AusCERT - Security Bulletins

Latest published security bulletins. See https://www.auscert.org.au/rss/ for feed information.

13 April 2022

ASB-2022.0085 - ALERT [Win] Microsoft Windows products: CVSS (Max): 9.8

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                  AUSCERT Security Bulletin ASB-2022.0085
     Microsoft Patch Tuesday update for Microsoft Windows for April 2022
                              13 April 2022
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           HEVC Video Extensions
                   Windows 10, 11, 8.1 and RT 8.1
                   Windows Server
                   Windows Upgrade Assistant
Operating System:  Windows
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-26920 CVE-2022-26919 CVE-2022-26918 CVE-2022-26917
                   CVE-2022-26916 CVE-2022-26915 CVE-2022-26914 CVE-2022-26904
                   CVE-2022-26903 CVE-2022-26831 CVE-2022-26830 CVE-2022-26829
                   CVE-2022-26828 CVE-2022-26827 CVE-2022-26826 CVE-2022-26825
                   CVE-2022-26824 CVE-2022-26823 CVE-2022-26822 CVE-2022-26821
                   CVE-2022-26820 CVE-2022-26819 CVE-2022-26818 CVE-2022-26817
                   CVE-2022-26816 CVE-2022-26815 CVE-2022-26814 CVE-2022-26813
                   CVE-2022-26812 CVE-2022-26811 CVE-2022-26810 CVE-2022-26809
                   CVE-2022-26808 CVE-2022-26807 CVE-2022-26803 CVE-2022-26802
                   CVE-2022-26801 CVE-2022-26798 CVE-2022-26797 CVE-2022-26796
                   CVE-2022-26795 CVE-2022-26794 CVE-2022-26793 CVE-2022-26792
                   CVE-2022-26791 CVE-2022-26790 CVE-2022-26789 CVE-2022-26788
                   CVE-2022-26787 CVE-2022-26786 CVE-2022-26785 CVE-2022-26784
                   CVE-2022-26783 CVE-2022-24550 CVE-2022-24549 CVE-2022-24547
                   CVE-2022-24546 CVE-2022-24545 CVE-2022-24544 CVE-2022-24543
                   CVE-2022-24542 CVE-2022-24541 CVE-2022-24540 CVE-2022-24539
                   CVE-2022-24538 CVE-2022-24537 CVE-2022-24536 CVE-2022-24534
                   CVE-2022-24533 CVE-2022-24532 CVE-2022-24530 CVE-2022-24528
                   CVE-2022-24527 CVE-2022-24521 CVE-2022-24500 CVE-2022-24499
                   CVE-2022-24498 CVE-2022-24496 CVE-2022-24495 CVE-2022-24494
                   CVE-2022-24493 CVE-2022-24492 CVE-2022-24491 CVE-2022-24490
                   CVE-2022-24489 CVE-2022-24488 CVE-2022-24487 CVE-2022-24486
                   CVE-2022-24485 CVE-2022-24484 CVE-2022-24483 CVE-2022-24481
                   CVE-2022-24479 CVE-2022-24474 CVE-2022-23268 CVE-2022-23257
                   CVE-2022-22009 CVE-2022-22008 CVE-2022-21983

Comment: CVSS (Max):  9.8 CVE-2022-26809 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
         CVSS Source: Microsoft
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

OVERVIEW

        Microsoft has released its monthly security patch update for the
        month of April 2022. This update resolves 99 vulnerabilities across
        the following products: [1]

        HEVC Video Extension
        HEVC Video Extensions
        Windows 10
        Windows 11
        Windows 8.1
        Windows RT 8.1
        Windows Server
        Windows Server 2012
        Windows Server 2012 R2
        Windows Server 2016
        Windows Server 2019
        Windows Server 2022
        Windows Upgrade Assistant

IMPACT

        Microsoft has given the following details regarding these
        vulnerabilities.

