KB5012604
KB5012639, KB5012647, KB5012650, KB5012653, KB5012666
KB5012670
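The MITIGATION block above is the part of a bulletin an operator actually acts on, and the CVE Names list, the IMPACT table and the KB list all follow a fixed plain-text layout. The Python below is an added example for this page, not AusCERT tooling: it parses that layout, cross-checks the CVE Names list against the IMPACT table and the CVSS (Max) line, orders the rows for triage (Critical RCE first) and diffs the KB numbers against a constructed list of installed hotfixes. SAMPLE_BULLETIN is an abbreviated copy of ASB-2022.0085 with five of its IMPACT rows and three of its KBs; the triage ranking, the installed-KB set and all function names are this example's own assumptions.

```python
import re

# Constructed, abbreviated copy of the ASB-2022.0085 layout: five of its 99
# IMPACT rows and three of its eleven KB numbers, kept verbatim from the bulletin.
SAMPLE_BULLETIN = """\
AUSCERT Security Bulletin
ASB-2022.0085
Microsoft Patch Tuesday update for Microsoft Windows for April 2022
13 April 2022
AusCERT Security Bulletin Summary
---------------------------------
Product: Windows 10, 11, 8.1 and RT 8.1
Windows Server
Operating System: Windows
Resolution: Patch/Upgrade
CVE Names: CVE-2022-26809 CVE-2022-24500 CVE-2022-24521
CVE-2022-26919 CVE-2022-24483
Comment: CVSS (Max): 9.8 CVE-2022-26809 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
CVSS Source: Microsoft
OVERVIEW
This update resolves 99 vulnerabilities across the following
products: [1]
IMPACT
Microsoft has given the following details regarding these vulnerabilities.
Details Impact Severity
CVE-2022-24483 Information Disclosure Important
CVE-2022-24500 Remote Code Execution Critical
CVE-2022-24521 Elevation of Privilege Important
CVE-2022-26809 Remote Code Execution Critical
CVE-2022-26919 Remote Code Execution Critical
MITIGATION
Microsoft recommends updating the software with the version made
available on the Microsoft Update Catalogue for the following
Knowledge Base articles. [1].
KB5012591, KB5012592, KB5012596
REFERENCES
[1] Microsoft Security Update Guidance
"""

# Triage ordering assumed by this example (not an AusCERT or Microsoft ranking).
SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}
IMPACT_RANK = {"Remote Code Execution": 0, "Elevation of Privilege": 1,
               "Security Feature Bypass": 2, "Information Disclosure": 3,
               "Spoofing": 4, "Denial of Service": 5}

CVE = r"CVE-\d{4}-\d{4,}"
IMPACT_ROW = re.compile(r"^(%s)\s+(.+?)\s+(Critical|Important|Moderate|Low)\s*$" % CVE, re.M)
# Some bulletins print the score as "7.8*"; the asterisk is kept as a flag, not interpreted.
CVSS_MAX = re.compile(r"CVSS \(Max\):\s*(\d+\.\d)(\*?)\s+(%s)\s+\((CVSS:3\.[01][^)]*)\)" % CVE)


def section(text, start, end):
    """Body between a line consisting of `start` and the next line consisting of `end`."""
    pattern = r"^%s\s*$(.*?)^%s\s*$" % (re.escape(start), re.escape(end))
    match = re.search(pattern, text, re.M | re.S)
    return match.group(1) if match else ""


def parse_bulletin(text):
    asb = re.search(r"^(ASB-\d{4}\.\d{4})\s*$", text, re.M)
    names = re.search(r"CVE Names:(.*?)^Comment:", text, re.M | re.S)
    mx = CVSS_MAX.search(text)
    return {
        "id": asb.group(1) if asb else None,
        "cves": re.findall(CVE, names.group(1)) if names else [],
        "impact": {cve: (impact, sev) for cve, impact, sev
                   in IMPACT_ROW.findall(section(text, "IMPACT", "MITIGATION"))},
        "cvss_max": None if not mx else {"score": float(mx.group(1)), "flagged": mx.group(2) == "*",
                                         "cve": mx.group(3), "vector": mx.group(4)},
        "kbs": sorted(set(re.findall(r"\bKB\d{6,7}\b", section(text, "MITIGATION", "REFERENCES")))),
    }


def consistency_issues(bulletin):
    """Cross-check the CVE Names list against the IMPACT table and the CVSS (Max) line."""
    listed, tabled = set(bulletin["cves"]), set(bulletin["impact"])
    issues = ["%s in CVE Names but not in IMPACT table" % c for c in sorted(listed - tabled)]
    issues += ["%s in IMPACT table but not in CVE Names" % c for c in sorted(tabled - listed)]
    top = bulletin["cvss_max"]
    if top and top["cve"] not in listed:
        issues.append("CVSS (Max) refers to %s, which is not in CVE Names" % top["cve"])
    return issues


def prioritise(bulletin):
    """Rows ordered Critical before Important, RCE before EoP before the rest, then by CVE id."""
    rows = [(cve, impact, sev) for cve, (impact, sev) in bulletin["impact"].items()]
    return sorted(rows, key=lambda r: (SEVERITY_RANK.get(r[2], 9), IMPACT_RANK.get(r[1], 9), r[0]))


def missing_kbs(bulletin, installed):
    """Bulletin KBs absent from `installed` (e.g. the HotFixID column of Get-HotFix)."""
    return sorted(set(bulletin["kbs"]) - set(installed))


if __name__ == "__main__":
    b = parse_bulletin(SAMPLE_BULLETIN)
    print(b["id"], "max", b["cvss_max"]["score"], b["cvss_max"]["cve"])
    for cve, impact, sev in prioritise(b):
        print("  %s  %-24s %s" % (cve, impact, sev))
    print("consistency:", consistency_issues(b) or "ok")
    # Constructed host inventory: only one of the three KBs is present.
    print("not installed:", missing_kbs(b, {"KB5012591"}))
```

Each KB in a Patch Tuesday bulletin targets one OS build, so a host is expected to carry only the one that matches its build; the list from missing_kbs is therefore the set to search for that build's KB, not a list of updates that are all outstanding. The consistency check is worth keeping in any ingestion pipeline: a CVE that appears in CVE Names but has no IMPACT row (or vice versa) is the kind of transcription slip that silently drops a vulnerability from a tracking sheet.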
REFERENCES
[1] Microsoft Security Update Guidance
https://portal.msrc.microsoft.com/en-us/security-guidance
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
ASB-2022.0084 - [Win] Microsoft Malware Protection Engine: CVSS (Max): 5.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2022.0084
Microsoft Patch Tuesday update for Microsoft System Center for April 2022
13 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Microsoft Malware Protection Engine
Operating System: Windows
Resolution: Patch/Upgrade
CVE Names: CVE-2022-24548
Comment: CVSS (Max): 5.5 CVE-2022-24548 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
CVSS Source: Microsoft
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
OVERVIEW
Microsoft has released its monthly security patch update for the
month of April 2022.
This update resolves 1 vulnerability in the following product:
[1]
Microsoft Malware Protection Engine
IMPACT
Microsoft has given the following details regarding these vulnerabilities.
Details Impact Severity
CVE-2022-24548 Denial of Service Important
MITIGATION
Microsoft recommends updating the software to the latest version
available from the Microsoft Update Catalog [1].
REFERENCES
[1] Microsoft Security Update Guidance
https://portal.msrc.microsoft.com/en-us/security-guidance
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
ASB-2022.0083 - [Win] Microsoft On-Premises Data Gateway: CVSS (Max): 5.9
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2022.0083
Microsoft Patch Tuesday update for Microsoft SQL Server for April 2022
13 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Microsoft On-Premises Data Gateway
Operating System: Windows
Resolution: Patch/Upgrade
CVE Names: CVE-2022-23292
Comment: CVSS (Max): 5.9 CVE-2022-23292 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L/E:U/RL:O/RC:C)
CVSS Source: Microsoft
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L/E:U/RL:O/RC:C
OVERVIEW
Microsoft has released its monthly security patch update for the
month of April 2022.
This update resolves 1 vulnerability in the following product:
[1]
Microsoft On-Premises Data Gateway
IMPACT
Microsoft has given the following details regarding these vulnerabilities.
Details Impact Severity
CVE-2022-23292 Spoofing Important
MITIGATION
Microsoft recommends updating the software to the latest version
available from the Microsoft Update Catalog [1].
REFERENCES
[1] Microsoft Security Update Guidance
https://portal.msrc.microsoft.com/en-us/security-guidance
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
ASB-2022.0082 - [Win] Microsoft Office, Office Services and Web Apps: CVSS (Max): 8.0
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2022.0082
Microsoft Patch Tuesday update for Microsoft Office, Office
Services and Web Apps for April 2022
13 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: 365 Apps for Enterprise
Microsoft Excel
Microsoft Lync Server 2013 CU10
Microsoft Office
Microsoft SharePoint
Skype for Business Server
Operating System: Windows
Resolution: Patch/Upgrade
CVE Names: CVE-2022-26911 CVE-2022-26910 CVE-2022-26901
CVE-2022-24473 CVE-2022-24472
Comment: CVSS (Max): 8.0 CVE-2022-24472 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
CVSS Source: Microsoft
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
OVERVIEW
Microsoft has released its monthly security patch update for the
month of April 2022.
This update resolves 5 vulnerabilities across the following products:
[1]
Microsoft 365 Apps for Enterprise for 32-bit Systems
Microsoft 365 Apps for Enterprise for 64-bit Systems
Microsoft Excel 2013 RT Service Pack 1
Microsoft Excel 2013 Service Pack 1 (32-bit editions)
Microsoft Excel 2013 Service Pack 1 (64-bit editions)
Microsoft Excel 2016 (32-bit edition)
Microsoft Excel 2016 (64-bit edition)
Microsoft Lync Server 2013 CU10
Microsoft Office 2013 RT Service Pack 1
Microsoft Office 2013 Service Pack 1 (32-bit editions)
Microsoft Office 2013 Service Pack 1 (64-bit editions)
Microsoft Office 2016 (32-bit edition)
Microsoft Office 2016 (64-bit edition)
Microsoft Office 2019 for 32-bit editions
Microsoft Office 2019 for 64-bit editions
Microsoft Office 2019 for Mac
Microsoft Office LTSC 2021 for 32-bit editions
Microsoft Office LTSC 2021 for 64-bit editions
Microsoft Office LTSC for Mac 2021
Microsoft Office Online Server
Microsoft Office Web Apps Server 2013 Service Pack 1
Microsoft SharePoint Enterprise Server 2016
Microsoft SharePoint Foundation 2013 Service Pack 1
Microsoft SharePoint Server 2016
Microsoft SharePoint Server 2019
Microsoft SharePoint Server Subscription Edition
Skype for Business Server 2015 CU12
Skype for Business Server 2019 CU6
IMPACT
Microsoft has given the following details regarding these vulnerabilities.
Details Impact Severity
CVE-2022-24472 Spoofing Important
CVE-2022-24473 Remote Code Execution Important
CVE-2022-26901 Remote Code Execution Important
CVE-2022-26910 Spoofing Important
CVE-2022-26911 Information Disclosure Important
MITIGATION
Microsoft recommends updating the affected software with the versions made
available in the Microsoft Update Catalog under the following
Knowledge Base articles [1]:
KB5002143, KB5002148, KB5002162, KB5002169, KB5002175
KB5002177, KB5002180, KB5002183, KB5002189, KB5002191
KB5012681, KB5012686
REFERENCES
[1] Microsoft Security Update Guidance
https://portal.msrc.microsoft.com/en-us/security-guidance
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
ASB-2022.0081 - ALERT [Win] Microsoft Dynamics 365 (on-premises): CVSS (Max): 8.8
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2022.0081
Microsoft Patch Tuesday update for Microsoft Dynamics for April 2022
13 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Microsoft Dynamics 365 (on-premises)
Operating System: Windows
Resolution: Patch/Upgrade
CVE Names: CVE-2022-23259
Comment: CVSS (Max): 8.8 CVE-2022-23259 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
CVSS Source: Microsoft
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
OVERVIEW
Microsoft has released its monthly security patch update for the
month of April 2022.
This update resolves 1 vulnerability across the following products:
[1]
Microsoft Dynamics 365 (on-premises) version 9.0
Microsoft Dynamics 365 (on-premises) version 9.1
IMPACT
Microsoft has given the following details regarding these vulnerabilities.
Details Impact Severity
CVE-2022-23259 Remote Code Execution Critical
MITIGATION
Microsoft recommends updating the affected software with the versions made
available in the Microsoft Update Catalog under the following
Knowledge Base articles [1]:
KB5012731, KB5012732
REFERENCES
[1] Microsoft Security Update Guidance
https://portal.msrc.microsoft.com/en-us/security-guidance
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
ASB-2022.0080 - ALERT [Win] Windows 7 and Server 2008: CVSS (Max): 9.8
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2022.0080
Microsoft Patch Tuesday update for Microsoft Extended
Security Update Products for April 2022
13 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Windows 7
Windows Server 2008
Operating System: Windows
Resolution: Patch/Upgrade
CVE Names: CVE-2022-26919 CVE-2022-26918 CVE-2022-26917
CVE-2022-26916 CVE-2022-26915 CVE-2022-26904
CVE-2022-26903 CVE-2022-26831 CVE-2022-26829
CVE-2022-26827 CVE-2022-26822 CVE-2022-26821
CVE-2022-26820 CVE-2022-26819 CVE-2022-26815
CVE-2022-26813 CVE-2022-26812 CVE-2022-26810
CVE-2022-26809 CVE-2022-26807 CVE-2022-26803
CVE-2022-26802 CVE-2022-26801 CVE-2022-26798
CVE-2022-26797 CVE-2022-26796 CVE-2022-26794
CVE-2022-26792 CVE-2022-26790 CVE-2022-26787
CVE-2022-24544 CVE-2022-24542 CVE-2022-24541
CVE-2022-24540 CVE-2022-24536 CVE-2022-24534
CVE-2022-24533 CVE-2022-24530 CVE-2022-24528
CVE-2022-24527 CVE-2022-24521 CVE-2022-24500
CVE-2022-24499 CVE-2022-24498 CVE-2022-24494
CVE-2022-24493 CVE-2022-24492 CVE-2022-24485
CVE-2022-24481 CVE-2022-24474 CVE-2022-21983
Comment: CVSS (Max): 9.8 CVE-2022-26809 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
CVSS Source: Microsoft
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
OVERVIEW
Microsoft has released its monthly security patch update for the
month of April 2022.
This update resolves 51 vulnerabilities across the following
products: [1]
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
IMPACT
Microsoft has given the following details regarding these vulnerabilities.
Details Impact Severity
CVE-2022-21983 Remote Code Execution Important
CVE-2022-24474 Elevation of Privilege Important
CVE-2022-24481 Elevation of Privilege Important
CVE-2022-24485 Remote Code Execution Important
CVE-2022-24492 Remote Code Execution Important
CVE-2022-24493 Information Disclosure Important
CVE-2022-24494 Elevation of Privilege Important
CVE-2022-24498 Information Disclosure Important
CVE-2022-24499 Elevation of Privilege Important
CVE-2022-24500 Remote Code Execution Critical
CVE-2022-24521 Elevation of Privilege Important
CVE-2022-24527 Elevation of Privilege Important
CVE-2022-24528 Remote Code Execution Important
CVE-2022-24530 Elevation of Privilege Important
CVE-2022-24533 Remote Code Execution Important
CVE-2022-24534 Remote Code Execution Important
CVE-2022-24536 Remote Code Execution Important
CVE-2022-24540 Elevation of Privilege Important
CVE-2022-24541 Remote Code Execution Critical
CVE-2022-24542 Elevation of Privilege Important
CVE-2022-24544 Elevation of Privilege Important
CVE-2022-26787 Elevation of Privilege Important
CVE-2022-26790 Elevation of Privilege Important
CVE-2022-26792 Elevation of Privilege Important
CVE-2022-26794 Elevation of Privilege Important
CVE-2022-26796 Elevation of Privilege Important
CVE-2022-26797 Elevation of Privilege Important
CVE-2022-26798 Elevation of Privilege Important
CVE-2022-26801 Elevation of Privilege Important
CVE-2022-26802 Elevation of Privilege Important
CVE-2022-26803 Elevation of Privilege Important
CVE-2022-26807 Elevation of Privilege Important
CVE-2022-26809 Remote Code Execution Critical
CVE-2022-26810 Elevation of Privilege Important
CVE-2022-26812 Remote Code Execution Important
CVE-2022-26813 Remote Code Execution Important
CVE-2022-26815 Remote Code Execution Important
CVE-2022-26819 Remote Code Execution Important
CVE-2022-26820 Remote Code Execution Important
CVE-2022-26821 Remote Code Execution Important
CVE-2022-26822 Remote Code Execution Important
CVE-2022-26827 Elevation of Privilege Important
CVE-2022-26829 Remote Code Execution Important
CVE-2022-26831 Denial of Service Important
CVE-2022-26903 Remote Code Execution Important
CVE-2022-26904 Elevation of Privilege Important
CVE-2022-26915 Denial of Service Important
CVE-2022-26916 Remote Code Execution Important
CVE-2022-26917 Remote Code Execution Important
CVE-2022-26918 Remote Code Execution Important
CVE-2022-26919 Remote Code Execution Critical
MITIGATION
Microsoft recommends updating the affected software with the versions made
available in the Microsoft Update Catalog under the following
Knowledge Base articles [1]:
KB5011529, KB5011552, KB5012626, KB5012632, KB5012649
KB5012658
REFERENCES
[1] Microsoft Security Update Guidance
https://portal.msrc.microsoft.com/en-us/security-guidance
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
ASB-2022.0079 - [Win][Mac] Developer Tools: CVSS (Max): 7.8*
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2022.0079
Microsoft Patch Tuesday update for Microsoft Developer Tools for April 2022
13 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Microsoft .NET Framework
Microsoft Visual Studio
YARP
Operating System: Windows
macOS
Resolution: Patch/Upgrade
CVE Names: CVE-2022-26924 CVE-2022-26921 CVE-2022-26832
CVE-2022-24767 CVE-2022-24765 CVE-2022-24513
Comment: CVSS (Max): 7.8* CVE-2022-24513 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
CVSS Source: Microsoft
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
OVERVIEW
Microsoft has released its monthly security patch update for the
month of April 2022.
This update resolves 6 vulnerabilities across the following products:
[1]
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5 AND 4.7.2
Microsoft .NET Framework 3.5 AND 4.8
Microsoft .NET Framework 3.5.1
Microsoft .NET Framework 4.5.2
Microsoft .NET Framework 4.6
Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2
Microsoft .NET Framework 4.8
Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)
Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10)
Microsoft Visual Studio 2019 version 16.7 (includes 16.0 - 16.6)
Microsoft Visual Studio 2019 version 16.9 (includes 16.0 - 16.8)
Microsoft Visual Studio 2022 version 17.0
Microsoft Visual Studio 2022 version 17.1
Visual Studio 2019 for Mac version 8.10
Visual Studio Code
YARP 1.0
YARP 1.1RC
IMPACT
Microsoft has given the following details regarding these vulnerabilities.
Details Impact Severity
CVE-2022-24513 Elevation of Privilege Important
CVE-2022-24765 Elevation of Privilege Important
CVE-2022-24767 Elevation of Privilege Important
CVE-2022-26832 Denial of Service Important
CVE-2022-26921 Elevation of Privilege Important
CVE-2022-26924 Denial of Service Important
MITIGATION
Microsoft recommends updating the affected software with the versions made
available in the Microsoft Update Catalog under the following
Knowledge Base articles [1]:
KB5012117, KB5012118, KB5012120, KB5012121, KB5012123
KB5012324, KB5012325, KB5012326, KB5012327, KB5012328
KB5012329, KB5012330, KB5012331, KB5012332
REFERENCES
[1] Microsoft Security Update Guidance
https://portal.msrc.microsoft.com/en-us/security-guidance
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
ASB-2022.0078 - [Win] Microsoft Azure products: CVSS (Max): 7.2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2022.0078
Microsoft Patch Tuesday update for Microsoft Azure for April 2022
13 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Azure SDK for .Net
Azure Site Recovery VMWare to Azure
Operating System: Windows
Resolution: Patch/Upgrade
CVE Names: CVE-2022-26907 CVE-2022-26898 CVE-2022-26897
CVE-2022-26896
Comment: CVSS (Max): 7.2 CVE-2022-26898 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
CVSS Source: Microsoft
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
OVERVIEW
Microsoft has released its monthly security patch update for the
month of April 2022.
This update resolves 4 vulnerabilities across the following products [1]:
Azure SDK for .Net
Azure Site Recovery VMWare to Azure
IMPACT
Microsoft has given the following details regarding these vulnerabilities.
Details Impact Severity
CVE-2022-26896 Information Disclosure Important
CVE-2022-26897 Information Disclosure Important
CVE-2022-26898 Remote Code Execution Important
CVE-2022-26907 Information Disclosure Important
MITIGATION
Microsoft recommends updating the software to the latest version
available on the Microsoft Update Catalog [1].
REFERENCES
[1] Microsoft Security Update Guidance
https://portal.msrc.microsoft.com/en-us/security-guidance
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
ESB-2022.1444.5 - UPDATE [Cisco] Cisco Products: CVSS (Max): 9.8
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1444.5
Vulnerability in Spring Framework Affecting Cisco Products: March 2022
13 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Endpoint Clients and Client Software
Network Management and Provisioning
Voice and Unified Communications Devices
Routing and Switching - Enterprise and Service Provider
Video, Streaming, TelePresence, and Transcoding Devices
Publisher: Cisco Systems
Operating System: Cisco
Resolution: Patch/Upgrade
CVE Names: CVE-2022-22965
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67
Comment: CVSS (Max): 9.8 CVE-2022-22965 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: Cisco Systems
Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Revision History: April 13 2022: Updated the products under investigation, vulnerable products, and products confirmed not vulnerable.
April 8 2022: Vendor updated vulnerable products and released patch for Cisco CX Cloud Agent Software
April 6 2022: Vendor updated vulnerable products
April 5 2022: Title update
April 5 2022: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
Vulnerability in Spring Framework Affecting Cisco Products: March 2022
Priority: Critical
Advisory ID: cisco-sa-java-spring-rce-Zx9GUc67
First Published: 2022 April 1 23:45 GMT
Last Updated: 2022 April 12 18:27 GMT
Version 1.6: Interim
Workarounds: No workarounds available
CVE Names: CVE-2022-22965
CWEs: CWE-120
CVSS Score:
9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
Summary
o On March 31, 2022, the following critical vulnerability in the Spring
Framework affecting Spring MVC and Spring WebFlux applications running on
JDK 9+ was released:
CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+
For a description of this vulnerability, see the VMware Spring Framework
Security Vulnerability Report.
This advisory will be updated as additional information becomes available.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67
Affected Products
o Cisco is investigating its product line to determine which products may be
affected by this vulnerability. As the investigation progresses, Cisco will
update this advisory with information about affected products.
The Vulnerable Products section will include Cisco bug IDs for each
affected product. The bugs will be accessible through the Cisco Bug Search
Tool and contain additional platform-specific information, including
workarounds (if available) and fixed software releases.
Any product not listed in the Products Under Investigation or Vulnerable
Products section of this advisory is to be considered not vulnerable.
Because this is an ongoing investigation, be aware that products that are
currently considered not vulnerable may subsequently be considered
vulnerable as additional information becomes available.
Products Under Investigation
The following products are under active investigation to determine whether
they are affected by the vulnerability that is described in this advisory.
Network Management and Provisioning
Cisco Connected Pharma
Cisco Extensible Network Controller (XNC)
Cisco Network Change and Configuration Management
Cisco Nexus Dashboard Data Broker, formerly Cisco Nexus Data Broker
Cisco Nexus Dashboard, formerly Cisco Application Services Engine
Routing and Switching - Enterprise and Service Provider
Cisco Application Policy Infrastructure Controller Enterprise Module
(APIC-EM)
Cisco Network Convergence System 2000 Series
Cisco ONS 15454 Series Multiservice Provisioning Platforms
Wireless
Cisco Ultra Cloud Core - Session Management Function
Cisco Cloud Hosted Services
Cisco IoT Control Center
Cisco Umbrella
Vulnerable Products
Cisco is investigating its product line to determine which products may be
affected by this vulnerability. This section will be updated as information
is available.
The following table lists Cisco products that are affected by the
vulnerability that is described in this advisory. If a future release date
is indicated for software, the date provided represents an estimate based
on all information known to Cisco as of the Last Updated date at the top of
the advisory. Availability dates are subject to change based on a number of
factors, including satisfactory testing results and delivery of other
priority features and fixes. If no version or date is listed for an
affected component (indicated by a blank field and/or an advisory
designation of Interim), Cisco is continuing to evaluate the fix and will
update the advisory as additional information becomes available. After the
advisory is marked Final, customers should refer to the associated Cisco
bug(s) for further details.
+-----------------------------------------------+------------+------------------------+
| Product                                       | Cisco Bug  | Fixed Release          |
|                                               | ID         | Availability           |
+-----------------------------------------------+------------+------------------------+
| Endpoint Clients and Client Software                                                |
+-----------------------------------------------+------------+------------------------+
| Cisco CX Cloud Agent Software                 | CSCwb41735 | 2.1.0 (20 Apr 2022)    |
+-----------------------------------------------+------------+------------------------+
| Network Management and Provisioning                                                 |
+-----------------------------------------------+------------+------------------------+
| Cisco Automated Subsea Tuning                 | CSCwb43658 |                        |
| Cisco Crosswork Data Gateway                  | CSCwb43707 |                        |
| Cisco Crosswork Network Controller            | CSCwb43703 | 3.0.2 (29 Apr 2022)    |
|                                               |            | 2.0.2 (29 Apr 2022)    |
| Cisco Crosswork Optimization Engine           | CSCwb43709 | 3.1.1 (1 May 2022)     |
|                                               |            | 2.1.1 (1 May 2022)     |
| Cisco Crosswork Zero Touch Provisioning (ZTP) | CSCwb43706 | 3.0.2 (29 Apr 2022)    |
|                                               |            | 2.0.2 (20 Apr 2022)    |
| Cisco Evolved Programmable Network Manager    | CSCwb43643 | 6.0.1.1 (29 Apr 2022)  |
|                                               |            | 5.1.4.1 (29 Apr 2022)  |
|                                               |            | 5.0.2.3 (29 Apr 2022)  |
| Cisco Managed Services Accelerator (MSX)      | CSCwb43667 |                        |
| Cisco Optical Network Planner                 | CSCwb43691 |                        |
| Cisco WAN Automation Engine (WAE) Live        | CSCwb43708 | 7.5.2.1 (19 Apr 2022)  |
|                                               |            | 7.4.0.2 (25 Apr 2022)  |
|                                               |            | 7.3.0.3 (29 Apr 2022)  |
| Cisco WAN Automation Engine (WAE)             | CSCwb43708 | 7.5.2.1 (19 Apr 2022)  |
|                                               |            | 7.4.0.2 (25 Apr 2022)  |
|                                               |            | 7.3.0.3 (29 Apr 2022)  |
| Data Center Network Manager (DCNM)            | CSCwb43637 | 12.1.1 (30 Jun 2022)   |
| Nexus Dashboard Fabric Controller (NDFC)      | CSCwb43637 | 12.1.1 (30 Jun 2022)   |
+-----------------------------------------------+------------+------------------------+
| Routing and Switching - Enterprise and Service Provider                             |
+-----------------------------------------------+------------+------------------------+
| Cisco DNA Center                              | CSCwb43648 |                        |
| Cisco Optical Network Controller              | CSCwb43692 | 2.0 (31 May 2022)      |
| Cisco Software-Defined AVC (SD-AVC)           | CSCwb43727 |                        |
+-----------------------------------------------+------------+------------------------+
| Voice and Unified Communications Devices                                            |
+-----------------------------------------------+------------+------------------------+
| Cisco Enterprise Chat and Email               | CSCwb45202 | 12.0 (30 May 2022)     |
|                                               |            | 12.5 (30 May 2022)     |
|                                               |            | 12.6 ES2 (15 May 2022) |
+-----------------------------------------------+------------+------------------------+
| Video, Streaming, TelePresence, and Transcoding Devices                             |
+-----------------------------------------------+------------+------------------------+
| Cisco Meeting Server                          | CSCwb43662 |                        |
+-----------------------------------------------+------------+------------------------+
Products Confirmed Not Vulnerable
Cisco is investigating its product line to determine which products may be
affected by this vulnerability. This section will be updated as information
becomes available.
Any product not listed in the Products Under Investigation or Vulnerable
Products section of this advisory is to be considered not vulnerable.
Because this is an ongoing investigation, be aware that products that are
currently considered not vulnerable may subsequently be considered
vulnerable as additional information becomes available.
Cisco has confirmed that this vulnerability does not affect the following
Cisco products:
Cable Devices
Cisco Continuous Deployment and Automation Framework
Cisco Prime Cable Provisioning
Collaboration and Social Media
Cisco SocialMiner
Cisco Webex Meetings Server
Network Application, Service, and Acceleration
Cisco Wide Area Application Services (WAAS)
Network and Content Security Devices
Cisco Adaptive Security Appliance (ASA) Software
Cisco Firepower Device Manager (FDM)
Cisco Firepower Management Center (FMC)
Cisco Firepower System Software
Cisco Identity Services Engine (ISE)
Cisco Secure Email Gateway, formerly Email Security Appliance (ESA)
Cisco Secure Email and Web Manager, formerly Cisco Content Security
Management Appliance (SMA)
Cisco Secure Network Analytics, formerly Cisco Stealthwatch
Cisco Security Manager
Network Management and Provisioning
Cisco Business Process Automation
Cisco CloudCenter Action Orchestrator
Cisco CloudCenter Cost Optimizer
Cisco CloudCenter Suite Admin
Cisco CloudCenter Workload Manager
Cisco CloudCenter
Cisco Collaboration Audit and Assessments
Cisco Common Services Platform Collector (CSPC)
Cisco Connected Mobile Experiences
Cisco Crosswork Change Automation
Cisco Crosswork Network Automation
Cisco Crosswork Situation Manager
Cisco DNA Assurance
Cisco Elastic Services Controller (ESC)
Cisco Intelligent Node (iNode) Manager
Cisco IoT Field Network Director, formerly Cisco Connected Grid Network
Management System
Cisco NCS 2000 Shelf Virtualization Orchestrator (SVO)
Cisco Network Insights for Data Center
Cisco Nexus Dashboard
Cisco Nexus Insights
Cisco Policy Suite for Mobile
Cisco Policy Suite
Cisco Prime Performance Manager
Cisco Smart PHY
Cisco ThousandEyes Endpoint Agent
Cisco ThousandEyes Enterprise Agent
Cisco Virtual Topology System - Virtual Topology Controller (VTC) VM
Routing and Switching - Enterprise and Service Provider
Cisco ACI HTML5 vCenter Plug-in
Cisco ASR 5000 Series Routers
Cisco Enterprise NFV Infrastructure Software (NFVIS)
Cisco GGSN Gateway GPRS Support Node
Cisco IOx Fog Director
Cisco IP Services Gateway (IPSG)
Cisco MME Mobility Management Entity
Cisco Mobility Unified Reporting and Analytics System
Cisco PDSN/HA Packet Data Serving Node and Home Agent
Cisco PGW Packet Data Network Gateway
Cisco SD-WAN Cloud OnRamp for Co-Location
Cisco System Architecture Evolution Gateway (SAEGW)
Cisco Ultra Packet Core
Cisco Ultra Services Platform
Ultra Cloud Core - Redundancy Configuration Manager
Routing and Switching - Small Business
Cisco Business Dashboard
Unified Computing
Cisco HyperFlex
Voice and Unified Communications Devices
Cisco BroadWorks
Cisco Cloud Connect
Cisco Emergency Responder
Cisco Unified Attendant Console Advanced
Cisco Unified Attendant Console Business Edition
Cisco Unified Attendant Console Department Edition
Cisco Unified Attendant Console Enterprise Edition
Cisco Unified Attendant Console Premium Edition
Cisco Unified Communications Manager IM & Presence Service
Cisco Unified Communications Manager Session Management Edition
Cisco Unified Communications Manager
Cisco Unified Contact Center Express
Cisco Unified Customer Voice Portal
Cisco Unified Intelligence Center
Cisco Unity Connection
Cisco Virtualized Voice Browser
Video, Streaming, TelePresence, and Transcoding Devices
Cisco Expressway Series
Cisco TelePresence Integrator C Series
Cisco TelePresence MX Series
Cisco TelePresence Management Suite
Cisco TelePresence Precision Cameras
Cisco TelePresence Profile Series
Cisco TelePresence SX Series
Cisco TelePresence System EX Series
Cisco TelePresence Video Communication Server (VCS)
Cisco Touch
Cisco Video Surveillance Operations Manager
Cisco Vision Dynamic Signage Director
Cisco Webex Board Series
Cisco Webex Desk Series
Cisco Webex Room Navigator
Cisco Webex Room Series
Wireless
Cisco Ultra Cloud Core - Access and Mobility Management Function
Cisco Ultra Cloud Core - Network Repository Function
Cisco Ultra Cloud Core - Policy Control Function
Cisco Ultra Cloud Core - Redundancy Configuration Manager
Cisco Ultra Cloud Core - Subscriber Microservices Infrastructure
Cisco Cloud Hosted Services
Cisco BroadCloud
Cisco Industrial Asset Vision
Cisco IoT Operations Dashboard (IOTOC)
Cisco Kinetic for Cities
Cisco Registered Envelope Service
Cisco Smart Collector - Lifecycle Management
Cisco Unified Communications Manager Cloud
Cisco Webex Cloud-Connected UC (CCUC)
Workarounds
o Any workarounds will be documented in the product-specific Cisco bugs,
which are identified in the Vulnerable Products section of this advisory.
Fixed Software
o For information about fixed software releases, consult the Cisco bugs
identified in the Vulnerable Products section of this advisory.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page, to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is aware that
proof-of-concept exploit code is available for the vulnerability described
in this advisory.
Source
o This vulnerability was publicly disclosed by VMware on March 31, 2022.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Action Links for This Advisory
o Snort Rule 30790
Snort Rule 30791
Snort Rule 30792
Snort Rule 30793
Snort Rule 59416
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67
Revision History
o +---------+----------------------------+----------+---------+-------------+
| Version | Description | Section | Status | Date |
+---------+----------------------------+----------+---------+-------------+
| | Updated the products under | | | |
| 1.6 | investigation, vulnerable | Affected | Interim | 2022-APR-12 |
| | products, and products | Products | | |
| | confirmed not vulnerable. | | | |
+---------+----------------------------+----------+---------+-------------+
| | Updated the products under | | | |
| 1.5 | investigation, vulnerable | Affected | Interim | 2022-APR-11 |
| | products, and products | Products | | |
| | confirmed not vulnerable. | | | |
+---------+----------------------------+----------+---------+-------------+
| | Updated the products under | | | |
| 1.4 | investigation, vulnerable | Affected | Interim | 2022-APR-07 |
| | products, and products | Products | | |
| | confirmed not vulnerable. | | | |
+---------+----------------------------+----------+---------+-------------+
| | Updated the products under | | | |
| 1.3 | investigation, vulnerable | Affected | Interim | 2022-APR-06 |
| | products, and products | Products | | |
| | confirmed not vulnerable. | | | |
+---------+----------------------------+----------+---------+-------------+
| | Updated the products under | | | |
| 1.2 | investigation, vulnerable | Affected | Interim | 2022-APR-05 |
| | products, and products | Products | | |
| | confirmed not vulnerable. | | | |
+---------+----------------------------+----------+---------+-------------+
| | Updated the products under | | | |
| 1.1 | investigation, vulnerable | Affected | Interim | 2022-APR-04 |
| | products, and products | Products | | |
| | confirmed not vulnerable. | | | |
+---------+----------------------------+----------+---------+-------------+
| 1.0 | Initial public release. | - | Interim | 2022-APR-01 |
+---------+----------------------------+----------+---------+-------------+
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
ESB-2022.1596 - [Ubuntu] Subversion: CVSS (Max): 7.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1596
USN-5372-1: Subversion vulnerabilities
13 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Subversion
Publisher: Ubuntu
Operating System: Ubuntu
Resolution: Patch/Upgrade
CVE Names: CVE-2022-24070 CVE-2021-28544
Original Bulletin:
https://ubuntu.com/security/notices/USN-5372-1
Comment: CVSS (Max): 7.5 CVE-2022-24070 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVSS Source: SUSE
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
USN-5372-1: Subversion vulnerabilities
12 April 2022
Several security issues were fixed in Subversion.
Releases
o Ubuntu 21.10
o Ubuntu 20.04 LTS
Packages
o subversion - Advanced version control system
Details
Evgeny Kotkov discovered that Subversion servers did not properly follow
path-based authorization rules in certain cases. An attacker could
potentially use this issue to retrieve information about private paths.
(CVE-2021-28544)
Thomas Weissschuh discovered that Subversion servers did not properly handle
memory in certain configurations. A remote attacker could potentially use
this issue to cause a denial of service or other unspecified impact.
(CVE-2022-24070)
Update instructions
The problem can be corrected by updating your system to the following package
versions:
Ubuntu 21.10
o ruby-svn - 1.14.1-3ubuntu0.1
o python3-subversion - 1.14.1-3ubuntu0.1
o subversion-tools - 1.14.1-3ubuntu0.1
o libapache2-mod-svn - 1.14.1-3ubuntu0.1
o libsvn1 - 1.14.1-3ubuntu0.1
o subversion - 1.14.1-3ubuntu0.1
o libsvn-java - 1.14.1-3ubuntu0.1
o libsvn-perl - 1.14.1-3ubuntu0.1
Ubuntu 20.04
o ruby-svn - 1.13.0-3ubuntu0.1
o subversion-tools - 1.13.0-3ubuntu0.1
o libapache2-mod-svn - 1.13.0-3ubuntu0.1
o python-subversion - 1.13.0-3ubuntu0.1
o libsvn1 - 1.13.0-3ubuntu0.1
o subversion - 1.13.0-3ubuntu0.1
o libsvn-java - 1.13.0-3ubuntu0.1
o libsvn-perl - 1.13.0-3ubuntu0.1
In general, a standard system update will make all the necessary changes.
References
o CVE-2021-28544
o CVE-2022-24070
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
ESB-2022.1595 - [Ubuntu] Git: CVSS (Max): None
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1595
USN-5376-1: Git vulnerability
13 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Git
Publisher: Ubuntu
Operating System: Ubuntu
Resolution: Patch/Upgrade
CVE Names: CVE-2022-24765
Original Bulletin:
https://ubuntu.com/security/notices/USN-5376-1
Comment: CVSS (Max): None available when published
- --------------------------BEGIN INCLUDED TEXT--------------------
USN-5376-1: Git vulnerability
12 April 2022
Git could be made to run arbitrary commands in platforms with multiple users
support.
Releases
o Ubuntu 21.10
o Ubuntu 20.04 LTS
o Ubuntu 18.04 LTS
Packages
o git - fast, scalable, distributed revision control system
Details
discovered that Git incorrectly handled certain repository paths
in platforms with multiple users support. An attacker could possibly use
this issue to run arbitrary commands.
Update instructions
The problem can be corrected by updating your system to the following package
versions:
Ubuntu 21.10
o git - 1:2.32.0-1ubuntu1.1
Ubuntu 20.04
o git - 1:2.25.1-1ubuntu3.3
Ubuntu 18.04
o git - 1:2.17.1-1ubuntu0.10
In general, a standard system update will make all the necessary changes.
References
o CVE-2022-24765
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
ESB-2022.1594 - [Debian] zabbix: CVSS (Max): 4.4
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1594
zabbix security update
13 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: zabbix
Publisher: Debian
Operating System: Debian GNU/Linux
Resolution: Patch/Upgrade
CVE Names: CVE-2022-24919 CVE-2022-24917 CVE-2022-24349
Original Bulletin:
https://lists.debian.org/debian-lts-announce/2022/04/msg00011.html
Comment: CVSS (Max): 4.4 CVE-2022-24919 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N)
CVSS Source: NVD
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
- --------------------------BEGIN INCLUDED TEXT--------------------
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2980-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Markus Koschany
April 12, 2022 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : zabbix
Version : 1:3.0.32+dfsg-0+deb9u3
CVE ID : CVE-2022-24349 CVE-2022-24917 CVE-2022-24919
Several security vulnerabilities have been discovered in zabbix, a network
monitoring solution. An authenticated user can create a link with reflected
Javascript code inside it for graphs, actions and services pages and send it to
other users. The payload can be executed only with a known CSRF token value of
the victim, which is changed periodically and is difficult to predict.
For Debian 9 stretch, these problems have been fixed in version
1:3.0.32+dfsg-0+deb9u3.
We recommend that you upgrade your zabbix packages.
For the detailed security status of zabbix please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/zabbix
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
ESB-2022.1593 - [RedHat] Red Hat Integration Camel-K 1.6.5: CVSS (Max): 8.1
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1593
Red Hat Integration Camel-K 1.6.5 security update
13 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Red Hat Integration Camel-K 1.6.5
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-22965
Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:1333
Comment: CVSS (Max): 8.1 CVE-2022-22965 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Low: Red Hat Integration Camel-K 1.6.5 security update
Advisory ID: RHSA-2022:1333-01
Product: Red Hat Integration
Advisory URL: https://access.redhat.com/errata/RHSA-2022:1333
Issue date: 2022-04-12
CVE Names: CVE-2022-22965
=====================================================================
1. Summary:
A micro version update (from 1.6.4 to 1.6.5) is now available for Red Hat
Integration Camel K. The purpose of this text-only errata is to inform you
about the security issues fixed in this release.
Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Description:
A micro version update (from 1.6.4 to 1.6.5) is now available for Red Hat
Camel K that includes CVE fixes in the base images, which are documented in
the Release Notes document linked in the References section.
Security Fix(es):
* spring-beans: spring-framework: RCE via Data Binding on JDK 9+
(CVE-2022-22965)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
3. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
4. Bugs fixed (https://bugzilla.redhat.com/):
2070348 - CVE-2022-22965 spring-framework: RCE via Data Binding on JDK 9+
5. References:
https://access.redhat.com/security/cve/CVE-2022-22965
https://access.redhat.com/security/vulnerabilities/RHSB-2022-003
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2022-Q2
https://access.redhat.com/documentation/en-us/red_hat_integration/2022.q1
6. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
- --------------------------END INCLUDED TEXT--------------------
ESB-2022.1592 - [SUSE] xz: CVSS (Max): 8.4
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1592
Security update for xz
13 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: xz
Publisher: SUSE
Operating System: SUSE
Resolution: Patch/Upgrade
CVE Names: CVE-2022-1271
Original Bulletin:
https://www.suse.com/support/update/announcement/2022/suse-su-20221160-1
Comment: CVSS (Max): 8.4 CVE-2022-1271 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: SUSE
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
SUSE Security Update: Security update for xz
______________________________________________________________________________
Announcement ID: SUSE-SU-2022:1160-1
Rating: important
References: #1198062
Cross-References: CVE-2022-1271
Affected Products:
HPE Helion Openstack 8
SUSE Linux Enterprise Server 12-SP2-BCL
SUSE Linux Enterprise Server 12-SP3-BCL
SUSE Linux Enterprise Server 12-SP3-LTSS
SUSE Linux Enterprise Server 12-SP4-LTSS
SUSE Linux Enterprise Server 12-SP5
SUSE Linux Enterprise Server for SAP 12-SP3
SUSE Linux Enterprise Server for SAP 12-SP4
SUSE Linux Enterprise Server for SAP Applications 12-SP5
SUSE Linux Enterprise Software Development Kit 12-SP5
SUSE OpenStack Cloud 8
SUSE OpenStack Cloud 9
SUSE OpenStack Cloud Crowbar 8
SUSE OpenStack Cloud Crowbar 9
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for xz fixes the following issues:
o CVE-2022-1271: Fixed an incorrect escaping of malicious filenames
(ZDI-CAN-16587). (bsc#1198062)
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
o SUSE OpenStack Cloud Crowbar 9:
zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2022-1160=1
o SUSE OpenStack Cloud Crowbar 8:
zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2022-1160=1
o SUSE OpenStack Cloud 9:
zypper in -t patch SUSE-OpenStack-Cloud-9-2022-1160=1
o SUSE OpenStack Cloud 8:
zypper in -t patch SUSE-OpenStack-Cloud-8-2022-1160=1
o SUSE Linux Enterprise Software Development Kit 12-SP5:
zypper in -t patch SUSE-SLE-SDK-12-SP5-2022-1160=1
o SUSE Linux Enterprise Server for SAP 12-SP4:
zypper in -t patch SUSE-SLE-SAP-12-SP4-2022-1160=1
o SUSE Linux Enterprise Server for SAP 12-SP3:
zypper in -t patch SUSE-SLE-SAP-12-SP3-2022-1160=1
o SUSE Linux Enterprise Server 12-SP5:
zypper in -t patch SUSE-SLE-SERVER-12-SP5-2022-1160=1
o SUSE Linux Enterprise Server 12-SP4-LTSS:
zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2022-1160=1
o SUSE Linux Enterprise Server 12-SP3-LTSS:
zypper in -t patch SUSE-SLE-SERVER-12-SP3-2022-1160=1
o SUSE Linux Enterprise Server 12-SP3-BCL:
zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2022-1160=1
o SUSE Linux Enterprise Server 12-SP2-BCL:
zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2022-1160=1
o HPE Helion Openstack 8:
zypper in -t patch HPE-Helion-OpenStack-8-2022-1160=1
Package List:
o SUSE OpenStack Cloud Crowbar 9 (noarch):
xz-lang-5.0.5-6.7.1
o SUSE OpenStack Cloud Crowbar 9 (x86_64):
liblzma5-32bit-5.0.5-6.7.1
liblzma5-5.0.5-6.7.1
liblzma5-debuginfo-32bit-5.0.5-6.7.1
liblzma5-debuginfo-5.0.5-6.7.1
xz-5.0.5-6.7.1
xz-debuginfo-5.0.5-6.7.1
xz-debugsource-5.0.5-6.7.1
o SUSE OpenStack Cloud Crowbar 8 (noarch):
xz-lang-5.0.5-6.7.1
o SUSE OpenStack Cloud Crowbar 8 (x86_64):
liblzma5-32bit-5.0.5-6.7.1
liblzma5-5.0.5-6.7.1
liblzma5-debuginfo-32bit-5.0.5-6.7.1
liblzma5-debuginfo-5.0.5-6.7.1
xz-5.0.5-6.7.1
xz-debuginfo-5.0.5-6.7.1
xz-debugsource-5.0.5-6.7.1
o SUSE OpenStack Cloud 9 (x86_64):
liblzma5-32bit-5.0.5-6.7.1
liblzma5-5.0.5-6.7.1
liblzma5-debuginfo-32bit-5.0.5-6.7.1
liblzma5-debuginfo-5.0.5-6.7.1
xz-5.0.5-6.7.1
xz-debuginfo-5.0.5-6.7.1
xz-debugsource-5.0.5-6.7.1
o SUSE OpenStack Cloud 9 (noarch):
xz-lang-5.0.5-6.7.1
o SUSE OpenStack Cloud 8 (noarch):
xz-lang-5.0.5-6.7.1
o SUSE OpenStack Cloud 8 (x86_64):
liblzma5-32bit-5.0.5-6.7.1
liblzma5-5.0.5-6.7.1
liblzma5-debuginfo-32bit-5.0.5-6.7.1
liblzma5-debuginfo-5.0.5-6.7.1
xz-5.0.5-6.7.1
xz-debuginfo-5.0.5-6.7.1
xz-debugsource-5.0.5-6.7.1
o SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):
xz-debuginfo-5.0.5-6.7.1
xz-debugsource-5.0.5-6.7.1
xz-devel-5.0.5-6.7.1
o SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):
liblzma5-5.0.5-6.7.1
liblzma5-debuginfo-5.0.5-6.7.1
xz-5.0.5-6.7.1
xz-debuginfo-5.0.5-6.7.1
xz-debugsource-5.0.5-6.7.1
o SUSE Linux Enterprise Server for SAP 12-SP4 (noarch):
xz-lang-5.0.5-6.7.1
o SUSE Linux Enterprise Server for SAP 12-SP4 (x86_64):
liblzma5-32bit-5.0.5-6.7.1
liblzma5-debuginfo-32bit-5.0.5-6.7.1
o SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):
liblzma5-5.0.5-6.7.1
liblzma5-debuginfo-5.0.5-6.7.1
xz-5.0.5-6.7.1
xz-debuginfo-5.0.5-6.7.1
xz-debugsource-5.0.5-6.7.1
o SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64):
liblzma5-32bit-5.0.5-6.7.1
liblzma5-debuginfo-32bit-5.0.5-6.7.1
o SUSE Linux Enterprise Server for SAP 12-SP3 (noarch):
xz-lang-5.0.5-6.7.1
o SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
liblzma5-5.0.5-6.7.1
liblzma5-debuginfo-5.0.5-6.7.1
xz-5.0.5-6.7.1
xz-debuginfo-5.0.5-6.7.1
xz-debugsource-5.0.5-6.7.1
o SUSE Linux Enterprise Server 12-SP5 (s390x x86_64):
liblzma5-32bit-5.0.5-6.7.1
liblzma5-debuginfo-32bit-5.0.5-6.7.1
o SUSE Linux Enterprise Server 12-SP5 (noarch):
xz-lang-5.0.5-6.7.1
o SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):
liblzma5-5.0.5-6.7.1
liblzma5-debuginfo-5.0.5-6.7.1
xz-5.0.5-6.7.1
xz-debuginfo-5.0.5-6.7.1
xz-debugsource-5.0.5-6.7.1
o SUSE Linux Enterprise Server 12-SP4-LTSS (s390x x86_64):
liblzma5-32bit-5.0.5-6.7.1
liblzma5-debuginfo-32bit-5.0.5-6.7.1
o SUSE Linux Enterprise Server 12-SP4-LTSS (noarch):
xz-lang-5.0.5-6.7.1
o SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):
liblzma5-5.0.5-6.7.1
liblzma5-debuginfo-5.0.5-6.7.1
xz-5.0.5-6.7.1
xz-debuginfo-5.0.5-6.7.1
xz-debugsource-5.0.5-6.7.1
o SUSE Linux Enterprise Server 12-SP3-LTSS (s390x x86_64):
liblzma5-32bit-5.0.5-6.7.1
liblzma5-debuginfo-32bit-5.0.5-6.7.1
o SUSE Linux Enterprise Server 12-SP3-LTSS (noarch):
xz-lang-5.0.5-6.7.1
o SUSE Linux Enterprise Server 12-SP3-BCL (noarch):
xz-lang-5.0.5-6.7.1
o SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):
liblzma5-32bit-5.0.5-6.7.1
liblzma5-5.0.5-6.7.1
liblzma5-debuginfo-32bit-5.0.5-6.7.1
liblzma5-debuginfo-5.0.5-6.7.1
xz-5.0.5-6.7.1
xz-debuginfo-5.0.5-6.7.1
xz-debugsource-5.0.5-6.7.1
o SUSE Linux Enterprise Server 12-SP2-BCL (noarch):
xz-lang-5.0.5-6.7.1
o SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
liblzma5-32bit-5.0.5-6.7.1
liblzma5-5.0.5-6.7.1
liblzma5-debuginfo-32bit-5.0.5-6.7.1
liblzma5-debuginfo-5.0.5-6.7.1
xz-5.0.5-6.7.1
xz-debuginfo-5.0.5-6.7.1
xz-debugsource-5.0.5-6.7.1
o HPE Helion Openstack 8 (noarch):
xz-lang-5.0.5-6.7.1
o HPE Helion Openstack 8 (x86_64):
liblzma5-32bit-5.0.5-6.7.1
liblzma5-5.0.5-6.7.1
liblzma5-debuginfo-32bit-5.0.5-6.7.1
liblzma5-debuginfo-5.0.5-6.7.1
xz-5.0.5-6.7.1
xz-debuginfo-5.0.5-6.7.1
xz-debugsource-5.0.5-6.7.1
References:
o https://www.suse.com/security/cve/CVE-2022-1271.html
o https://bugzilla.suse.com/1198062
- --------------------------END INCLUDED TEXT--------------------
ESB-2022.1591 - [SUSE] xz: CVSS (Max): 8.4
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1591
Security update for xz
13 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: xz
Publisher: SUSE
Operating System: SUSE
Resolution: Patch/Upgrade
CVE Names: CVE-2022-1271
Original Bulletin:
https://www.suse.com/support/update/announcement/2022/suse-su-20221158-1
Comment: CVSS (Max): 8.4 CVE-2022-1271 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: SUSE
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
SUSE Security Update: Security update for xz
______________________________________________________________________________
Announcement ID: SUSE-SU-2022:1158-1
Rating: important
References: #1198062
Cross-References: CVE-2022-1271
Affected Products:
SUSE CaaS Platform 4.0
SUSE Enterprise Storage 6
SUSE Enterprise Storage 7
SUSE Linux Enterprise Desktop 15-SP3
SUSE Linux Enterprise Desktop 15-SP4
SUSE Linux Enterprise High Performance Computing 15-ESPOS
SUSE Linux Enterprise High Performance Computing 15-LTSS
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing 15-SP3
SUSE Linux Enterprise High Performance Computing 15-SP4
SUSE Linux Enterprise Micro 5.0
SUSE Linux Enterprise Micro 5.1
SUSE Linux Enterprise Micro 5.2
SUSE Linux Enterprise Module for Basesystem 15-SP3
SUSE Linux Enterprise Module for Basesystem 15-SP4
SUSE Linux Enterprise Realtime Extension 15-SP2
SUSE Linux Enterprise Server 15-LTSS
SUSE Linux Enterprise Server 15-SP1-BCL
SUSE Linux Enterprise Server 15-SP1-LTSS
SUSE Linux Enterprise Server 15-SP2-BCL
SUSE Linux Enterprise Server 15-SP2-LTSS
SUSE Linux Enterprise Server 15-SP3
SUSE Linux Enterprise Server 15-SP4
SUSE Linux Enterprise Server for SAP 15
SUSE Linux Enterprise Server for SAP 15-SP1
SUSE Linux Enterprise Server for SAP 15-SP2
SUSE Linux Enterprise Server for SAP Applications 15-SP3
SUSE Linux Enterprise Server for SAP Applications 15-SP4
SUSE Manager Proxy 4.1
SUSE Manager Proxy 4.2
SUSE Manager Retail Branch Server 4.1
SUSE Manager Server 4.1
SUSE Manager Server 4.2
openSUSE Leap 15.3
openSUSE Leap 15.4
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for xz fixes the following issues:
o CVE-2022-1271: Fixed an incorrect escaping of malicious filenames
(ZDI-CAN-16587). (bsc#1198062)
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
o openSUSE Leap 15.4:
zypper in -t patch openSUSE-SLE-15.4-2022-1158=1
o openSUSE Leap 15.3:
zypper in -t patch openSUSE-SLE-15.3-2022-1158=1
o SUSE Manager Server 4.1:
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.1-2022-1158=1
o SUSE Manager Retail Branch Server 4.1:
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.1-2022-1158=1
o SUSE Manager Proxy 4.1:
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.1-2022-1158=1
o SUSE Linux Enterprise Server for SAP 15-SP2:
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2022-1158=1
o SUSE Linux Enterprise Server for SAP 15-SP1:
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2022-1158=1
o SUSE Linux Enterprise Server for SAP 15:
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2022-1158=1
o SUSE Linux Enterprise Server 15-SP2-LTSS:
zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2022-1158=1
o SUSE Linux Enterprise Server 15-SP2-BCL:
zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-BCL-2022-1158=1
o SUSE Linux Enterprise Server 15-SP1-LTSS:
zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2022-1158=1
o SUSE Linux Enterprise Server 15-SP1-BCL:
zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2022-1158=1
o SUSE Linux Enterprise Server 15-LTSS:
zypper in -t patch SUSE-SLE-Product-SLES-15-2022-1158=1
o SUSE Linux Enterprise Realtime Extension 15-SP2:
zypper in -t patch SUSE-SLE-Product-RT-15-SP2-2022-1158=1
o SUSE Linux Enterprise Module for Basesystem 15-SP4:
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP4-2022-1158=1
o SUSE Linux Enterprise Module for Basesystem 15-SP3:
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2022-1158=1
o SUSE Linux Enterprise Micro 5.2:
zypper in -t patch SUSE-SUSE-MicroOS-5.2-2022-1158=1
o SUSE Linux Enterprise Micro 5.1:
zypper in -t patch SUSE-SUSE-MicroOS-5.1-2022-1158=1
o SUSE Linux Enterprise Micro 5.0:
zypper in -t patch SUSE-SUSE-MicroOS-5.0-2022-1158=1
o SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS:
zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2022-1158=1
o SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS:
zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-ESPOS-2022-1158=1
o SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:
zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2022-1158=1
o SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:
zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2022-1158=1
o SUSE Linux Enterprise High Performance Computing 15-LTSS:
zypper in -t patch SUSE-SLE-Product-HPC-15-2022-1158=1
o SUSE Linux Enterprise High Performance Computing 15-ESPOS:
zypper in -t patch SUSE-SLE-Product-HPC-15-2022-1158=1
o SUSE Enterprise Storage 7:
zypper in -t patch SUSE-Storage-7-2022-1158=1
o SUSE Enterprise Storage 6:
zypper in -t patch SUSE-Storage-6-2022-1158=1
o SUSE CaaS Platform 4.0:
To install this update, use the SUSE CaaS Platform 'skuba' tool. It will
inform you if it detects new updates and let you then trigger updating of
the complete cluster in a controlled way.
Package List:
o openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):
liblzma5-5.2.3-150000.4.7.1
liblzma5-debuginfo-5.2.3-150000.4.7.1
xz-5.2.3-150000.4.7.1
xz-debuginfo-5.2.3-150000.4.7.1
xz-debugsource-5.2.3-150000.4.7.1
xz-devel-5.2.3-150000.4.7.1
xz-static-devel-5.2.3-150000.4.7.1
o openSUSE Leap 15.4 (noarch):
xz-lang-5.2.3-150000.4.7.1
o openSUSE Leap 15.4 (x86_64):
liblzma5-32bit-5.2.3-150000.4.7.1
liblzma5-32bit-debuginfo-5.2.3-150000.4.7.1
xz-devel-32bit-5.2.3-150000.4.7.1
o openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):
liblzma5-5.2.3-150000.4.7.1
liblzma5-debuginfo-5.2.3-150000.4.7.1
xz-5.2.3-150000.4.7.1
xz-debuginfo-5.2.3-150000.4.7.1
xz-debugsource-5.2.3-150000.4.7.1
xz-devel-5.2.3-150000.4.7.1
xz-static-devel-5.2.3-150000.4.7.1
o openSUSE Leap 15.3 (noarch):
xz-lang-5.2.3-150000.4.7.1
o openSUSE Leap 15.3 (x86_64):
liblzma5-32bit-5.2.3-150000.4.7.1
liblzma5-32bit-debuginfo-5.2.3-150000.4.7.1
xz-devel-32bit-5.2.3-150000.4.7.1
o SUSE Manager Server 4.1 (ppc64le s390x x86_64):
liblzma5-5.2.3-150000.4.7.1
liblzma5-debuginfo-5.2.3-150000.4.7.1
xz-5.2.3-150000.4.7.1
xz-debuginfo-5.2.3-150000.4.7.1
xz-debugsource-5.2.3-150000.4.7.1
xz-devel-5.2.3-150000.4.7.1
xz-static-devel-5.2.3-150000.4.7.1
o SUSE Manager Server 4.1 (noarch):
xz-lang-5.2.3-150000.4.7.1
o SUSE Manager Server 4.1 (x86_64):
liblzma5-32bit-5.2.3-150000.4.7.1
liblzma5-32bit-debuginfo-5.2.3-150000.4.7.1
o SUSE Manager Retail Branch Server 4.1 (noarch):
xz-lang-5.2.3-150000.4.7.1
o SUSE Manager Retail Branch Server 4.1 (x86_64):
liblzma5-32bit-5.2.3-150000.4.7.1
liblzma5-32bit-debuginfo-5.2.3-150000.4.7.1
liblzma5-5.2.3-150000.4.7.1
liblzma5-debuginfo-5.2.3-150000.4.7.1
xz-5.2.3-150000.4.7.1
xz-debuginfo-5.2.3-150000.4.7.1
xz-debugsource-5.2.3-150000.4.7.1
xz-devel-5.2.3-150000.4.7.1
xz-static-devel-5.2.3-150000.4.7.1
o SUSE Manager Proxy 4.1 (noarch):
xz-lang-5.2.3-150000.4.7.1
o SUSE Manager Proxy 4.1 (x86_64):
liblzma5-32bit-5.2.3-150000.4.7.1
liblzma5-32bit-debuginfo-5.2.3-150000.4.7.1
liblzma5-5.2.3-150000.4.7.1
liblzma5-debuginfo-5.2.3-150000.4.7.1
xz-5.2.3-150000.4.7.1
xz-debuginfo-5.2.3-150000.4.7.1
xz-debugsource-5.2.3-150000.4.7.1
xz-devel-5.2.3-150000.4.7.1
xz-static-devel-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Server for SAP 15-SP2 (ppc64le x86_64):
liblzma5-5.2.3-150000.4.7.1
liblzma5-debuginfo-5.2.3-150000.4.7.1
xz-5.2.3-150000.4.7.1
xz-debuginfo-5.2.3-150000.4.7.1
xz-debugsource-5.2.3-150000.4.7.1
xz-devel-5.2.3-150000.4.7.1
xz-static-devel-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Server for SAP 15-SP2 (x86_64):
liblzma5-32bit-5.2.3-150000.4.7.1
liblzma5-32bit-debuginfo-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Server for SAP 15-SP2 (noarch):
xz-lang-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64):
liblzma5-5.2.3-150000.4.7.1
liblzma5-debuginfo-5.2.3-150000.4.7.1
xz-5.2.3-150000.4.7.1
xz-debuginfo-5.2.3-150000.4.7.1
xz-debugsource-5.2.3-150000.4.7.1
xz-devel-5.2.3-150000.4.7.1
xz-static-devel-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Server for SAP 15-SP1 (noarch):
xz-lang-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Server for SAP 15-SP1 (x86_64):
liblzma5-32bit-5.2.3-150000.4.7.1
liblzma5-32bit-debuginfo-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):
liblzma5-5.2.3-150000.4.7.1
liblzma5-debuginfo-5.2.3-150000.4.7.1
xz-5.2.3-150000.4.7.1
xz-debuginfo-5.2.3-150000.4.7.1
xz-debugsource-5.2.3-150000.4.7.1
xz-devel-5.2.3-150000.4.7.1
xz-static-devel-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Server for SAP 15 (x86_64):
liblzma5-32bit-5.2.3-150000.4.7.1
liblzma5-32bit-debuginfo-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Server for SAP 15 (noarch):
xz-lang-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Server 15-SP2-LTSS (aarch64 ppc64le s390x x86_64):
liblzma5-5.2.3-150000.4.7.1
liblzma5-debuginfo-5.2.3-150000.4.7.1
xz-5.2.3-150000.4.7.1
xz-debuginfo-5.2.3-150000.4.7.1
xz-debugsource-5.2.3-150000.4.7.1
xz-devel-5.2.3-150000.4.7.1
xz-static-devel-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Server 15-SP2-LTSS (noarch):
xz-lang-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Server 15-SP2-LTSS (x86_64):
liblzma5-32bit-5.2.3-150000.4.7.1
liblzma5-32bit-debuginfo-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Server 15-SP2-BCL (noarch):
xz-lang-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Server 15-SP2-BCL (x86_64):
liblzma5-32bit-5.2.3-150000.4.7.1
liblzma5-32bit-debuginfo-5.2.3-150000.4.7.1
liblzma5-5.2.3-150000.4.7.1
liblzma5-debuginfo-5.2.3-150000.4.7.1
xz-5.2.3-150000.4.7.1
xz-debuginfo-5.2.3-150000.4.7.1
xz-debugsource-5.2.3-150000.4.7.1
xz-devel-5.2.3-150000.4.7.1
xz-static-devel-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64):
liblzma5-5.2.3-150000.4.7.1
liblzma5-debuginfo-5.2.3-150000.4.7.1
xz-5.2.3-150000.4.7.1
xz-debuginfo-5.2.3-150000.4.7.1
xz-debugsource-5.2.3-150000.4.7.1
xz-devel-5.2.3-150000.4.7.1
xz-static-devel-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Server 15-SP1-LTSS (x86_64):
liblzma5-32bit-5.2.3-150000.4.7.1
liblzma5-32bit-debuginfo-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Server 15-SP1-LTSS (noarch):
xz-lang-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Server 15-SP1-BCL (noarch):
xz-lang-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):
liblzma5-32bit-5.2.3-150000.4.7.1
liblzma5-32bit-debuginfo-5.2.3-150000.4.7.1
liblzma5-5.2.3-150000.4.7.1
liblzma5-debuginfo-5.2.3-150000.4.7.1
xz-5.2.3-150000.4.7.1
xz-debuginfo-5.2.3-150000.4.7.1
xz-debugsource-5.2.3-150000.4.7.1
xz-devel-5.2.3-150000.4.7.1
xz-static-devel-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):
liblzma5-5.2.3-150000.4.7.1
liblzma5-debuginfo-5.2.3-150000.4.7.1
xz-5.2.3-150000.4.7.1
xz-debuginfo-5.2.3-150000.4.7.1
xz-debugsource-5.2.3-150000.4.7.1
xz-devel-5.2.3-150000.4.7.1
xz-static-devel-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Server 15-LTSS (noarch):
xz-lang-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Realtime Extension 15-SP2 (x86_64):
liblzma5-32bit-5.2.3-150000.4.7.1
liblzma5-32bit-debuginfo-5.2.3-150000.4.7.1
liblzma5-5.2.3-150000.4.7.1
liblzma5-debuginfo-5.2.3-150000.4.7.1
xz-5.2.3-150000.4.7.1
xz-debuginfo-5.2.3-150000.4.7.1
xz-debugsource-5.2.3-150000.4.7.1
xz-devel-5.2.3-150000.4.7.1
xz-static-devel-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Realtime Extension 15-SP2 (noarch):
xz-lang-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Module for Basesystem 15-SP4 (aarch64 ppc64le s390x x86_64):
liblzma5-5.2.3-150000.4.7.1
liblzma5-debuginfo-5.2.3-150000.4.7.1
xz-5.2.3-150000.4.7.1
xz-debuginfo-5.2.3-150000.4.7.1
xz-debugsource-5.2.3-150000.4.7.1
xz-devel-5.2.3-150000.4.7.1
xz-static-devel-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Module for Basesystem 15-SP4 (noarch):
xz-lang-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Module for Basesystem 15-SP4 (x86_64):
liblzma5-32bit-5.2.3-150000.4.7.1
liblzma5-32bit-debuginfo-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x
x86_64):
liblzma5-5.2.3-150000.4.7.1
liblzma5-debuginfo-5.2.3-150000.4.7.1
xz-5.2.3-150000.4.7.1
xz-debuginfo-5.2.3-150000.4.7.1
xz-debugsource-5.2.3-150000.4.7.1
xz-devel-5.2.3-150000.4.7.1
xz-static-devel-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Module for Basesystem 15-SP3 (x86_64):
liblzma5-32bit-5.2.3-150000.4.7.1
liblzma5-32bit-debuginfo-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Module for Basesystem 15-SP3 (noarch):
xz-lang-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Micro 5.2 (aarch64 s390x x86_64):
liblzma5-5.2.3-150000.4.7.1
liblzma5-debuginfo-5.2.3-150000.4.7.1
xz-5.2.3-150000.4.7.1
xz-debuginfo-5.2.3-150000.4.7.1
xz-debugsource-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Micro 5.1 (aarch64 s390x x86_64):
liblzma5-5.2.3-150000.4.7.1
liblzma5-debuginfo-5.2.3-150000.4.7.1
xz-5.2.3-150000.4.7.1
xz-debuginfo-5.2.3-150000.4.7.1
xz-debugsource-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Micro 5.0 (aarch64 x86_64):
liblzma5-5.2.3-150000.4.7.1
liblzma5-debuginfo-5.2.3-150000.4.7.1
xz-5.2.3-150000.4.7.1
xz-debuginfo-5.2.3-150000.4.7.1
xz-debugsource-5.2.3-150000.4.7.1
o SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (aarch64
x86_64):
liblzma5-5.2.3-150000.4.7.1
liblzma5-debuginfo-5.2.3-150000.4.7.1
xz-5.2.3-150000.4.7.1
xz-debuginfo-5.2.3-150000.4.7.1
xz-debugsource-5.2.3-150000.4.7.1
xz-devel-5.2.3-150000.4.7.1
xz-static-devel-5.2.3-150000.4.7.1
o SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (x86_64):
liblzma5-32bit-5.2.3-150000.4.7.1
liblzma5-32bit-debuginfo-5.2.3-150000.4.7.1
o SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (noarch):
xz-lang-5.2.3-150000.4.7.1
o SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (aarch64
x86_64):
liblzma5-5.2.3-150000.4.7.1
liblzma5-debuginfo-5.2.3-150000.4.7.1
xz-5.2.3-150000.4.7.1
xz-debuginfo-5.2.3-150000.4.7.1
xz-debugsource-5.2.3-150000.4.7.1
xz-devel-5.2.3-150000.4.7.1
xz-static-devel-5.2.3-150000.4.7.1
o SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (x86_64):
liblzma5-32bit-5.2.3-150000.4.7.1
liblzma5-32bit-debuginfo-5.2.3-150000.4.7.1
o SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (noarch):
xz-lang-5.2.3-150000.4.7.1
o SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64
x86_64):
liblzma5-5.2.3-150000.4.7.1
liblzma5-debuginfo-5.2.3-150000.4.7.1
xz-5.2.3-150000.4.7.1
xz-debuginfo-5.2.3-150000.4.7.1
xz-debugsource-5.2.3-150000.4.7.1
xz-devel-5.2.3-150000.4.7.1
xz-static-devel-5.2.3-150000.4.7.1
o SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (x86_64):
liblzma5-32bit-5.2.3-150000.4.7.1
liblzma5-32bit-debuginfo-5.2.3-150000.4.7.1
o SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (noarch):
xz-lang-5.2.3-150000.4.7.1
o SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64
x86_64):
liblzma5-5.2.3-150000.4.7.1
liblzma5-debuginfo-5.2.3-150000.4.7.1
xz-5.2.3-150000.4.7.1
xz-debuginfo-5.2.3-150000.4.7.1
xz-debugsource-5.2.3-150000.4.7.1
xz-devel-5.2.3-150000.4.7.1
xz-static-devel-5.2.3-150000.4.7.1
o SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (noarch):
xz-lang-5.2.3-150000.4.7.1
o SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (x86_64):
liblzma5-32bit-5.2.3-150000.4.7.1
liblzma5-32bit-debuginfo-5.2.3-150000.4.7.1
o SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):
liblzma5-5.2.3-150000.4.7.1
liblzma5-debuginfo-5.2.3-150000.4.7.1
xz-5.2.3-150000.4.7.1
xz-debuginfo-5.2.3-150000.4.7.1
xz-debugsource-5.2.3-150000.4.7.1
xz-devel-5.2.3-150000.4.7.1
xz-static-devel-5.2.3-150000.4.7.1
o SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch):
xz-lang-5.2.3-150000.4.7.1
o SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64):
liblzma5-32bit-5.2.3-150000.4.7.1
liblzma5-32bit-debuginfo-5.2.3-150000.4.7.1
o SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):
liblzma5-5.2.3-150000.4.7.1
liblzma5-debuginfo-5.2.3-150000.4.7.1
xz-5.2.3-150000.4.7.1
xz-debuginfo-5.2.3-150000.4.7.1
xz-debugsource-5.2.3-150000.4.7.1
xz-devel-5.2.3-150000.4.7.1
xz-static-devel-5.2.3-150000.4.7.1
o SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch):
xz-lang-5.2.3-150000.4.7.1
o SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64):
liblzma5-32bit-5.2.3-150000.4.7.1
liblzma5-32bit-debuginfo-5.2.3-150000.4.7.1
o SUSE Enterprise Storage 7 (aarch64 x86_64):
liblzma5-5.2.3-150000.4.7.1
liblzma5-debuginfo-5.2.3-150000.4.7.1
xz-5.2.3-150000.4.7.1
xz-debuginfo-5.2.3-150000.4.7.1
xz-debugsource-5.2.3-150000.4.7.1
xz-devel-5.2.3-150000.4.7.1
xz-static-devel-5.2.3-150000.4.7.1
o SUSE Enterprise Storage 7 (x86_64):
liblzma5-32bit-5.2.3-150000.4.7.1
liblzma5-32bit-debuginfo-5.2.3-150000.4.7.1
o SUSE Enterprise Storage 7 (noarch):
xz-lang-5.2.3-150000.4.7.1
o SUSE Enterprise Storage 6 (aarch64 x86_64):
liblzma5-5.2.3-150000.4.7.1
liblzma5-debuginfo-5.2.3-150000.4.7.1
xz-5.2.3-150000.4.7.1
xz-debuginfo-5.2.3-150000.4.7.1
xz-debugsource-5.2.3-150000.4.7.1
xz-devel-5.2.3-150000.4.7.1
xz-static-devel-5.2.3-150000.4.7.1
o SUSE Enterprise Storage 6 (x86_64):
liblzma5-32bit-5.2.3-150000.4.7.1
liblzma5-32bit-debuginfo-5.2.3-150000.4.7.1
o SUSE Enterprise Storage 6 (noarch):
xz-lang-5.2.3-150000.4.7.1
o SUSE CaaS Platform 4.0 (x86_64):
liblzma5-32bit-5.2.3-150000.4.7.1
liblzma5-32bit-debuginfo-5.2.3-150000.4.7.1
liblzma5-5.2.3-150000.4.7.1
liblzma5-debuginfo-5.2.3-150000.4.7.1
xz-5.2.3-150000.4.7.1
xz-debuginfo-5.2.3-150000.4.7.1
xz-debugsource-5.2.3-150000.4.7.1
xz-devel-5.2.3-150000.4.7.1
xz-static-devel-5.2.3-150000.4.7.1
o SUSE CaaS Platform 4.0 (noarch):
xz-lang-5.2.3-150000.4.7.1
References:
o https://www.suse.com/security/cve/CVE-2022-1271.html
o https://bugzilla.suse.com/1198062
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
ESB-2022.1590 - [SUSE] xz: CVSS (Max): 8.4
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1590
Security update for xz
13 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: xz
Publisher: SUSE
Operating System: SUSE
Resolution: Patch/Upgrade
CVE Names: CVE-2022-1271
Original Bulletin:
https://www.suse.com/support/update/announcement/2022/suse-su-202214938-1
Comment: CVSS (Max): 8.4 CVE-2022-1271 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: SUSE
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
SUSE Security Update: Security update for xz
______________________________________________________________________________
Announcement ID: SUSE-SU-2022:14938-1
Rating: important
References: #1198062
Cross-References: CVE-2022-1271
Affected Products:
SUSE Linux Enterprise Debuginfo 11-SP3
SUSE Linux Enterprise Debuginfo 11-SP4
SUSE Linux Enterprise Point of Sale 11-SP3
SUSE Linux Enterprise Server 11-SP4-LTSS
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for xz fixes the following issues:
o CVE-2022-1271: Fixed an incorrect escaping of malicious filenames
(ZDI-CAN-16587). (bsc#1198062)
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
o SUSE Linux Enterprise Server 11-SP4-LTSS:
zypper in -t patch slessp4-xz-14938=1
o SUSE Linux Enterprise Point of Sale 11-SP3:
zypper in -t patch sleposp3-xz-14938=1
o SUSE Linux Enterprise Debuginfo 11-SP4:
zypper in -t patch dbgsp4-xz-14938=1
o SUSE Linux Enterprise Debuginfo 11-SP3:
zypper in -t patch dbgsp3-xz-14938=1
Package List:
o SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64):
liblzma5-5.0.3-0.12.7.1
xz-5.0.3-0.12.7.1
xz-lang-5.0.3-0.12.7.1
o SUSE Linux Enterprise Server 11-SP4-LTSS (ppc64 s390x x86_64):
liblzma5-32bit-5.0.3-0.12.7.1
o SUSE Linux Enterprise Point of Sale 11-SP3 (i586):
liblzma5-5.0.3-0.12.7.1
xz-5.0.3-0.12.7.1
xz-lang-5.0.3-0.12.7.1
o SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64):
xz-debuginfo-5.0.3-0.12.7.1
xz-debugsource-5.0.3-0.12.7.1
o SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64):
xz-debuginfo-5.0.3-0.12.7.1
xz-debugsource-5.0.3-0.12.7.1
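To confirm that a host actually received this fix rather than merely queued it, the following is an added example (not SUSE's or AusCERT's code): a POSIX shell audit that compares an rpm inventory with the fixed SLES 11-SP4-LTSS versions from the Package List above. The inventories are constructed samples, and the version comparison is a simplified numeric-segment form of rpm's ordering, which is sufficient for the versions in this bulletin.

```shell
#!/bin/sh
# Added example, not SUSE's or AusCERT's code: audit an RPM inventory against
# the fixed xz package versions from SUSE-SU-2022:14938-1 (SLES 11-SP4-LTSS).

# Fixed versions, copied from the bulletin's Package List for SLES 11-SP4-LTSS.
FIXED_VERSIONS="liblzma5 5.0.3-0.12.7.1
liblzma5-32bit 5.0.3-0.12.7.1
xz 5.0.3-0.12.7.1
xz-lang 5.0.3-0.12.7.1"

# Compare two VERSION-RELEASE strings and print -1, 0 or 1 (a<b, a=b, a>b).
# Simplified form of rpm's ordering: each string is split into numeric runs
# and compared segment by segment, so 0.12.10.1 > 0.12.7.1 (numeric, not
# lexical). Alphabetic segments and tilde/caret rules are not handled; none of
# the versions in this bulletin need them.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, as, /[^0-9]+/); nb = split(b, bs, /[^0-9]+/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? as[i] + 0 : 0
            y = (i <= nb) ? bs[i] + 0 : 0
            if (x < y) { print "-1"; exit }
            if (x > y) { print "1"; exit }
        }
        print "0"
    }'
}

# Look up one package in an inventory given as "NAME VERSION-RELEASE" lines,
# the format produced by: rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
installed_version() {
    printf '%s\n' "$2" | awk -v n="$1" '$1 == n { print $2; exit }'
}

# Print one status line per bulletin package. Returns 1 if any installed
# package is older than the fixed version, 0 if every installed one is fixed.
# A package that is absent from the inventory is reported but not a failure.
audit_xz_packages() {
    inventory="$1"
    status=0
    while read -r name fixed; do
        installed=$(installed_version "$name" "$inventory")
        if [ -z "$installed" ]; then
            printf '%s: not installed\n' "$name"
        elif [ "$(vercmp "$installed" "$fixed")" -lt 0 ]; then
            printf '%s: %s is older than %s -> VULNERABLE\n' "$name" "$installed" "$fixed"
            status=1
        else
            printf '%s: %s >= %s -> patched\n' "$name" "$installed" "$fixed"
        fi
    done <<EOF
$FIXED_VERSIONS
EOF
    return $status
}

# Constructed sample inventories (not real host data). The pre-fix release
# number 0.12.6.1 and the zlib line are made up for the demonstration.
SAMPLE_UNPATCHED="zlib 1.2.7-0.10.1
liblzma5 5.0.3-0.12.6.1
xz 5.0.3-0.12.6.1
xz-lang 5.0.3-0.12.6.1"
SAMPLE_PATCHED="zlib 1.2.7-0.10.1
liblzma5 5.0.3-0.12.7.1
xz 5.0.3-0.12.7.1
xz-lang 5.0.3-0.12.7.1"

audit_xz_packages "$SAMPLE_UNPATCHED" || printf 'unpatched host: apply patch slessp4-xz-14938\n'
audit_xz_packages "$SAMPLE_PATCHED"
```

On a real host, feed the output of the rpm query named in the comment to audit_xz_packages instead of the constructed samples.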
References:
o https://www.suse.com/security/cve/CVE-2022-1271.html
o https://bugzilla.suse.com/1198062
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
ESB-2022.1589 - [SUSE] Linux Kernel: CVSS (Max): 8.4
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1589
Security update for the Linux Kernel
13 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Linux Kernel
Publisher: SUSE
Operating System: SUSE
Resolution: Patch/Upgrade
CVE Names: CVE-2022-28390 CVE-2022-28389 CVE-2022-28388
CVE-2022-27666 CVE-2022-27223 CVE-2022-23042
CVE-2022-23041 CVE-2022-23040 CVE-2022-23039
CVE-2022-23038 CVE-2022-23037 CVE-2022-23036
CVE-2022-1205 CVE-2022-1199 CVE-2022-1198
CVE-2022-1195 CVE-2022-1055 CVE-2022-1048
CVE-2022-1016 CVE-2022-1011 CVE-2022-0854
CVE-2022-0850 CVE-2021-45868 CVE-2021-45402
CVE-2021-39698
Original Bulletin:
https://www.suse.com/support/update/announcement/2022/suse-su-20221163-1
Comment: CVSS (Max): 8.4 CVE-2022-1055 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: SUSE
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________
Announcement ID: SUSE-SU-2022:1163-1
Rating: important
References: #1065729 #1156395 #1175667 #1177028 #1178134 #1179639
#1180153 #1189562 #1194589 #1194625 #1194649 #1194943
#1195051 #1195353 #1195640 #1195926 #1196018 #1196130
#1196196 #1196478 #1196488 #1196761 #1196823 #1196956
#1197227 #1197243 #1197245 #1197300 #1197302 #1197331
#1197343 #1197366 #1197389 #1197460 #1197462 #1197501
#1197534 #1197661 #1197675 #1197677 #1197702 #1197811
#1197812 #1197815 #1197817 #1197819 #1197820 #1197888
#1197889 #1197894 #1198027 #1198028 #1198029 #1198030
#1198031 #1198032 #1198033 #1198077
Cross-References: CVE-2021-39698 CVE-2021-45402 CVE-2021-45868 CVE-2022-0850
CVE-2022-0854 CVE-2022-1011 CVE-2022-1016 CVE-2022-1048
CVE-2022-1055 CVE-2022-1195 CVE-2022-1198 CVE-2022-1199
CVE-2022-1205 CVE-2022-23036 CVE-2022-23037 CVE-2022-23038
CVE-2022-23039 CVE-2022-23040 CVE-2022-23041 CVE-2022-23042
CVE-2022-27223 CVE-2022-27666 CVE-2022-28388 CVE-2022-28389
CVE-2022-28390
Affected Products:
SUSE Linux Enterprise High Performance Computing 15-SP3
SUSE Linux Enterprise Module for Public Cloud 15-SP3
SUSE Linux Enterprise Server 15-SP3
SUSE Linux Enterprise Server for SAP Applications 15-SP3
SUSE Manager Proxy 4.2
SUSE Manager Server 4.2
openSUSE Leap 15.3
______________________________________________________________________________
An update that solves 25 vulnerabilities and has 33 fixes is now available.
Description:
The SUSE Linux Enterprise 15 SP3 kernel was updated to receive various security
and bugfixes.
The following security bugs were fixed:
o CVE-2022-0854: Fixed a memory leak flaw in the Linux kernel's DMA
subsystem. This flaw allowed a local user to read random memory from the
kernel space. (bnc#1196823)
o CVE-2022-1016: Fixed a vulnerability in the nf_tables component of the
netfilter subsystem. This vulnerability gives an attacker a powerful
primitive that can be used to both read from and write to relative stack
data, which can lead to arbitrary code execution. (bsc#1197227)
o CVE-2022-1199: Fixed null pointer dereference and use-after-free
vulnerabilities that allow an attacker to crash the Linux kernel by
simulating Amateur Radio. (bsc#1198028)
o CVE-2022-1205: Fixed null pointer dereference and use-after-free
vulnerabilities that allow an attacker to crash the Linux kernel by
simulating Amateur Radio. (bsc#1198027)
o CVE-2022-1198: Fixed a use-after-free vulnerability that allows an attacker
to crash the Linux kernel by simulating Amateur Radio. (bsc#1198030)
o CVE-2022-1195: Fixed a use-after-free vulnerability which could allow a
local attacker with user privileges to cause a denial of service.
(bsc#1198029)
o CVE-2022-28389: Fixed a double free vulnerability in
drivers/net/can/usb/mcba_usb.c in the Linux kernel. (bnc#1198033)
o CVE-2022-28388: Fixed a double free vulnerability in
drivers/net/can/usb/usb_8dev.c in the Linux kernel. (bnc#1198032)
o CVE-2022-28390: Fixed a double free vulnerability in
drivers/net/can/usb/ems_usb.c in the Linux kernel. (bnc#1198031)
o CVE-2022-1048: Fixed a race condition in snd_pcm_hw_free leading to a
use-after-free due to the AB/BA lock ordering of buffer_mutex and mmap_lock.
(bsc#1197331)
o CVE-2022-1055: Fixed a use-after-free in tc_new_tfilter that could allow a
local attacker to gain privilege escalation. (bnc#1197702)
o CVE-2022-0850: Fixed a kernel information leak vulnerability in iov_iter.c.
(bsc#1196761)
o CVE-2022-27666: Fixed a buffer overflow vulnerability in IPsec ESP
transformation code. This flaw allowed a local attacker with a normal user
privilege to overwrite kernel heap objects and may cause a local privilege
escalation. (bnc#1197462)
o CVE-2021-45868: Fixed a wrong validation check in fs/quota/quota_tree.c
which could lead to a use-after-free if there is a corrupted quota file.
(bnc#1197366)
o CVE-2022-1011: Fixed a use-after-free vulnerability which could allow a
local attacker to retrieve (partial) /etc/shadow hashes or any other data
from the filesystem when they can mount a FUSE filesystem. (bnc#1197343)
o CVE-2022-27223: Fixed an out-of-array access in
/usb/gadget/udc/udc-xilinx.c. (bsc#1197245)
o CVE-2021-39698: Fixed a possible memory corruption due to a use after free
in aio_poll_complete_work. This could lead to local escalation of privilege
with no additional execution privileges needed. (bsc#1196956)
o CVE-2021-45402: Fixed a pointer leak in check_alu_op() of
kernel/bpf/verifier.c. (bsc#1196130)
o CVE-2022-23036, CVE-2022-23037, CVE-2022-23038, CVE-2022-23039,
CVE-2022-23040, CVE-2022-23041, CVE-2022-23042: Fixed multiple issues which
could have led to read/write access to memory pages or denial of service.
These issues are related to the Xen PV device frontend drivers. (bsc#1196488)
The following non-security bugs were fixed:
o ACPI / x86: Work around broken XSDT on Advantech DAC-BJ01 board
(git-fixes).
o ACPI: APEI: fix return value of __setup handlers (git-fixes).
o ACPI: battery: Add device HID and quirk for Microsoft Surface Go 3
(git-fixes).
o ACPI: CPPC: Avoid out of bounds access when parsing _CPC data (git-fixes).
o ACPI: docs: enumeration: Discourage to use custom _DSM methods (git-fixes).
o ACPI: docs: enumeration: Remove redundant .owner assignment (git-fixes).
o ACPI: properties: Consistently return -ENOENT if there are no more
references (git-fixes).
o ACPI: video: Force backlight native for Clevo NL5xRU and NL5xNU
(git-fixes).
o ALSA: cmipci: Restore aux vol on suspend/resume (git-fixes).
o ALSA: firewire-lib: fix uninitialized flag for AV/C deferred transaction
(git-fixes).
o ALSA: hda/realtek - Fix headset mic problem for a HP machine with alc671
(git-fixes).
o ALSA: hda/realtek: Add quirk for ASUS GA402 (git-fixes).
o ALSA: oss: Fix PCM OSS buffer allocation overflow (git-fixes).
o ALSA: pci: fix reading of swapped values from pcmreg in AC97 codec
(git-fixes).
o ALSA: pcm: Add stream lock during PCM reset ioctl operations (git-fixes).
o ALSA: spi: Add check for clk_enable() (git-fixes).
o ALSA: usb-audio: Add mute TLV for playback volumes on RODE NT-USB
(git-fixes).
o ASoC: atmel_ssc_dai: Handle errors for clk_enable (git-fixes).
o ASoC: atmel: Add missing of_node_put() in at91sam9g20ek_audio_probe
(git-fixes).
o ASoC: codecs: wcd934x: Add missing of_node_put() in
wcd934x_codec_parse_data (git-fixes).
o ASoC: codecs: wcd934x: fix return value of wcd934x_rx_hph_mode_put
(git-fixes).
o ASoC: dmaengine: do not use a NULL prepare_slave_config() callback
(git-fixes).
o ASoC: dwc-i2s: Handle errors for clk_enable (git-fixes).
o ASoC: fsi: Add check for clk_enable (git-fixes).
o ASoC: fsl_spdif: Disable TX clock when stop (git-fixes).
o ASoC: imx-es8328: Fix error return code in imx_es8328_probe() (git-fixes).
o ASoC: msm8916-wcd-analog: Fix error handling in
pm8916_wcd_analog_spmi_probe (git-fixes).
o ASoC: msm8916-wcd-digital: Fix missing clk_disable_unprepare() in
msm8916_wcd_digital_probe (git-fixes).
o ASoC: mxs-saif: Handle errors for clk_enable (git-fixes).
o ASoC: mxs: Fix error handling in mxs_sgtl5000_probe (git-fixes).
o ASoC: rt5663: check the return value of devm_kzalloc() in rt5663_parse_dp()
(git-fixes).
o ASoC: SOF: Add missing of_node_put() in imx8m_probe (git-fixes).
o ASoC: SOF: topology: remove redundant code (git-fixes).
o ASoC: sti: Fix deadlock via snd_pcm_stop_xrun() call (git-fixes).
o ASoC: ti: davinci-i2s: Add check for clk_enable() (git-fixes).
o ASoC: topology: Allow TLV control to be either read or write (git-fixes).
o ASoC: topology: Optimize soc_tplg_dapm_graph_elems_load behavior
(git-fixes).
o ASoC: wm8350: Handle error for wm8350_register_irq (git-fixes).
o ASoC: xilinx: xlnx_formatter_pcm: Handle sysclk setting (git-fixes).
o ax25: Fix NULL pointer dereference in ax25_kill_by_device (git-fixes).
o ax88179_178a: Merge memcpy + le32_to_cpus to get_unaligned_le32 (bsc#
1196018).
o block: update io_ticks when io hang (bsc#1197817).
o block/wbt: fix negative inflight counter when remove scsi device (bsc#
1197819).
o bpf: Fix comment for helper bpf_current_task_under_cgroup() (git-fixes).
o bpf: Remove config check to enable bpf support for branch records
(git-fixes bsc#1177028).
o btrfs: avoid unnecessary lock and leaf splits when updating inode in the
log (bsc#1194649).
o btrfs: avoid unnecessary log mutex contention when syncing log (bsc#
1194649).
o btrfs: avoid unnecessary logging of xattrs during fast fsyncs (bsc#
1194649).
o btrfs: check error value from btrfs_update_inode in tree log (bsc#1194649).
o btrfs: check if a log root exists before locking the log_mutex on unlink
(bsc#1194649).
o btrfs: check if a log tree exists at inode_logged() (bsc#1194649).
o btrfs: do not commit delayed inode when logging a file in full sync mode
(bsc#1194649).
o btrfs: do not log new dentries when logging that a new name exists (bsc#
1194649).
o btrfs: eliminate some false positives when checking if inode was logged
(bsc#1194649).
o btrfs: fix race leading to unnecessary transaction commit when logging
inode (bsc#1194649).
o btrfs: fix race that causes unnecessary logging of ancestor inodes (bsc#
1194649).
o btrfs: fix race that makes inode logging fallback to transaction commit
(bsc#1194649).
o btrfs: fix race that results in logging old extents during a fast fsync
(bsc#1194649).
o btrfs: fixup error handling in fixup_inode_link_counts (bsc#1194649).
o btrfs: remove no longer needed full sync flag check at inode_logged() (bsc#
1194649).
o btrfs: Remove unnecessary check from join_running_log_trans (bsc#1194649).
o btrfs: remove unnecessary directory inode item update when deleting dir
entry (bsc#1194649).
o btrfs: remove unnecessary list head initialization when syncing log (bsc#
1194649).
o btrfs: skip unnecessary searches for xattrs when logging an inode (bsc#
1194649).
o can: ems_usb: ems_usb_start_xmit(): fix double dev_kfree_skb() in error
path (git-fixes).
o can: mcba_usb: mcba_usb_start_xmit(): fix double dev_kfree_skb in error
path (git-fixes).
o can: mcba_usb: properly check endpoint type (git-fixes).
o can: rcar_canfd: rcar_canfd_channel_probe(): register the CAN device when
fully ready (git-fixes).
o cifs: do not skip link targets when an I/O fails (bsc#1194625).
o cifs: use the correct max-length for dentry_path_raw() (bsc#1196196).
o clk: actions: Terminate clk_div_table with sentinel element (git-fixes).
o clk: bcm2835: Remove unused variable (git-fixes).
o clk: clps711x: Terminate clk_div_table with sentinel element (git-fixes).
o clk: imx7d: Remove audio_mclk_root_clk (git-fixes).
o clk: Initialize orphan req_rate (git-fixes).
o clk: loongson1: Terminate clk_div_table with sentinel element (git-fixes).
o clk: nxp: Remove unused variable (git-fixes).
o clk: qcom: gcc-msm8994: Fix gpll4 width (git-fixes).
o clk: qcom: ipq8074: Use floor ops for SDCC1 clock (git-fixes).
o clk: tegra: tegra124-emc: Fix missing put_device() call in
emc_ensure_emc_driver (git-fixes).
o clk: uniphier: Fix fixed-rate initialization (git-fixes).
o clocksource: acpi_pm: fix return value of __setup handler (git-fixes).
o clocksource/drivers/timer-of: Check return value of of_iomap in
timer_of_base_init() (git-fixes).
o cpufreq: schedutil: Destroy mutex before kobject_put() frees (git-fixes).
o crypto: authenc - Fix sleep in atomic context in decrypt_tail (git-fixes).
o crypto: cavium/nitrox - do not cast parameter in bit operations
(git-fixes).
o crypto: ccp - ccp_dmaengine_unregister release dma channels (git-fixes).
o crypto: ccree - do not attempt 0 len DMA mappings (git-fixes).
o crypto: mxs-dcp - Fix scatterlist processing (git-fixes).
o crypto: qat - do not cast parameter in bit operations (git-fixes).
o crypto: rsa-pkcs1pad - correctly get hash from source scatterlist
(git-fixes).
o crypto: rsa-pkcs1pad - fix buffer overread in pkcs1pad_verify_complete()
(git-fixes).
o crypto: rsa-pkcs1pad - restore signature length check (git-fixes).
o crypto: vmx - add missing dependencies (git-fixes).
o dma/pool: create dma atomic pool only if dma zone has managed pages (bsc#
1197501).
o driver core: dd: fix return value of __setup handler (git-fixes).
o drm: bridge: adv7511: Fix ADV7535 HPD enablement (git-fixes).
o drm/amd/display: Add affected crtcs to atomic state for dsc mst unplug
(git-fixes).
o drm/amd/pm: return -ENOTSUPP if there is no get_dpm_ultimate_freq function
(git-fixes).
o drm/bridge: dw-hdmi: use safe format when first in bridge chain
(git-fixes).
o drm/bridge: nwl-dsi: Fix PM disable depth imbalance in nwl_dsi_probe
(git-fixes).
o drm/doc: overview before functions for drm_writeback.c (git-fixes).
o drm/i915: Fix dbuf slice config lookup (git-fixes).
o drm/i915/gem: add missing boundary check in vm_access (git-fixes).
o drm/imx: parallel-display: Remove bus flags check in
imx_pd_bridge_atomic_check() (git-fixes).
o drm/meson: Fix error handling when afbcd.ops->init fails (git-fixes).
o drm/meson: osd_afbcd: Add an exit callback to struct meson_afbcd_ops
(git-fixes).
o drm/msm/dpu: add DSPP blocks teardown (git-fixes).
o drm/nouveau/acr: Fix undefined behavior in nvkm_acr_hsfw_load_bl()
(git-fixes).
o drm/panel: simple: Fix Innolux G070Y2-L01 BPP settings (git-fixes).
o drm/sun4i: mixer: Fix P010 and P210 format numbers (git-fixes).
o drm/vc4: crtc: Fix runtime_pm reference counting (git-fixes).
o drm/vc4: crtc: Make sure the HDMI controller is powered when disabling
(git-fixes).
o drm/vrr: Set VRR capable prop only if it is attached to connector
(git-fixes).
o Drop HID multitouch fix patch (bsc#1197243).
o ecryptfs: fix kernel panic with null dev_name (bsc#1197812).
o ecryptfs: Fix typo in message (bsc#1197811).
o EDAC: Fix calculation of returned address and next offset in edac_align_ptr
() (bsc#1178134).
o ext2: correct max file size computing (bsc#1197820).
o firmware: google: Properly state IOMEM dependency (git-fixes).
o firmware: qcom: scm: Remove reassignment to desc following initializer
(git-fixes).
o fscrypt: do not ignore minor_hash when hash is 0 (bsc#1197815).
o gianfar: ethtool: Fix refcount leak in gfar_get_ts_info (git-fixes).
o gpio: ts4900: Do not set DAT and OE together (git-fixes).
o gpiolib: acpi: Convert ACPI value of debounce to microseconds (git-fixes).
o HID: multitouch: fix Dell Precision 7550 and 7750 button type (bsc#
1197243).
o hwmon: (pmbus) Add mutex to regulator ops (git-fixes).
o hwmon: (pmbus) Add Vin unit off handling (git-fixes).
o hwmon: (sch56xx-common) Replace WDOG_ACTIVE with WDOG_HW_RUNNING
(git-fixes).
o hwrng: atmel - disable trng on failure path (git-fixes).
o i915_vma: Rename vma_lookup to i915_vma_lookup (git-fixes).
o ibmvnic: fix race between xmit and reset (bsc#1197302 ltc#197259).
o iio: accel: mma8452: use the correct logic to get mma8452_data (git-fixes).
o iio: adc: Add check for devm_request_threaded_irq (git-fixes).
o iio: afe: rescale: use s64 for temporary scale calculations (git-fixes).
o iio: inkern: apply consumer scale on IIO_VAL_INT cases (git-fixes).
o iio: inkern: apply consumer scale when no channel scale is available
(git-fixes).
o iio: inkern: make a best effort on offset calculation (git-fixes).
o Input: aiptek - properly check endpoint type (git-fixes).
o iwlwifi: do not advertise TWT support (git-fixes).
o kernel-binary.spec: Do not use the default certificate path (bsc#1194943).
o KVM: SVM: Do not flush cache if hardware enforces cache coherency across
encryption domains (bsc#1178134).
o llc: fix netdevice reference leaks in llc_ui_bind() (git-fixes).
o mac80211: fix potential double free on mesh join (git-fixes).
o mac80211: refuse aggregations sessions before authorized (git-fixes).
o media: aspeed: Correct value for h-total-pixels (git-fixes).
o media: bttv: fix WARNING regression on tunerless devices (git-fixes).
o media: coda: Fix missing put_device() call in coda_get_vdoa_data
(git-fixes).
o media: davinci: vpif: fix unbalanced runtime PM get (git-fixes).
o media: em28xx: initialize refcount before kref_get (git-fixes).
o media: hantro: Fix overfill bottom register field name (git-fixes).
o media: Revert "media: em28xx: add missing em28xx_close_extension"
(git-fixes).
o media: stk1160: If start stream fails, return buffers with
VB2_BUF_STATE_QUEUED (git-fixes).
o media: usb: go7007: s2250-board: fix leak in probe() (git-fixes).
o media: video/hdmi: handle short reads of hdmi info frame (git-fixes).
o membarrier: Execute SYNC_CORE on the calling thread (git-fixes)
o membarrier: Explicitly sync remote cores when SYNC_CORE is (git-fixes)
o memory: emif: Add check for setup_interrupts (git-fixes).
o memory: emif: check the pointer temp in get_device_details() (git-fixes).
o misc: alcor_pci: Fix an error handling path (git-fixes).
o misc: sgi-gru: Do not cast parameter in bit operations (git-fixes).
o mm_zone: add function to check if managed dma zone exists (bsc#1197501).
o mm/page_alloc.c: do not warn allocation failure on zone DMA if no managed
pages (bsc#1197501).
o mmc: davinci_mmc: Handle error for clk_enable (git-fixes).
o mmc: meson: Fix usage of meson_mmc_post_req() (git-fixes).
o net: dsa: mv88e6xxx: override existent unicast portvec in port_fdb_add
(git-fixes).
o net: enetc: initialize the RFS and RSS memories (git-fixes).
o net: hns3: add a check for tqp_index in hclge_get_ring_chain_from_mbx()
(git-fixes).
o net: phy: broadcom: Fix brcm_fet_config_init() (git-fixes).
o net: phy: DP83822: clear MISR2 register to disable interrupts (git-fixes).
o net: phy: marvell: Fix invalid comparison in the resume and suspend
functions (git-fixes).
o net: stmmac: set TxQ mode back to DCB after disabling CBS (git-fixes).
o net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup (bsc#
1196018).
o net: watchdog: hold device global xmit lock during tx disable (git-fixes).
o net/smc: Fix loop in smc_listen (git-fixes).
o net/smc: fix using of uninitialized completions (git-fixes).
o net/smc: fix wrong list_del in smc_lgr_cleanup_early (git-fixes).
o net/smc: Make sure the link_id is unique (git-fixes).
o net/smc: Reset conn->lgr when link group registration fails (git-fixes).
o netfilter: conntrack: do not refresh sctp entries in closed state (bsc#
1197389).
o netxen_nic: fix MSI/MSI-x interrupts (git-fixes).
o NFC: port100: fix use-after-free in port100_send_complete (git-fixes).
o NFS: Avoid duplicate uncached readdir calls on eof (git-fixes).
o NFS: Do not report writeback errors in nfs_getattr() (git-fixes).
o NFS: Do not skip directory entries when doing uncached readdir (git-fixes).
o NFS: Ensure the server had an up to date ctime before hardlinking
(git-fixes).
o NFS: Fix initialisation of nfs_client cl_flags field (git-fixes).
o NFS: LOOKUP_DIRECTORY is also ok with symlinks (git-fixes).
o NFS: Return valid errors from nfs2/3_decode_dirent() (git-fixes).
o NFS: Use of mapping_set_error() results in spurious errors (git-fixes).
o nfsd: nfsd4_setclientid_confirm mistakenly expires confirmed client
(git-fixes).
o NFSv4.1: do not retry BIND_CONN_TO_SESSION on session error (git-fixes).
o NFSv4/pNFS: Fix another issue with a list iterator pointing to the head
(git-fixes).
o pinctrl: mediatek: Fix missing of_node_put() in mtk_pctrl_init (git-fixes).
o pinctrl: mediatek: paris: Fix "argument" argument type for
mtk_pinconf_get() (git-fixes).
o pinctrl: mediatek: paris: Fix pingroup pin config state readback
(git-fixes).
o pinctrl: nomadik: Add missing of_node_put() in nmk_pinctrl_probe
(git-fixes).
o pinctrl: nuvoton: npcm7xx: Rename DS() macro to DSTR() (git-fixes).
o pinctrl: nuvoton: npcm7xx: Use %zu printk format for ARRAY_SIZE()
(git-fixes).
o pinctrl: pinconf-generic: Print arguments for bias-pull-* (git-fixes).
o pinctrl: samsung: drop pin banks references on error paths (git-fixes).
o pinctrl/rockchip: Add missing of_node_put() in rockchip_pinctrl_probe
(git-fixes).
o PM: hibernate: fix __setup handler error handling (git-fixes).
o PM: suspend: fix return value of __setup handler (git-fixes).
o powerpc/lib/sstep: Fix 'sthcx' instruction (bsc#1156395).
o powerpc/mm: Fix verification of MMU_FTR_TYPE_44x (bsc#1156395).
o powerpc/mm/numa: skip NUMA_NO_NODE onlining in parse_numa_properties() (bsc
#1179639 ltc#189002 git-fixes).
o powerpc/perf: Do not use perf_hw_context for trace IMC PMU (bsc#1156395).
o powerpc/perf: Expose Performance Monitor Counter SPR's as part of extended
regs (bsc#1198077 ltc#197299).
o powerpc/perf: Include PMCs as part of per-cpu cpuhw_events struct (bsc#
1198077 ltc#197299).
o powerpc/pseries: Fix use after free in remove_phb_dynamic() (bsc#1065729).
o powerpc/sysdev: fix incorrect use to determine if list is empty (bsc#
1065729).
o powerpc/tm: Fix more userspace r13 corruption (bsc#1065729).
o powerpc/xive: fix return value of __setup handler (bsc#1065729).
o printk: Add panic_in_progress helper (bsc#1197894).
o printk: disable optimistic spin during panic (bsc#1197894).
o pwm: lpc18xx-sct: Initialize driver data and hardware before pwmchip_add()
(git-fixes).
o regulator: qcom_smd: fix for_each_child.cocci warnings (git-fixes).
o remoteproc: qcom_wcnss: Add missing of_node_put() in
wcnss_alloc_memory_region (git-fixes).
o remoteproc: qcom: Fix missing of_node_put in adsp_alloc_memory_region
(git-fixes).
o Revert "build initrd without systemd" (bsc#1197300).
o Revert "Input: clear BTN_RIGHT/MIDDLE on buttonpads" (bsc#1197243).
o Revert "module, async: async_synchronize_full() on module init iff async is
used" (bsc#1197888).
o Revert "Revert "build initrd without systemd" (bsc#1197300)"
o Revert "usb: dwc3: gadget: Use list_replace_init() before traversing lists"
(git-fixes).
o s390/bpf: Perform r1 range checking before accessing jit->seen_reg
(git-fixes).
o s390/gmap: do not unconditionally call pte_unmap_unlock() in __gmap_zap()
(git-fixes).
o s390/gmap: validate VMA in __gmap_zap() (git-fixes).
o s390/hypfs: include z/VM guests with access control group set (bsc#1195640
LTC#196352).
o s390/kexec_file: fix error handling when applying relocations (git-fixes).
o s390/kexec: fix memory leak of ipl report buffer (git-fixes).
o s390/kexec: fix return code handling (git-fixes).
o s390/mm: fix VMA and page table handling code in storage key handling
functions (git-fixes).
o s390/mm: validate VMA in PGSTE manipulation functions (git-fixes).
o s390/module: fix loading modules with a lot of relocations (git-fixes).
o s390/pci_mmio: fully validate the VMA before calling follow_pte()
(git-fixes).
o s390/tape: fix timer initialization in tape_std_assign() (bsc#1197677 LTC#
197378).
o scsi: lpfc: Copyright updates for 14.2.0.0 patches (bsc#1197675).
o scsi: lpfc: Drop lpfc_no_handler() (bsc#1197675).
o scsi: lpfc: Fix broken SLI4 abort path (bsc#1197675).
o scsi: lpfc: Fix locking for lpfc_sli_iocbq_lookup() (bsc#1197675).
o scsi: lpfc: Fix queue failures when recovering from PCI parity error (bsc#
1197675 bsc#1196478).
o scsi: lpfc: Fix typos in comments (bsc#1197675).
o scsi: lpfc: Fix unload hang after back to back PCI EEH faults (bsc#1197675
bsc#1196478).
o scsi: lpfc: Improve PCI EEH Error and Recovery Handling (bsc#1197675 bsc#
1196478).
o scsi: lpfc: Kill lpfc_bus_reset_handler() (bsc#1197675).
o scsi: lpfc: Reduce log messages seen after firmware download (bsc#1197675).
o scsi: lpfc: Remove failing soft_wwn support (bsc#1197675).
o scsi: lpfc: Remove NVMe support if kernel has NVME_FC disabled (bsc#
1197675).
o scsi: lpfc: Remove redundant flush_workqueue() call (bsc#1197675).
o scsi: lpfc: SLI path split: Introduce lpfc_prep_wqe (bsc#1197675).
o scsi: lpfc: SLI path split: Refactor Abort paths (bsc#1197675).
o scsi: lpfc: SLI path split: Refactor base ELS paths and the FLOGI path (bsc
#1197675).
o scsi: lpfc: SLI path split: Refactor BSG paths (bsc#1197675).
o scsi: lpfc: SLI path split: Refactor CT paths (bsc#1197675).
o scsi: lpfc: SLI path split: Refactor fast and slow paths to native SLI4
(bsc#1197675).
o scsi: lpfc: SLI path split: Refactor FDISC paths (bsc#1197675).
o scsi: lpfc: SLI path split: Refactor lpfc_iocbq (bsc#1197675).
o scsi: lpfc: SLI path split: Refactor LS_ACC paths (bsc#1197675).
o scsi: lpfc: SLI path split: Refactor LS_RJT paths (bsc#1197675).
o scsi: lpfc: SLI path split: Refactor misc ELS paths (bsc#1197675).
o scsi: lpfc: SLI path split: Refactor PLOGI/PRLI/ADISC/LOGO paths (bsc#
1197675).
o scsi: lpfc: SLI path split: Refactor SCSI paths (bsc#1197675).
o scsi: lpfc: SLI path split: Refactor the RSCN/SCR/RDF/EDC/FARPR paths (bsc#
1197675).
o scsi: lpfc: SLI path split: Refactor VMID paths (bsc#1197675).
o scsi: lpfc: Update lpfc version to 14.2.0.0 (bsc#1197675).
o scsi: lpfc: Update lpfc version to 14.2.0.1 (bsc#1197675).
o scsi: lpfc: Use fc_block_rport() (bsc#1197675).
o scsi: lpfc: Use kcalloc() (bsc#1197675).
o scsi: lpfc: Use rport as argument for lpfc_chk_tgt_mapped() (bsc#1197675).
o scsi: lpfc: Use rport as argument for lpfc_send_taskmgmt() (bsc#1197675).
o scsi: qla2xxx: Fix crash during module load unload test (bsc#1197661).
o scsi: qla2xxx: Fix disk failure to rediscover (bsc#1197661).
o scsi: qla2xxx: Fix hang due to session stuck (bsc#1197661).
o scsi: qla2xxx: Fix incorrect reporting of task management failure (bsc#
1197661).
o scsi: qla2xxx: Fix laggy FC remote port session recovery (bsc#1197661).
o scsi: qla2xxx: Fix loss of NVMe namespaces after driver reload test (bsc#
1197661).
o scsi: qla2xxx: Fix missed DMA unmap for NVMe ls requests (bsc#1197661).
o scsi: qla2xxx: Fix N2N inconsistent PLOGI (bsc#1197661).
o scsi: qla2xxx: Fix stuck session of PRLI reject (bsc#1197661).
o scsi: qla2xxx: Fix typos in comments (bsc#1197661).
o scsi: qla2xxx: Increase max limit of ql2xnvme_queues (bsc#1197661).
o scsi: qla2xxx: Reduce false trigger to login (bsc#1197661).
o scsi: qla2xxx: Stop using the SCSI pointer (bsc#1197661).
o scsi: qla2xxx: Update version to 10.02.07.400-k (bsc#1197661).
o scsi: qla2xxx: Use correct feature type field during RFF_ID processing (bsc
#1197661).
o scsi: qla2xxx: Use named initializers for port_state_str (bsc#1197661).
o scsi: qla2xxx: Use named initializers for q_dev_state (bsc#1197661).
o serial: 8250_lpss: Balance reference count for PCI DMA device (git-fixes).
o serial: 8250_mid: Balance reference count for PCI DMA device (git-fixes).
o serial: 8250: Fix race condition in RTS-after-send handling (git-fixes).
o serial: core: Fix the definition name in the comment of UPF_* flags
(git-fixes).
o soc: qcom: aoss: remove spurious IRQF_ONESHOT flags (git-fixes).
o soc: qcom: rpmpd: Check for null return of devm_kcalloc (git-fixes).
o soc: ti: wkup_m3_ipc: Fix IRQ check in wkup_m3_ipc_probe (git-fixes).
o soundwire: intel: fix wrong register name in intel_shim_wake (git-fixes).
o spi: pxa2xx-pci: Balance reference count for PCI DMA device (git-fixes).
o spi: tegra114: Add missing IRQ check in tegra_spi_probe (git-fixes).
o staging: gdm724x: fix use after free in gdm_lte_rx() (git-fixes).
o staging:iio:adc:ad7280a: Fix handing of device address bit reversing
(git-fixes).
o tcp: add some entropy in __inet_hash_connect() (bsc#1180153).
o tcp: change source port randomization at connect() time (bsc#1180153).
o team: protect features update by RCU to avoid deadlock (git-fixes).
o thermal: int340x: Check for NULL after calling kmemdup() (git-fixes).
o thermal: int340x: Increase bitmap size (git-fixes).
o udp_tunnel: Fix end of loop test in udp_tunnel_nic_unregister()
(git-fixes).
o Update config files (bsc#1195926 bsc#1175667). VIRTIO_PCI=m -> VIRTIO_PCI=y
o usb: bdc: Adb shows offline after resuming from S2 (git-fixes).
o usb: bdc: Fix a resource leak in the error handling path of 'bdc_probe()'
(git-fixes).
o usb: bdc: Fix unused assignment in bdc_probe() (git-fixes).
o usb: bdc: remove duplicated error message (git-fixes).
o usb: bdc: Use devm_clk_get_optional() (git-fixes).
o usb: bdc: use devm_platform_ioremap_resource() to simplify code
(git-fixes).
o usb: dwc2: Fix Stalling a Non-Isochronous OUT EP (git-fixes).
o usb: dwc2: gadget: Fix GOUTNAK flow for Slave mode (git-fixes).
o usb: dwc2: gadget: Fix kill_all_requests race (git-fixes).
o usb: dwc3: gadget: Use list_replace_init() before traversing lists
(git-fixes).
o usb: dwc3: meson-g12a: Disable the regulator in the error handling path of
the probe (git-fixes).
o usb: dwc3: qcom: add IRQ check (git-fixes).
o usb: gadget: bdc: use readl_poll_timeout() to simplify code (git-fixes).
o usb: gadget: Fix use-after-free bug by not setting udc->dev.driver
(git-fixes).
o usb: gadget: rndis: prevent integer overflow in rndis_set_response()
(git-fixes).
o usb: host: xen-hcd: add missing unlock in error path (git-fixes).
o usb: hub: Fix locking issues with address0_mutex (git-fixes).
o usb: usbtmc: Fix bug in pipe direction for control transfers (git-fixes).
o VFS: filename_create(): fix incorrect intent (bsc#1197534).
o video: fbdev: atmel_lcdfb: fix an error code in atmel_lcdfb_probe()
(git-fixes).
o video: fbdev: controlfb: Fix COMPILE_TEST build (git-fixes).
o video: fbdev: fbcvt.c: fix printing in fb_cvt_print_name() (git-fixes).
o video: fbdev: matroxfb: set maxvram of vbG200eW to the same as vbG200 to
avoid black screen (git-fixes).
o video: fbdev: matroxfb: set maxvram of vbG200eW to the same as vbG200 to
avoid black screen (git-fixes).
o video: fbdev: omapfb: Add missing of_node_put() in dvic_probe_of
(git-fixes).
o video: fbdev: smscufx: Fix null-ptr-deref in ufx_usb_probe() (git-fixes).
o VMCI: Fix the description of vmci_check_host_caps() (git-fixes).
o vsprintf: Fix %pK with kptr_restrict == 0 (bsc#1197889).
o wireguard: queueing: use CFI-safe ptr_ring cleanup function (git-fixes).
o wireguard: selftests: rename DEBUG_PI_LIST to DEBUG_PLIST (git-fixes).
o wireguard: socket: free skb in send6 when ipv6 is disabled (git-fixes).
o wireguard: socket: ignore v6 endpoints when ipv6 is disabled (git-fixes).
o x86/cpu: Add hardware-enforced cache coherency as a CPUID feature (bsc#
1178134).
o x86/mm/pat: Do not flush cache if hardware enforces cache coherency across
encryption domains (bsc#1178134).
o x86/speculation: Warn about eIBRS + LFENCE + Unprivileged eBPF + SMT (bsc#
1178134).
o x86/speculation: Warn about Spectre v2 LFENCE mitigation (bsc#1178134).
o xen/usb: do not use gnttab_end_foreign_access() in xenhcd_gnttab_done()
(bsc#1196488, XSA-396).
o xhci: fix garbage USBSTS being logged in some cases (git-fixes).
Special Instructions and Notes:
Please reboot the system after installing this update.
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
o openSUSE Leap 15.3:
zypper in -t patch openSUSE-SLE-15.3-2022-1163=1
o SUSE Linux Enterprise Module for Public Cloud 15-SP3:
zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP3-2022-1163=1
Package List:
o openSUSE Leap 15.3 (noarch):
kernel-devel-azure-5.3.18-150300.38.53.1
kernel-source-azure-5.3.18-150300.38.53.1
o openSUSE Leap 15.3 (x86_64):
cluster-md-kmp-azure-5.3.18-150300.38.53.1
cluster-md-kmp-azure-debuginfo-5.3.18-150300.38.53.1
dlm-kmp-azure-5.3.18-150300.38.53.1
dlm-kmp-azure-debuginfo-5.3.18-150300.38.53.1
gfs2-kmp-azure-5.3.18-150300.38.53.1
gfs2-kmp-azure-debuginfo-5.3.18-150300.38.53.1
kernel-azure-5.3.18-150300.38.53.1
kernel-azure-debuginfo-5.3.18-150300.38.53.1
kernel-azure-debugsource-5.3.18-150300.38.53.1
kernel-azure-devel-5.3.18-150300.38.53.1
kernel-azure-devel-debuginfo-5.3.18-150300.38.53.1
kernel-azure-extra-5.3.18-150300.38.53.1
kernel-azure-extra-debuginfo-5.3.18-150300.38.53.1
kernel-azure-livepatch-devel-5.3.18-150300.38.53.1
kernel-azure-optional-5.3.18-150300.38.53.1
kernel-azure-optional-debuginfo-5.3.18-150300.38.53.1
kernel-syms-azure-5.3.18-150300.38.53.1
kselftests-kmp-azure-5.3.18-150300.38.53.1
kselftests-kmp-azure-debuginfo-5.3.18-150300.38.53.1
ocfs2-kmp-azure-5.3.18-150300.38.53.1
ocfs2-kmp-azure-debuginfo-5.3.18-150300.38.53.1
reiserfs-kmp-azure-5.3.18-150300.38.53.1
reiserfs-kmp-azure-debuginfo-5.3.18-150300.38.53.1
o SUSE Linux Enterprise Module for Public Cloud 15-SP3 (noarch):
kernel-devel-azure-5.3.18-150300.38.53.1
kernel-source-azure-5.3.18-150300.38.53.1
o SUSE Linux Enterprise Module for Public Cloud 15-SP3 (x86_64):
kernel-azure-5.3.18-150300.38.53.1
kernel-azure-debuginfo-5.3.18-150300.38.53.1
kernel-azure-debugsource-5.3.18-150300.38.53.1
kernel-azure-devel-5.3.18-150300.38.53.1
kernel-azure-devel-debuginfo-5.3.18-150300.38.53.1
kernel-syms-azure-5.3.18-150300.38.53.1
References:
o https://www.suse.com/security/cve/CVE-2021-39698.html
o https://www.suse.com/security/cve/CVE-2021-45402.html
o https://www.suse.com/security/cve/CVE-2021-45868.html
o https://www.suse.com/security/cve/CVE-2022-0850.html
o https://www.suse.com/security/cve/CVE-2022-0854.html
o https://www.suse.com/security/cve/CVE-2022-1011.html
o https://www.suse.com/security/cve/CVE-2022-1016.html
o https://www.suse.com/security/cve/CVE-2022-1048.html
o https://www.suse.com/security/cve/CVE-2022-1055.html
o https://www.suse.com/security/cve/CVE-2022-1195.html
o https://www.suse.com/security/cve/CVE-2022-1198.html
o https://www.suse.com/security/cve/CVE-2022-1199.html
o https://www.suse.com/security/cve/CVE-2022-1205.html
o https://www.suse.com/security/cve/CVE-2022-23036.html
o https://www.suse.com/security/cve/CVE-2022-23037.html
o https://www.suse.com/security/cve/CVE-2022-23038.html
o https://www.suse.com/security/cve/CVE-2022-23039.html
o https://www.suse.com/security/cve/CVE-2022-23040.html
o https://www.suse.com/security/cve/CVE-2022-23041.html
o https://www.suse.com/security/cve/CVE-2022-23042.html
o https://www.suse.com/security/cve/CVE-2022-27223.html
o https://www.suse.com/security/cve/CVE-2022-27666.html
o https://www.suse.com/security/cve/CVE-2022-28388.html
o https://www.suse.com/security/cve/CVE-2022-28389.html
o https://www.suse.com/security/cve/CVE-2022-28390.html
o https://bugzilla.suse.com/1065729
o https://bugzilla.suse.com/1156395
o https://bugzilla.suse.com/1175667
o https://bugzilla.suse.com/1177028
o https://bugzilla.suse.com/1178134
o https://bugzilla.suse.com/1179639
o https://bugzilla.suse.com/1180153
o https://bugzilla.suse.com/1189562
o https://bugzilla.suse.com/1194589
o https://bugzilla.suse.com/1194625
o https://bugzilla.suse.com/1194649
o https://bugzilla.suse.com/1194943
o https://bugzilla.suse.com/1195051
o https://bugzilla.suse.com/1195353
o https://bugzilla.suse.com/1195640
o https://bugzilla.suse.com/1195926
o https://bugzilla.suse.com/1196018
o https://bugzilla.suse.com/1196130
o https://bugzilla.suse.com/1196196
o https://bugzilla.suse.com/1196478
o https://bugzilla.suse.com/1196488
o https://bugzilla.suse.com/1196761
o https://bugzilla.suse.com/1196823
o https://bugzilla.suse.com/1196956
o https://bugzilla.suse.com/1197227
o https://bugzilla.suse.com/1197243
o https://bugzilla.suse.com/1197245
o https://bugzilla.suse.com/1197300
o https://bugzilla.suse.com/1197302
o https://bugzilla.suse.com/1197331
o https://bugzilla.suse.com/1197343
o https://bugzilla.suse.com/1197366
o https://bugzilla.suse.com/1197389
o https://bugzilla.suse.com/1197460
o https://bugzilla.suse.com/1197462
o https://bugzilla.suse.com/1197501
o https://bugzilla.suse.com/1197534
o https://bugzilla.suse.com/1197661
o https://bugzilla.suse.com/1197675
o https://bugzilla.suse.com/1197677
o https://bugzilla.suse.com/1197702
o https://bugzilla.suse.com/1197811
o https://bugzilla.suse.com/1197812
o https://bugzilla.suse.com/1197815
o https://bugzilla.suse.com/1197817
o https://bugzilla.suse.com/1197819
o https://bugzilla.suse.com/1197820
o https://bugzilla.suse.com/1197888
o https://bugzilla.suse.com/1197889
o https://bugzilla.suse.com/1197894
o https://bugzilla.suse.com/1198027
o https://bugzilla.suse.com/1198028
o https://bugzilla.suse.com/1198029
o https://bugzilla.suse.com/1198030
o https://bugzilla.suse.com/1198031
o https://bugzilla.suse.com/1198032
o https://bugzilla.suse.com/1198033
o https://bugzilla.suse.com/1198077
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
ESB-2022.1588 - [SUSE] subversion: CVSS (Max): 7.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1588
Security update for subversion
13 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: subversion
Publisher: SUSE
Operating System: SUSE
Resolution: Patch/Upgrade
CVE Names: CVE-2022-24070 CVE-2021-28544
Original Bulletin:
https://www.suse.com/support/update/announcement/2022/suse-su-20221161-1
Comment: CVSS (Max): 7.5 CVE-2022-24070 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVSS Source: SUSE
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
SUSE Security Update: Security update for subversion
______________________________________________________________________________
Announcement ID: SUSE-SU-2022:1161-1
Rating: important
References: #1197939 #1197940
Cross-References: CVE-2021-28544 CVE-2022-24070
Affected Products:
SUSE CaaS Platform 4.0
SUSE Enterprise Storage 6
SUSE Enterprise Storage 7
SUSE Linux Enterprise High Performance Computing 15-ESPOS
SUSE Linux Enterprise High Performance Computing 15-LTSS
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS
SUSE Linux Enterprise Realtime Extension 15-SP2
SUSE Linux Enterprise Server 15-LTSS
SUSE Linux Enterprise Server 15-SP1-BCL
SUSE Linux Enterprise Server 15-SP1-LTSS
SUSE Linux Enterprise Server 15-SP2-BCL
SUSE Linux Enterprise Server 15-SP2-LTSS
SUSE Linux Enterprise Server for SAP 15
SUSE Linux Enterprise Server for SAP 15-SP1
SUSE Linux Enterprise Server for SAP 15-SP2
SUSE Manager Proxy 4.1
SUSE Manager Retail Branch Server 4.1
SUSE Manager Server 4.1
______________________________________________________________________________
An update that fixes two vulnerabilities is now available.
Description:
This update for subversion fixes the following issues:
o CVE-2022-24070: Fixed a memory corruption issue in mod_dav_svn, the
Subversion module for the Apache HTTP server, which a remote attacker could
exploit to cause a denial of service (bsc#1197940).
o CVE-2021-28544: Fixed an information leak issue where Subversion servers
may reveal the original path of files protected by path-based authorization
(bsc#1197939).
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
o SUSE Manager Server 4.1:
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.1-2022-1161=1
o SUSE Manager Retail Branch Server 4.1:
zypper in -t patch
SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.1-2022-1161=1
o SUSE Manager Proxy 4.1:
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.1-2022-1161=1
o SUSE Linux Enterprise Server for SAP 15-SP2:
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2022-1161=1
o SUSE Linux Enterprise Server for SAP 15-SP1:
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2022-1161=1
o SUSE Linux Enterprise Server for SAP 15:
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2022-1161=1
o SUSE Linux Enterprise Server 15-SP2-LTSS:
zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2022-1161=1
o SUSE Linux Enterprise Server 15-SP2-BCL:
zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-BCL-2022-1161=1
o SUSE Linux Enterprise Server 15-SP1-LTSS:
zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2022-1161=1
o SUSE Linux Enterprise Server 15-SP1-BCL:
zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2022-1161=1
o SUSE Linux Enterprise Server 15-LTSS:
zypper in -t patch SUSE-SLE-Product-SLES-15-2022-1161=1
o SUSE Linux Enterprise Realtime Extension 15-SP2:
zypper in -t patch SUSE-SLE-Product-RT-15-SP2-2022-1161=1
o SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS:
zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2022-1161=1
o SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS:
zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-ESPOS-2022-1161=1
o SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:
zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2022-1161=1
o SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:
zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2022-1161=1
o SUSE Linux Enterprise High Performance Computing 15-LTSS:
zypper in -t patch SUSE-SLE-Product-HPC-15-2022-1161=1
o SUSE Linux Enterprise High Performance Computing 15-ESPOS:
zypper in -t patch SUSE-SLE-Product-HPC-15-2022-1161=1
o SUSE Enterprise Storage 7:
zypper in -t patch SUSE-Storage-7-2022-1161=1
o SUSE Enterprise Storage 6:
zypper in -t patch SUSE-Storage-6-2022-1161=1
o SUSE CaaS Platform 4.0:
To install this update, use the SUSE CaaS Platform 'skuba' tool. It will
inform you if it detects new updates and let you then trigger updating of
the complete cluster in a controlled way.
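After running the zypper commands it is worth confirming that the fixed builds are really what the host now carries. The script below is an added example, not code from SUSE or AusCERT: a POSIX shell script that compares installed RPM VERSION-RELEASE strings against the fixed builds in the two package lists (kernel-azure 5.3.18-150300.38.53.1 from the kernel bulletin above, subversion 1.10.6-150000.3.21.1 from this one) and, for the kernel, reports whether the patched build is installed but not yet booted, which is the reason the kernel bulletin asks for a reboot. The version comparison is a simplified rpmvercmp (it does not split mixed segments such as "1a2"), the uname -r layout it relies on is the SUSE VERSION-RELEASE-flavour convention, and the function and variable names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the SUSE or AusCERT bulletins: verify that the
# fixed package builds named in the bulletins are installed, and that the
# patched kernel is the one actually running (the kernel update needs a reboot).
# Fixed VERSION-RELEASE strings are copied from the two package lists.
FIXED_KERNEL_AZURE=5.3.18-150300.38.53.1   # kernel-azure, patch 2022-1163
FIXED_SUBVERSION=1.10.6-150000.3.21.1      # subversion, SUSE-SU-2022:1161-1

# Compare two RPM VERSION-RELEASE strings; prints -1, 0 or 1.
# Simplified rpmvercmp (assumption): split on '.' and '-', compare all-digit
# segments numerically and anything else as a plain string. Real rpm also
# splits mixed segments such as "1a2", which these packages do not use.
rpm_vercmp() {
    av=$(printf '%s' "$1" | sed 's/[.-]/ /g')
    bv=$(printf '%s' "$2" | sed 's/[.-]/ /g')
    while [ -n "$av" ] || [ -n "$bv" ]; do
        a=${av%% *}; if [ "$a" = "$av" ]; then av=''; else av=${av#* }; fi
        b=${bv%% *}; if [ "$b" = "$bv" ]; then bv=''; else bv=${bv#* }; fi
        # A missing segment sorts first, so 1.10 < 1.10.6.
        if [ -z "$a" ]; then printf '%s\n' -1; return 0; fi
        if [ -z "$b" ]; then printf '%s\n' 1; return 0; fi
        case "$a$b" in
            *[!0-9]*)   # at least one non-numeric segment: string order
                if [ "$(expr "$a" \< "$b")" = 1 ]; then printf '%s\n' -1; return 0; fi
                if [ "$(expr "$a" \> "$b")" = 1 ]; then printf '%s\n' 1; return 0; fi ;;
            *)          # both numeric: 10 > 9, unlike a string compare
                if [ "$a" -lt "$b" ]; then printf '%s\n' -1; return 0; fi
                if [ "$a" -gt "$b" ]; then printf '%s\n' 1; return 0; fi ;;
        esac
    done
    printf '%s\n' 0
}

# Exit status 0 if the installed VERSION-RELEASE already carries the fix.
is_patched() { [ "$(rpm_vercmp "$1" "$2")" -ge 0 ]; }

# One word per package: not-installed, vulnerable or patched.
classify() {   # $1 = installed VERSION-RELEASE ('' if absent), $2 = fixed
    if [ -z "$1" ]; then printf 'not-installed\n'
    elif is_patched "$1" "$2"; then printf 'patched\n'
    else printf 'vulnerable\n'; fi
}

# Exit status 0 if the running kernel (uname -r, e.g. 5.3.18-150300.38.53-azure)
# is the given package build. Assumes the SUSE convention that uname -r is
# VERSION-RELEASE-flavour with the package's final rebuild counter (.1) dropped.
kernel_matches() {   # $1 = uname -r, $2 = package VERSION-RELEASE
    base=${1%-*}
    case "$2" in "$base".*|"$base") return 0 ;; *) return 1 ;; esac
}

# Newest installed VERSION-RELEASE of a package (kernels may be multiversion),
# empty if it is not installed. Needs rpm; only used by the report below.
newest_installed() {
    rpm -q "$1" >/dev/null 2>&1 || return 0
    best=''
    for vr in $(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$1"); do
        if [ -z "$best" ] || [ "$(rpm_vercmp "$vr" "$best")" -gt 0 ]; then best=$vr; fi
    done
    printf '%s\n' "$best"
}

report() {   # $1 = package, $2 = fixed VERSION-RELEASE
    inst=$(newest_installed "$1")
    printf '%-13s %-13s installed=%s fixed=%s\n' \
        "$1" "$(classify "$inst" "$2")" "${inst:-none}" "$2"
}

if command -v rpm >/dev/null 2>&1; then   # skipped quietly on non-RPM hosts
    report kernel-azure "$FIXED_KERNEL_AZURE"
    report subversion "$FIXED_SUBVERSION"
    inst=$(newest_installed kernel-azure)
    if [ -n "$inst" ] && is_patched "$inst" "$FIXED_KERNEL_AZURE" \
       && ! kernel_matches "$(uname -r)" "$inst"; then
        printf 'kernel-azure %s is installed but %s is running: reboot required\n' \
            "$inst" "$(uname -r)"
    fi
fi
```

rpm -q needs no privileges, so any user can run the check. "patched" only means the package on disk is new enough; for the kernel the final line is the one that matters, since a vulnerable kernel keeps running until the reboot the kernel bulletin calls for. The same two functions, rpm_vercmp and classify, work for any other SUSE update by swapping in the fixed VERSION-RELEASE from its package list.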
Package List:
o SUSE Manager Server 4.1 (ppc64le s390x x86_64):
subversion-1.10.6-150000.3.21.1
subversion-debuginfo-1.10.6-150000.3.21.1
subversion-debugsource-1.10.6-150000.3.21.1
subversion-devel-1.10.6-150000.3.21.1
subversion-perl-1.10.6-150000.3.21.1
subversion-perl-debuginfo-1.10.6-150000.3.21.1
subversion-python-1.10.6-150000.3.21.1
subversion-python-debuginfo-1.10.6-150000.3.21.1
subversion-server-1.10.6-150000.3.21.1
subversion-server-debuginfo-1.10.6-150000.3.21.1
subversion-tools-1.10.6-150000.3.21.1
subversion-tools-debuginfo-1.10.6-150000.3.21.1
o SUSE Manager Server 4.1 (noarch):
subversion-bash-completion-1.10.6-150000.3.21.1
o SUSE Manager Retail Branch Server 4.1 (x86_64):
subversion-1.10.6-150000.3.21.1
subversion-debuginfo-1.10.6-150000.3.21.1
subversion-debugsource-1.10.6-150000.3.21.1
subversion-devel-1.10.6-150000.3.21.1
subversion-perl-1.10.6-150000.3.21.1
subversion-perl-debuginfo-1.10.6-150000.3.21.1
subversion-python-1.10.6-150000.3.21.1
subversion-python-debuginfo-1.10.6-150000.3.21.1
subversion-server-1.10.6-150000.3.21.1
subversion-server-debuginfo-1.10.6-150000.3.21.1
subversion-tools-1.10.6-150000.3.21.1
subversion-tools-debuginfo-1.10.6-150000.3.21.1
o SUSE Manager Retail Branch Server 4.1 (noarch):
subversion-bash-completion-1.10.6-150000.3.21.1
o SUSE Manager Proxy 4.1 (x86_64):
subversion-1.10.6-150000.3.21.1
subversion-debuginfo-1.10.6-150000.3.21.1
subversion-debugsource-1.10.6-150000.3.21.1
subversion-devel-1.10.6-150000.3.21.1
subversion-perl-1.10.6-150000.3.21.1
subversion-perl-debuginfo-1.10.6-150000.3.21.1
subversion-python-1.10.6-150000.3.21.1
subversion-python-debuginfo-1.10.6-150000.3.21.1
subversion-server-1.10.6-150000.3.21.1
subversion-server-debuginfo-1.10.6-150000.3.21.1
subversion-tools-1.10.6-150000.3.21.1
subversion-tools-debuginfo-1.10.6-150000.3.21.1
o SUSE Manager Proxy 4.1 (noarch):
subversion-bash-completion-1.10.6-150000.3.21.1
o SUSE Linux Enterprise Server for SAP 15-SP2 (ppc64le x86_64):
subversion-1.10.6-150000.3.21.1
subversion-debuginfo-1.10.6-150000.3.21.1
subversion-debugsource-1.10.6-150000.3.21.1
subversion-devel-1.10.6-150000.3.21.1
subversion-perl-1.10.6-150000.3.21.1
subversion-perl-debuginfo-1.10.6-150000.3.21.1
subversion-python-1.10.6-150000.3.21.1
subversion-python-debuginfo-1.10.6-150000.3.21.1
subversion-server-1.10.6-150000.3.21.1
subversion-server-debuginfo-1.10.6-150000.3.21.1
subversion-tools-1.10.6-150000.3.21.1
subversion-tools-debuginfo-1.10.6-150000.3.21.1
o SUSE Linux Enterprise Server for SAP 15-SP2 (noarch):
subversion-bash-completion-1.10.6-150000.3.21.1
o SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64):
subversion-1.10.6-150000.3.21.1
subversion-debuginfo-1.10.6-150000.3.21.1
subversion-debugsource-1.10.6-150000.3.21.1
subversion-devel-1.10.6-150000.3.21.1
subversion-perl-1.10.6-150000.3.21.1
subversion-perl-debuginfo-1.10.6-150000.3.21.1
subversion-python-1.10.6-150000.3.21.1
subversion-python-debuginfo-1.10.6-150000.3.21.1
subversion-server-1.10.6-150000.3.21.1
subversion-server-debuginfo-1.10.6-150000.3.21.1
subversion-tools-1.10.6-150000.3.21.1
subversion-tools-debuginfo-1.10.6-150000.3.21.1
o SUSE Linux Enterprise Server for SAP 15-SP1 (noarch):
subversion-bash-completion-1.10.6-150000.3.21.1
o SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):
subversion-1.10.6-150000.3.21.1
subversion-debuginfo-1.10.6-150000.3.21.1
subversion-debugsource-1.10.6-150000.3.21.1
subversion-devel-1.10.6-150000.3.21.1
subversion-perl-1.10.6-150000.3.21.1
subversion-perl-debuginfo-1.10.6-150000.3.21.1
subversion-python-1.10.6-150000.3.21.1
subversion-python-debuginfo-1.10.6-150000.3.21.1
subversion-server-1.10.6-150000.3.21.1
subversion-server-debuginfo-1.10.6-150000.3.21.1
subversion-tools-1.10.6-150000.3.21.1
subversion-tools-debuginfo-1.10.6-150000.3.21.1
o SUSE Linux Enterprise Server for SAP 15 (noarch):
subversion-bash-completion-1.10.6-150000.3.21.1
o SUSE Linux Enterprise Server 15-SP2-LTSS (aarch64 ppc64le s390x x86_64):
subversion-1.10.6-150000.3.21.1
subversion-debuginfo-1.10.6-150000.3.21.1
subversion-debugsource-1.10.6-150000.3.21.1
subversion-devel-1.10.6-150000.3.21.1
subversion-perl-1.10.6-150000.3.21.1
subversion-perl-debuginfo-1.10.6-150000.3.21.1
subversion-python-1.10.6-150000.3.21.1
subversion-python-debuginfo-1.10.6-150000.3.21.1
subversion-server-1.10.6-150000.3.21.1
subversion-server-debuginfo-1.10.6-150000.3.21.1
subversion-tools-1.10.6-150000.3.21.1
subversion-tools-debuginfo-1.10.6-150000.3.21.1
o SUSE Linux Enterprise Server 15-SP2-LTSS (noarch):
subversion-bash-completion-1.10.6-150000.3.21.1
o SUSE Linux Enterprise Server 15-SP2-BCL (x86_64):
subversion-1.10.6-150000.3.21.1
subversion-debuginfo-1.10.6-150000.3.21.1
subversion-debugsource-1.10.6-150000.3.21.1
subversion-devel-1.10.6-150000.3.21.1
subversion-perl-1.10.6-150000.3.21.1
subversion-perl-debuginfo-1.10.6-150000.3.21.1
subversion-python-1.10.6-150000.3.21.1
subversion-python-debuginfo-1.10.6-150000.3.21.1
subversion-server-1.10.6-150000.3.21.1
subversion-server-debuginfo-1.10.6-150000.3.21.1
subversion-tools-1.10.6-150000.3.21.1
subversion-tools-debuginfo-1.10.6-150000.3.21.1
o SUSE Linux Enterprise Server 15-SP2-BCL (noarch):
subversion-bash-completion-1.10.6-150000.3.21.1
o SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64):
subversion-1.10.6-150000.3.21.1
subversion-debuginfo-1.10.6-150000.3.21.1
subversion-debugsource-1.10.6-150000.3.21.1
subversion-devel-1.10.6-150000.3.21.1
subversion-perl-1.10.6-150000.3.21.1
subversion-perl-debuginfo-1.10.6-150000.3.21.1
subversion-python-1.10.6-150000.3.21.1
subversion-python-debuginfo-1.10.6-150000.3.21.1
subversion-server-1.10.6-150000.3.21.1
subversion-server-debuginfo-1.10.6-150000.3.21.1
subversion-tools-1.10.6-150000.3.21.1
subversion-tools-debuginfo-1.10.6-150000.3.21.1
o SUSE Linux Enterprise Server 15-SP1-LTSS (noarch):
subversion-bash-completion-1.10.6-150000.3.21.1
o SUSE Linux Enterprise Server 15-SP1-BCL (noarch):
subversion-bash-completion-1.10.6-150000.3.21.1
o SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):
subversion-1.10.6-150000.3.21.1
subversion-debuginfo-1.10.6-150000.3.21.1
subversion-debugsource-1.10.6-150000.3.21.1
subversion-devel-1.10.6-150000.3.21.1
subversion-perl-1.10.6-150000.3.21.1
subversion-perl-debuginfo-1.10.6-150000.3.21.1
subversion-python-1.10.6-150000.3.21.1
subversion-python-debuginfo-1.10.6-150000.3.21.1
subversion-server-1.10.6-150000.3.21.1
subversion-server-debuginfo-1.10.6-150000.3.21.1
subversion-tools-1.10.6-150000.3.21.1
subversion-tools-debuginfo-1.10.6-150000.3.21.1
o SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):
subversion-1.10.6-150000.3.21.1
subversion-debuginfo-1.10.6-150000.3.21.1
subversion-debugsource-1.10.6-150000.3.21.1
subversion-devel-1.10.6-150000.3.21.1
subversion-perl-1.10.6-150000.3.21.1
subversion-perl-debuginfo-1.10.6-150000.3.21.1
subversion-python-1.10.6-150000.3.21.1
subversion-python-debuginfo-1.10.6-150000.3.21.1
subversion-server-1.10.6-150000.3.21.1
subversion-server-debuginfo-1.10.6-150000.3.21.1
subversion-tools-1.10.6-150000.3.21.1
subversion-tools-debuginfo-1.10.6-150000.3.21.1
o SUSE Linux Enterprise Server 15-LTSS (noarch):
subversion-bash-completion-1.10.6-150000.3.21.1
o SUSE Linux Enterprise Realtime Extension 15-SP2 (x86_64):
subversion-1.10.6-150000.3.21.1
subversion-debuginfo-1.10.6-150000.3.21.1
subversion-debugsource-1.10.6-150000.3.21.1
subversion-devel-1.10.6-150000.3.21.1
subversion-perl-1.10.6-150000.3.21.1
subversion-perl-debuginfo-1.10.6-150000.3.21.1
subversion-python-1.10.6-150000.3.21.1
subversion-python-debuginfo-1.10.6-150000.3.21.1
subversion-server-1.10.6-150000.3.21.1
subversion-server-debuginfo-1.10.6-150000.3.21.1
subversion-tools-1.10.6-150000.3.21.1
subversion-tools-debuginfo-1.10.6-150000.3.21.1
o SUSE Linux Enterprise Realtime Extension 15-SP2 (noarch):
subversion-bash-completion-1.10.6-150000.3.21.1
o SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (aarch64 x86_64):
subversion-1.10.6-150000.3.21.1
subversion-debuginfo-1.10.6-150000.3.21.1
subversion-debugsource-1.10.6-150000.3.21.1
subversion-devel-1.10.6-150000.3.21.1
subversion-perl-1.10.6-150000.3.21.1
subversion-perl-debuginfo-1.10.6-150000.3.21.1
subversion-python-1.10.6-150000.3.21.1
subversion-python-debuginfo-1.10.6-150000.3.21.1
subversion-server-1.10.6-150000.3.21.1
subversion-server-debuginfo-1.10.6-150000.3.21.1
subversion-tools-1.10.6-150000.3.21.1
subversion-tools-debuginfo-1.10.6-150000.3.21.1
o SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (noarch):
subversion-bash-completion-1.10.6-150000.3.21.1
o SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (aarch64 x86_64):
subversion-1.10.6-150000.3.21.1
subversion-debuginfo-1.10.6-150000.3.21.1
subversion-debugsource-1.10.6-150000.3.21.1
subversion-devel-1.10.6-150000.3.21.1
subversion-perl-1.10.6-150000.3.21.1
subversion-perl-debuginfo-1.10.6-150000.3.21.1
subversion-python-1.10.6-150000.3.21.1
subversion-python-debuginfo-1.10.6-150000.3.21.1
subversion-server-1.10.6-150000.3.21.1
subversion-server-debuginfo-1.10.6-150000.3.21.1
subversion-tools-1.10.6-150000.3.21.1
subversion-tools-debuginfo-1.10.6-150000.3.21.1
o SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (noarch):
subversion-bash-completion-1.10.6-150000.3.21.1
o SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64):
subversion-1.10.6-150000.3.21.1
subversion-debuginfo-1.10.6-150000.3.21.1
subversion-debugsource-1.10.6-150000.3.21.1
subversion-devel-1.10.6-150000.3.21.1
subversion-perl-1.10.6-150000.3.21.1
subversion-perl-debuginfo-1.10.6-150000.3.21.1
subversion-python-1.10.6-150000.3.21.1
subversion-python-debuginfo-1.10.6-150000.3.21.1
subversion-server-1.10.6-150000.3.21.1
subversion-server-debuginfo-1.10.6-150000.3.21.1
subversion-tools-1.10.6-150000.3.21.1
subversion-tools-debuginfo-1.10.6-150000.3.21.1
o SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (noarch):
subversion-bash-completion-1.10.6-150000.3.21.1
o SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64):
subversion-1.10.6-150000.3.21.1
subversion-debuginfo-1.10.6-150000.3.21.1
subversion-debugsource-1.10.6-150000.3.21.1
subversion-devel-1.10.6-150000.3.21.1
subversion-perl-1.10.6-150000.3.21.1
subversion-perl-debuginfo-1.10.6-150000.3.21.1
subversion-python-1.10.6-150000.3.21.1
subversion-python-debuginfo-1.10.6-150000.3.21.1
subversion-server-1.10.6-150000.3.21.1
subversion-server-debuginfo-1.10.6-150000.3.21.1
subversion-tools-1.10.6-150000.3.21.1
subversion-tools-debuginfo-1.10.6-150000.3.21.1
o SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (noarch):
subversion-bash-completion-1.10.6-150000.3.21.1
o SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):
subversion-1.10.6-150000.3.21.1
subversion-debuginfo-1.10.6-150000.3.21.1
subversion-debugsource-1.10.6-150000.3.21.1
subversion-devel-1.10.6-150000.3.21.1
subversion-perl-1.10.6-150000.3.21.1
subversion-perl-debuginfo-1.10.6-150000.3.21.1
subversion-python-1.10.6-150000.3.21.1
subversion-python-debuginfo-1.10.6-150000.3.21.1
subversion-server-1.10.6-150000.3.21.1
subversion-server-debuginfo-1.10.6-150000.3.21.1
subversion-tools-1.10.6-150000.3.21.1
subversion-tools-debuginfo-1.10.6-150000.3.21.1
o SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch):
subversion-bash-completion-1.10.6-150000.3.21.1
o SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):
subversion-1.10.6-150000.3.21.1
subversion-debuginfo-1.10.6-150000.3.21.1
subversion-debugsource-1.10.6-150000.3.21.1
subversion-devel-1.10.6-150000.3.21.1
subversion-perl-1.10.6-150000.3.21.1
subversion-perl-debuginfo-1.10.6-150000.3.21.1
subversion-python-1.10.6-150000.3.21.1
subversion-python-debuginfo-1.10.6-150000.3.21.1
subversion-server-1.10.6-150000.3.21.1
subversion-server-debuginfo-1.10.6-150000.3.21.1
subversion-tools-1.10.6-150000.3.21.1
subversion-tools-debuginfo-1.10.6-150000.3.21.1
o SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch):
subversion-bash-completion-1.10.6-150000.3.21.1
o SUSE Enterprise Storage 7 (aarch64 x86_64):
subversion-1.10.6-150000.3.21.1
subversion-debuginfo-1.10.6-150000.3.21.1
subversion-debugsource-1.10.6-150000.3.21.1
subversion-devel-1.10.6-150000.3.21.1
subversion-perl-1.10.6-150000.3.21.1
subversion-perl-debuginfo-1.10.6-150000.3.21.1
subversion-python-1.10.6-150000.3.21.1
subversion-python-debuginfo-1.10.6-150000.3.21.1
subversion-server-1.10.6-150000.3.21.1
subversion-server-debuginfo-1.10.6-150000.3.21.1
subversion-tools-1.10.6-150000.3.21.1
subversion-tools-debuginfo-1.10.6-150000.3.21.1
o SUSE Enterprise Storage 7 (noarch):
subversion-bash-completion-1.10.6-150000.3.21.1
o SUSE Enterprise Storage 6 (aarch64 x86_64):
subversion-1.10.6-150000.3.21.1
subversion-debuginfo-1.10.6-150000.3.21.1
subversion-debugsource-1.10.6-150000.3.21.1
subversion-devel-1.10.6-150000.3.21.1
subversion-perl-1.10.6-150000.3.21.1
subversion-perl-debuginfo-1.10.6-150000.3.21.1
subversion-python-1.10.6-150000.3.21.1
subversion-python-debuginfo-1.10.6-150000.3.21.1
subversion-server-1.10.6-150000.3.21.1
subversion-server-debuginfo-1.10.6-150000.3.21.1
subversion-tools-1.10.6-150000.3.21.1
subversion-tools-debuginfo-1.10.6-150000.3.21.1
o SUSE Enterprise Storage 6 (noarch):
subversion-bash-completion-1.10.6-150000.3.21.1
o SUSE CaaS Platform 4.0 (x86_64):
subversion-1.10.6-150000.3.21.1
subversion-debuginfo-1.10.6-150000.3.21.1
subversion-debugsource-1.10.6-150000.3.21.1
subversion-devel-1.10.6-150000.3.21.1
subversion-perl-1.10.6-150000.3.21.1
subversion-perl-debuginfo-1.10.6-150000.3.21.1
subversion-python-1.10.6-150000.3.21.1
subversion-python-debuginfo-1.10.6-150000.3.21.1
subversion-server-1.10.6-150000.3.21.1
subversion-server-debuginfo-1.10.6-150000.3.21.1
subversion-tools-1.10.6-150000.3.21.1
subversion-tools-debuginfo-1.10.6-150000.3.21.1
o SUSE CaaS Platform 4.0 (noarch):
subversion-bash-completion-1.10.6-150000.3.21.1
References:
o https://www.suse.com/security/cve/CVE-2021-28544.html
o https://www.suse.com/security/cve/CVE-2022-24070.html
o https://bugzilla.suse.com/1197939
o https://bugzilla.suse.com/1197940
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
ESB-2022.1587 - [SUSE] subversion: CVSS (Max): 7.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1587
Security update for subversion
13 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: subversion
Publisher: SUSE
Operating System: SUSE
Resolution: Patch/Upgrade
CVE Names: CVE-2022-24070 CVE-2021-28544
Original Bulletin:
https://www.suse.com/support/update/announcement/2022/suse-su-20221162-1
Comment: CVSS (Max): 7.5 CVE-2022-24070 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVSS Source: SUSE
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
SUSE Security Update: Security update for subversion
______________________________________________________________________________
Announcement ID: SUSE-SU-2022:1162-1
Rating: important
References: #1197939 #1197940
Cross-References: CVE-2021-28544 CVE-2022-24070
Affected Products:
SUSE Linux Enterprise Desktop 15-SP3
SUSE Linux Enterprise High Performance Computing 15-SP3
SUSE Linux Enterprise Module for Basesystem 15-SP3
SUSE Linux Enterprise Module for Development Tools 15-SP3
SUSE Linux Enterprise Module for Server Applications 15-SP3
SUSE Linux Enterprise Server 15-SP3
SUSE Linux Enterprise Server for SAP Applications 15-SP3
SUSE Manager Proxy 4.2
SUSE Manager Server 4.2
openSUSE Leap 15.3
openSUSE Leap 15.4
______________________________________________________________________________
An update that fixes two vulnerabilities is now available.
Description:
This update for subversion fixes the following issues:
o CVE-2022-24070: Fixed a memory corruption issue in mod_dav_svn as used by
Apache HTTP server. This could be exploited by a remote attacker to cause a
denial of service (bsc#1197940).
o CVE-2021-28544: Fixed an information leak issue where Subversion servers
may reveal the original path of files protected by path-based authorization
(bsc#1197939).
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
o openSUSE Leap 15.4:
zypper in -t patch openSUSE-SLE-15.4-2022-1162=1
o openSUSE Leap 15.3:
zypper in -t patch openSUSE-SLE-15.3-2022-1162=1
o SUSE Linux Enterprise Module for Server Applications 15-SP3:
zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP3-2022-1162=1
o SUSE Linux Enterprise Module for Development Tools 15-SP3:
zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP3-2022-1162=1
o SUSE Linux Enterprise Module for Basesystem 15-SP3:
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2022-1162=1
Package List:
o openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):
subversion-python-ctypes-1.10.6-150300.10.8.1
o openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):
libsvn_auth_gnome_keyring-1-0-1.10.6-150300.10.8.1
libsvn_auth_gnome_keyring-1-0-debuginfo-1.10.6-150300.10.8.1
libsvn_auth_kwallet-1-0-1.10.6-150300.10.8.1
libsvn_auth_kwallet-1-0-debuginfo-1.10.6-150300.10.8.1
subversion-1.10.6-150300.10.8.1
subversion-debuginfo-1.10.6-150300.10.8.1
subversion-debugsource-1.10.6-150300.10.8.1
subversion-devel-1.10.6-150300.10.8.1
subversion-perl-1.10.6-150300.10.8.1
subversion-perl-debuginfo-1.10.6-150300.10.8.1
subversion-python-1.10.6-150300.10.8.1
subversion-python-ctypes-1.10.6-150300.10.8.1
subversion-python-debuginfo-1.10.6-150300.10.8.1
subversion-ruby-1.10.6-150300.10.8.1
subversion-ruby-debuginfo-1.10.6-150300.10.8.1
subversion-server-1.10.6-150300.10.8.1
subversion-server-debuginfo-1.10.6-150300.10.8.1
subversion-tools-1.10.6-150300.10.8.1
subversion-tools-debuginfo-1.10.6-150300.10.8.1
o openSUSE Leap 15.3 (noarch):
subversion-bash-completion-1.10.6-150300.10.8.1
o SUSE Linux Enterprise Module for Server Applications 15-SP3 (aarch64 ppc64le s390x x86_64):
subversion-debuginfo-1.10.6-150300.10.8.1
subversion-debugsource-1.10.6-150300.10.8.1
subversion-server-1.10.6-150300.10.8.1
subversion-server-debuginfo-1.10.6-150300.10.8.1
o SUSE Linux Enterprise Module for Development Tools 15-SP3 (aarch64 ppc64le s390x x86_64):
subversion-debuginfo-1.10.6-150300.10.8.1
subversion-debugsource-1.10.6-150300.10.8.1
subversion-perl-1.10.6-150300.10.8.1
subversion-perl-debuginfo-1.10.6-150300.10.8.1
subversion-python-1.10.6-150300.10.8.1
subversion-python-debuginfo-1.10.6-150300.10.8.1
subversion-tools-1.10.6-150300.10.8.1
subversion-tools-debuginfo-1.10.6-150300.10.8.1
o SUSE Linux Enterprise Module for Development Tools 15-SP3 (noarch):
subversion-bash-completion-1.10.6-150300.10.8.1
o SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64):
subversion-1.10.6-150300.10.8.1
subversion-debuginfo-1.10.6-150300.10.8.1
subversion-debugsource-1.10.6-150300.10.8.1
subversion-devel-1.10.6-150300.10.8.1
References:
o https://www.suse.com/security/cve/CVE-2021-28544.html
o https://www.suse.com/security/cve/CVE-2022-24070.html
o https://bugzilla.suse.com/1197939
o https://bugzilla.suse.com/1197940
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
ESB-2022.1586 - [SUSE] qemu: CVSS (Max): 3.2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1586
Security update for qemu
13 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: qemu
Publisher: SUSE
Operating System: SUSE
Resolution: Patch/Upgrade
CVE Names: CVE-2021-20196 CVE-2021-3930
Original Bulletin:
https://www.suse.com/support/update/announcement/2022/suse-su-20221151-1
Comment: CVSS (Max): 3.2 CVE-2021-3930 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L)
CVSS Source: SUSE
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L
- --------------------------BEGIN INCLUDED TEXT--------------------
SUSE Security Update: Security update for qemu
______________________________________________________________________________
Announcement ID: SUSE-SU-2022:1151-1
Rating: moderate
References: #1181361 #1187529 #1192463 #1192525 #1196737
Cross-References: CVE-2021-20196 CVE-2021-3930
Affected Products:
SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________
An update that solves two vulnerabilities and has three fixes is now available.
Description:
This update for qemu fixes the following issues:
o CVE-2021-20196: Fixed a denial of service in the floppy disk emulator (bsc#1181361).
o CVE-2021-3930: Fixed a potential denial of service in the emulated SCSI
device (bsc#1192525).
Non-security fixes:
o Fixed a kernel data corruption via a long kernel boot cmdline (bsc#1196737).
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
o SUSE Linux Enterprise Server 12-SP5:
zypper in -t patch SUSE-SLE-SERVER-12-SP5-2022-1151=1
Package List:
o SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
qemu-3.1.1.1-63.4
qemu-audio-alsa-3.1.1.1-63.4
qemu-audio-alsa-debuginfo-3.1.1.1-63.4
qemu-audio-oss-3.1.1.1-63.4
qemu-audio-oss-debuginfo-3.1.1.1-63.4
qemu-audio-pa-3.1.1.1-63.4
qemu-audio-pa-debuginfo-3.1.1.1-63.4
qemu-audio-sdl-3.1.1.1-63.4
qemu-audio-sdl-debuginfo-3.1.1.1-63.4
qemu-block-curl-3.1.1.1-63.4
qemu-block-curl-debuginfo-3.1.1.1-63.4
qemu-block-iscsi-3.1.1.1-63.4
qemu-block-iscsi-debuginfo-3.1.1.1-63.4
qemu-block-ssh-3.1.1.1-63.4
qemu-block-ssh-debuginfo-3.1.1.1-63.4
qemu-debugsource-3.1.1.1-63.4
qemu-guest-agent-3.1.1.1-63.4
qemu-guest-agent-debuginfo-3.1.1.1-63.4
qemu-lang-3.1.1.1-63.4
qemu-tools-3.1.1.1-63.4
qemu-tools-debuginfo-3.1.1.1-63.4
qemu-ui-curses-3.1.1.1-63.4
qemu-ui-curses-debuginfo-3.1.1.1-63.4
qemu-ui-gtk-3.1.1.1-63.4
qemu-ui-gtk-debuginfo-3.1.1.1-63.4
qemu-ui-sdl-3.1.1.1-63.4
qemu-ui-sdl-debuginfo-3.1.1.1-63.4
o SUSE Linux Enterprise Server 12-SP5 (aarch64 x86_64):
qemu-block-rbd-3.1.1.1-63.4
qemu-block-rbd-debuginfo-3.1.1.1-63.4
o SUSE Linux Enterprise Server 12-SP5 (s390x x86_64):
qemu-kvm-3.1.1.1-63.4
o SUSE Linux Enterprise Server 12-SP5 (aarch64):
qemu-arm-3.1.1.1-63.4
qemu-arm-debuginfo-3.1.1.1-63.4
o SUSE Linux Enterprise Server 12-SP5 (ppc64le):
qemu-ppc-3.1.1.1-63.4
qemu-ppc-debuginfo-3.1.1.1-63.4
o SUSE Linux Enterprise Server 12-SP5 (noarch):
qemu-ipxe-1.0.0+-63.4
qemu-seabios-1.12.0_0_ga698c89-63.4
qemu-sgabios-8-63.4
qemu-vgabios-1.12.0_0_ga698c89-63.4
o SUSE Linux Enterprise Server 12-SP5 (x86_64):
qemu-x86-3.1.1.1-63.4
o SUSE Linux Enterprise Server 12-SP5 (s390x):
qemu-s390-3.1.1.1-63.4
qemu-s390-debuginfo-3.1.1.1-63.4
References:
o https://www.suse.com/security/cve/CVE-2021-20196.html
o https://www.suse.com/security/cve/CVE-2021-3930.html
o https://bugzilla.suse.com/1181361
o https://bugzilla.suse.com/1187529
o https://bugzilla.suse.com/1192463
o https://bugzilla.suse.com/1192525
o https://bugzilla.suse.com/1196737
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
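Editor's added example, not part of the SUSE or AusCERT bulletins above. The patch instructions in ESB-2022.1587 (subversion, SUSE-SU-2022:1162-1) and ESB-2022.1586 (qemu, SUSE-SU-2022:1151-1) tell you how to install the fix; what a practitioner also wants is a way to confirm, after the fact and across many hosts, that the installed build is at or above the fixed version-release the advisories list. The script below does that with a simplified rpmvercmp written in awk (segment-wise comparison: digit runs numeric, letter runs lexical, digits beat letters, leftover segments win). Assumptions: epoch is ignored and the '~' / '^' ordering rules of real rpmvercmp are not implemented (no package on this page uses them); the FIXED list is taken from the 15-SP3 / Leap 15.3 subversion builds and the 12-SP5 qemu builds on the page, and the SAMPLE_INSTALLED list is constructed, not output from a real system.

```shell
#!/bin/sh
# Added verification helper, not part of the SUSE or AusCERT bulletins.
# Compares installed RPM version-release strings against the fixed builds
# listed in the advisories. Simplified rpmvercmp: no epoch, no '~' / '^'.

# rpm_vercmp A B  ->  prints -1, 0 or 1 (A older, equal, newer than B)
rpm_vercmp() {
    awk -v a="$1" -v b="$2" '
    function segs(s, out,    n) {
        n = 0
        while (match(s, /[0-9]+|[A-Za-z]+/)) {     # split on any non-alphanumeric run
            out[++n] = substr(s, RSTART, RLENGTH)
            s = substr(s, RSTART + RLENGTH)
        }
        return n
    }
    function cmp(x, y,    xd, yd) {
        xd = (x ~ /^[0-9]+$/); yd = (y ~ /^[0-9]+$/)
        if (xd && yd) {
            sub(/^0+/, "", x); sub(/^0+/, "", y)   # numeric: drop leading zeros, longer wins
            if (length(x) != length(y)) return (length(x) > length(y)) ? 1 : -1
        } else if (xd != yd) {
            return xd ? 1 : -1                      # a numeric segment beats an alphabetic one
        }
        if (x == y) return 0
        return (x > y) ? 1 : -1                     # equal-length digits or letters: lexical
    }
    BEGIN {
        na = segs(a, A); nb = segs(b, B)
        n = (na < nb) ? na : nb
        for (i = 1; i <= n; i++) {
            r = cmp(A[i], B[i])
            if (r != 0) { print r; exit }
        }
        r = (na == nb) ? 0 : ((na > nb) ? 1 : -1)   # leftover segments make a build newer
        print r
    }'
}

# is_fixed INSTALLED_VR FIXED_VR -> exit 0 when INSTALLED_VR >= FIXED_VR
# VR is "version-release"; version is compared first, release only on a tie.
is_fixed() {
    iv=${1%-*}; ir=${1##*-}
    fv=${2%-*}; fr=${2##*-}
    c=$(rpm_vercmp "$iv" "$fv")
    if [ "$c" -eq 0 ]; then c=$(rpm_vercmp "$ir" "$fr"); fi
    [ "$c" -ge 0 ]
}

# Fixed builds taken from the two advisories above (SLE 15-SP3 / Leap 15.3 for
# subversion, SLES 12-SP5 for qemu). Older SLE 15 products carry a different
# fixed build (1.10.6-150000.3.21.1), so use the list that matches the product.
FIXED='subversion 1.10.6-150300.10.8.1
subversion-server 1.10.6-150300.10.8.1
qemu 3.1.1.1-63.4
qemu-kvm 3.1.1.1-63.4'

# Constructed sample standing in for the output of
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
# on a partly patched host. Not real output from any system.
SAMPLE_INSTALLED='subversion 1.10.6-150300.10.8.1
subversion-server 1.10.6-150300.10.5.1
qemu 3.1.1.1-63.4
qemu-kvm 3.1.1.1-62.1
bash 4.4-150300.1.1'

# vulnerable_packages INSTALLED_LIST FIXED_LIST
# Prints "NAME INSTALLED FIXED" for every advisory package that is installed
# below its fixed build; packages that are not installed at all are skipped.
vulnerable_packages() {
    printf '%s\n' "$2" | while read -r name fixed; do
        inst=$(printf '%s\n' "$1" | awk -v n="$name" '$1 == n { print $2 }')
        [ -n "$inst" ] || continue
        is_fixed "$inst" "$fixed" || printf '%s %s %s\n' "$name" "$inst" "$fixed"
    done
}

vulnerable_packages "$SAMPLE_INSTALLED" "$FIXED"
# On a real host, replace the sample with the package database:
#   vulnerable_packages "$(rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n')" "$FIXED"
```

Run against the constructed sample, the script reports subversion-server and qemu-kvm as still below the fixed build while subversion and qemu pass; the unrelated bash package is ignored. Releases such as 150300.10.8.1 encode the SUSE product line and rebuild count, which is why the comparison must be per segment rather than a plain string compare, and why a host on 15-SP2-LTSS must be checked against 150000.3.21.1 rather than the 15-SP3 build.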