        Details             Impact                      Severity
        CVE-2022-21983      Remote Code Execution       Important
        CVE-2022-22008      Remote Code Execution       Critical
        CVE-2022-22009      Remote Code Execution       Important
        CVE-2022-23257      Remote Code Execution       Critical
        CVE-2022-23268      Denial of Service           Important
        CVE-2022-24474      Elevation of Privilege      Important
        CVE-2022-24479      Elevation of Privilege      Important
        CVE-2022-24481      Elevation of Privilege      Important
        CVE-2022-24483      Information Disclosure      Important
        CVE-2022-24484      Denial of Service           Important
        CVE-2022-24485      Remote Code Execution       Important
        CVE-2022-24486      Elevation of Privilege      Important
        CVE-2022-24487      Remote Code Execution       Important
        CVE-2022-24488      Elevation of Privilege      Important
        CVE-2022-24489      Elevation of Privilege      Important
        CVE-2022-24490      Information Disclosure      Important
        CVE-2022-24491      Remote Code Execution       Critical
        CVE-2022-24492      Remote Code Execution       Important
        CVE-2022-24493      Information Disclosure      Important
        CVE-2022-24494      Elevation of Privilege      Important
        CVE-2022-24495      Remote Code Execution       Important
        CVE-2022-24496      Elevation of Privilege      Important
        CVE-2022-24498      Information Disclosure      Important
        CVE-2022-24499      Elevation of Privilege      Important
        CVE-2022-24500      Remote Code Execution       Critical
        CVE-2022-24521      Elevation of Privilege      Important
        CVE-2022-24527      Elevation of Privilege      Important
        CVE-2022-24528      Remote Code Execution       Important
        CVE-2022-24530      Elevation of Privilege      Important
        CVE-2022-24532      Remote Code Execution       Important
        CVE-2022-24533      Remote Code Execution       Important
        CVE-2022-24534      Remote Code Execution       Important
        CVE-2022-24536      Remote Code Execution       Important
        CVE-2022-24537      Remote Code Execution       Critical
        CVE-2022-24538      Denial of Service           Important
        CVE-2022-24539      Information Disclosure      Important
        CVE-2022-24540      Elevation of Privilege      Important
        CVE-2022-24541      Remote Code Execution       Critical
        CVE-2022-24542      Elevation of Privilege      Important
        CVE-2022-24543      Remote Code Execution       Important
        CVE-2022-24544      Elevation of Privilege      Important
        CVE-2022-24545      Remote Code Execution       Important
        CVE-2022-24546      Elevation of Privilege      Important
        CVE-2022-24547      Elevation of Privilege      Important
        CVE-2022-24549      Elevation of Privilege      Important
        CVE-2022-24550      Elevation of Privilege      Important
        CVE-2022-26783      Information Disclosure      Important
        CVE-2022-26784      Denial of Service           Important
        CVE-2022-26785      Information Disclosure      Important
        CVE-2022-26786      Elevation of Privilege      Important
        CVE-2022-26787      Elevation of Privilege      Important
        CVE-2022-26788      Elevation of Privilege      Important
        CVE-2022-26789      Elevation of Privilege      Important
        CVE-2022-26790      Elevation of Privilege      Important
        CVE-2022-26791      Elevation of Privilege      Important
        CVE-2022-26792      Elevation of Privilege      Important
        CVE-2022-26793      Elevation of Privilege      Important
        CVE-2022-26794      Elevation of Privilege      Important
        CVE-2022-26795      Elevation of Privilege      Important
        CVE-2022-26796      Elevation of Privilege      Important
        CVE-2022-26797      Elevation of Privilege      Important
        CVE-2022-26798      Elevation of Privilege      Important
        CVE-2022-26801      Elevation of Privilege      Important
        CVE-2022-26802      Elevation of Privilege      Important
        CVE-2022-26803      Elevation of Privilege      Important
        CVE-2022-26807      Elevation of Privilege      Important
        CVE-2022-26808      Elevation of Privilege      Important
        CVE-2022-26809      Remote Code Execution       Critical
        CVE-2022-26810      Elevation of Privilege      Important
        CVE-2022-26811      Remote Code Execution       Important
        CVE-2022-26812      Remote Code Execution       Important
        CVE-2022-26813      Remote Code Execution       Important
        CVE-2022-26814      Remote Code Execution       Important
        CVE-2022-26815      Remote Code Execution       Important
        CVE-2022-26816      Information Disclosure      Important
        CVE-2022-26817      Remote Code Execution       Important
        CVE-2022-26818      Remote Code Execution       Important
        CVE-2022-26819      Remote Code Execution       Important
        CVE-2022-26820      Remote Code Execution       Important
        CVE-2022-26821      Remote Code Execution       Important
        CVE-2022-26822      Remote Code Execution       Important
        CVE-2022-26823      Remote Code Execution       Important
        CVE-2022-26824      Remote Code Execution       Important
        CVE-2022-26825      Remote Code Execution       Important
        CVE-2022-26826      Remote Code Execution       Important
        CVE-2022-26827      Elevation of Privilege      Important
        CVE-2022-26828      Elevation of Privilege      Important
        CVE-2022-26829      Remote Code Execution       Important
        CVE-2022-26830      Remote Code Execution       Important
        CVE-2022-26831      Denial of Service           Important
        CVE-2022-26903      Remote Code Execution       Important
        CVE-2022-26904      Elevation of Privilege      Important
        CVE-2022-26914      Elevation of Privilege      Important
        CVE-2022-26915      Denial of Service           Important
        CVE-2022-26916      Remote Code Execution       Important
        CVE-2022-26917      Remote Code Execution       Important
        CVE-2022-26918      Remote Code Execution       Important
        CVE-2022-26919      Remote Code Execution       Critical
        CVE-2022-26920      Information Disclosure      Important

MITIGATION

        Microsoft recommends updating the software with the version made
        available on the Microsoft Update Catalogue for the following
        Knowledge Base articles. [1]

        KB5012591, KB5012592, KB5012596, KB5012599, KB5012604
        KB5012639, KB5012647, KB5012650, KB5012653, KB5012666
        KB5012670

REFERENCES

        [1] Microsoft Security Update Guidance
            https://portal.msrc.microsoft.com/en-us/security-guidance

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYlYno+NLKJtyKPYoAQi9uRAAmfOZNlODRV2489+BxHGdyytkuyIfKx+S
cizoe5YodcPhasmT6dQpZ91ZPNhHsuxw4Xl4eU9K+nhcoFW49BOc5tKaX4X4UNtE
PMQQvbDZfaBSwvkTa6UaGNFQIxTGu73IIFV0/Klk1HCv9RtTpFAln0aEwgNwgc0U
CKJ2iTkESSfvZED9/JQfzQiuG7CRY+6deUZKHXZJeJJcyqR+rCkbr1DFDwMVtA+M
TtMMgFyhBDwYCaEjjkriPyisluv33YvdWIBwHzc1j0a2mf5pKFRA/gK1iP3xJ5lm
CAzzMrV7TDJ5wl05K4ifbAR955gL7YlpwS2oImgJbpkzVUxdDGcbGpN7+F2GKLm/
KrLkz3tvPRCzSemBLaeqkTeWho8VY4EItiy9EKFbyc9U9/vcDAoJsbKmeAk3IKjB
ZSMDs5o3TmOi5AGG8ZbQnP97OicQYAjDR7peIlwW/93yPx7FV2yvjkzUVYIlDtZI
CZj+8lJzupbehvc+fm6e8x3RR8BNoD8w0L/xLpPWeED55XoAhm1y+dALv8+ZYbTi
uQbicHPbnDPqPnWdu+yfeohUR3GtA0InOvn2U/dsIuuyu9Nz2+x6haBqIz61Tm+f
kI1FB06GVEVectu3oGYAaRNquYzVp0iE3Ui8uNyxiAtdO9uZOMG1TNNA/uQ9NSDU
LRvAI/QphyI=
=QoD4
-----END PGP SIGNATURE-----
13 April 2022

ASB-2022.0084 - [Win] Microsoft Malware Protection Engine: CVSS (Max): 5.5

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                  AUSCERT Security Bulletin ASB-2022.0084
  Microsoft Patch Tuesday update for Microsoft System Center for April 2022
                              13 April 2022
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Microsoft Malware Protection Engine
Operating System:  Windows
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-24548

Comment: CVSS (Max):  5.5 CVE-2022-24548 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
         CVSS Source: Microsoft
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C

OVERVIEW

        Microsoft has released its monthly security patch update for the
        month of April 2022. This update resolves 1 vulnerability in the
        following product: [1]

        Microsoft Malware Protection Engine

IMPACT

        Microsoft has given the following details regarding this
        vulnerability.

        Details             Impact                      Severity
        CVE-2022-24548      Denial of Service           Important

MITIGATION

        Microsoft recommends updating the software to the latest version
        available on the Microsoft Update Catalog. [1]

REFERENCES

        [1] Microsoft Security Update Guidance
            https://portal.msrc.microsoft.com/en-us/security-guidance

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYlYnmuNLKJtyKPYoAQg2VA//fEN/aYNWR48OSIsXqy9Am/L03HqMBLDg
QJ6Z79FjjKap1rnU5gXDEzWYRUYtxiK+77rjuG8cMnzGeXIapHBOafDe4if6IGQE
PfR2S1Q54Nj1KtA9vmUNQHkK4/Q+07w6ING1OqayKgcOgs/Mx7mSsQoPE77qKrUI
RP7JaABIbq+NU0SK6WCeS9AMrEV9eex8U5vZaINFXBU20lvw4hXiGloCZeC7u9N0
jKetJVx7KC0+/0ohBNTmJe6T1cIiCNYcbjaTMKdTbUEdgiUOoCpxhltzlBhGIb6/
2apcdFLBJF2FQVskVHDEISdsKkcGWdxe6TLzw76MhE3tkb64faG7EtF5N5vyRqRb
4aS9gf+Ef718LAa4q/+8oGp6fYcumApyUB7vlj4K4Bg8yRk//oJ+fBmzRo9q+SoY
VGnYUgnwQlyTaLCqm79gf8MFEY82JpKuBnbsQoQBMhfOwCyIMtKbOm4VaXkVL+Xs
GvZOQvvEIRu/luZLj1hHXWVC8LOySGhLI3tEPlsLyh0qP53sA8gcHGisc6c6bnoO
KKMz0Q7tsZ5j/x/2pwzrr8SWcK4cF7Fx8UlUoxJXzr0Iw9TdzZgbf0Q68hV4TCJL
jRQas4/TO9TIzCO980vHWozFz8GJls0hfifjoKO5mAbFTfqdyflltie/HTrddVec
7gXgWIJAtgw=
=nPGl
-----END PGP SIGNATURE-----
13 April 2022

ASB-2022.0083 - [Win] Microsoft On-Premises Data Gateway: CVSS (Max): 5.9

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                  AUSCERT Security Bulletin ASB-2022.0083
    Microsoft Patch Tuesday update for Microsoft SQL Server for April 2022
                              13 April 2022
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Microsoft On-Premises Data Gateway
Operating System:  Windows
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-23292

Comment: CVSS (Max):  5.9 CVE-2022-23292 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L/E:U/RL:O/RC:C)
         CVSS Source: Microsoft
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L/E:U/RL:O/RC:C

OVERVIEW

        Microsoft has released its monthly security patch update for the
        month of April 2022. This update resolves 1 vulnerability in the
        following product: [1]

        Microsoft On-Premises Data Gateway

IMPACT

        Microsoft has given the following details regarding this
        vulnerability.

        Details             Impact                      Severity
        CVE-2022-23292      Spoofing                    Important

MITIGATION

        Microsoft recommends updating the software to the latest version
        available on the Microsoft Update Catalog. [1]

REFERENCES

        [1] Microsoft Security Update Guidance
            https://portal.msrc.microsoft.com/en-us/security-guidance

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYlYniuNLKJtyKPYoAQh+hg/+PH4MYXrkeIVWwB9ZAsNZ9N9fX6pRsYoc
hQkyS/T311mt/9BX7fswGYtXZfZAB1ANQ9xeUk7J4IDhQ2DTtZQbK/jdrpbu3TDs
bktLjMoCJujZ/iWZ7f52Br1OH+b/hvMFbFRUdRgLgfPWt5ANqSSTLj3NB3QAY+Rr
tYOZKLRx4UqGg2C/C9IyPMIhiJGbMS6v9Edy/0ISxTVtjsUX+W2ZftJAV6mA9SrS
mCdPJNCw/EwHofQxBjPltXgJSTpGIfhlpRW5/6yZTEoRAsZY/c1oOkfQ+4Q5UAk5
WcNI0vz1mg9sFijnN+bQERfAI4X8wmpR06wnMS2yBZ6y3oCBd2/H2WFmwYQnHZVQ
betaZPJRgF1nEKcyJw2pims5BjpRCC2QS+xJvoGHpdqihhox8LKm4u09bfJI6UGP
WutQ7YQyakGGenYWJyJtmSfXgc5z+5rNsck+B7PzDcV8nX+DMLBsBGbB13+mx57v
LuALH2d6/Z+AV/j5A7/kO6VlkLi6HId55VZxg9V3IKWGHkY7wsdca/tPIjGdbNdY
FRJRsT7VsEkSNNc0WhKlqt4UEXKBAejJNqoqRQAAk9V9huCaswsUkxUwMDxtpruP
JI8dAmPq73GnqnwYlzgwEtJajA5aFXVHbhL91HWWQ9xDlIdKe11IRsAiQy7QyXcj
V3bq3iUwtdA=
=jiDU
-----END PGP SIGNATURE-----
13 April 2022

ASB-2022.0082 - [Win] Microsoft Office, Office Services and Web Apps: CVSS (Max): 8.0

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                  AUSCERT Security Bulletin ASB-2022.0082
        Microsoft Patch Tuesday update for Microsoft Office, Office
                  Services and Web Apps for April 2022
                              13 April 2022
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           365 Apps for Enterprise
                   Microsoft Excel
                   Microsoft Lync Server 2013 CU10
                   Microsoft Office
                   Microsoft SharePoint
                   Skype for Business Server
Operating System:  Windows
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-26911 CVE-2022-26910 CVE-2022-26901 CVE-2022-24473
                   CVE-2022-24472

Comment: CVSS (Max):  8.0 CVE-2022-24472 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
         CVSS Source: Microsoft
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

OVERVIEW

        Microsoft has released its monthly security patch update for the
        month of April 2022. This update resolves 5 vulnerabilities across
        the following products: [1]

        Microsoft 365 Apps for Enterprise for 32-bit Systems
        Microsoft 365 Apps for Enterprise for 64-bit Systems
        Microsoft Excel 2013 RT Service Pack 1
        Microsoft Excel 2013 Service Pack 1 (32-bit editions)
        Microsoft Excel 2013 Service Pack 1 (64-bit editions)
        Microsoft Excel 2016 (32-bit edition)
        Microsoft Excel 2016 (64-bit edition)
        Microsoft Lync Server 2013 CU10
        Microsoft Office 2013 RT Service Pack 1
        Microsoft Office 2013 Service Pack 1 (32-bit editions)
        Microsoft Office 2013 Service Pack 1 (64-bit editions)
        Microsoft Office 2016 (32-bit edition)
        Microsoft Office 2016 (64-bit edition)
        Microsoft Office 2019 for 32-bit editions
        Microsoft Office 2019 for 64-bit editions
        Microsoft Office 2019 for Mac
        Microsoft Office LTSC 2021 for 32-bit editions
        Microsoft Office LTSC 2021 for 64-bit editions
        Microsoft Office LTSC for Mac 2021
        Microsoft Office Online Server
        Microsoft Office Web Apps Server 2013 Service Pack 1
        Microsoft SharePoint Enterprise Server 2016
        Microsoft SharePoint Foundation 2013 Service Pack 1
        Microsoft SharePoint Server 2016
        Microsoft SharePoint Server 2019
        Microsoft SharePoint Server Subscription Edition
        Skype for Business Server 2015 CU12
        Skype for Business Server 2019 CU6

IMPACT

        Microsoft has given the following details regarding these
        vulnerabilities.

        Details             Impact                      Severity
        CVE-2022-24472      Spoofing                    Important
        CVE-2022-24473      Remote Code Execution       Important
        CVE-2022-26901      Remote Code Execution       Important
        CVE-2022-26910      Spoofing                    Important
        CVE-2022-26911      Information Disclosure      Important

MITIGATION

        Microsoft recommends updating the software with the version made
        available on the Microsoft Update Catalogue for the following
        Knowledge Base articles. [1]

        KB5002143, KB5002148, KB5002162, KB5002169, KB5002175
        KB5002177, KB5002180, KB5002183, KB5002189, KB5002191
        KB5012681, KB5012686

REFERENCES

        [1] Microsoft Security Update Guidance
            https://portal.msrc.microsoft.com/en-us/security-guidance

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYlYngONLKJtyKPYoAQjfTQ/7BYRi/zVvdzvM0a3NgKrn8o1HlkgDOifT
CSfpC54piKFLQPuggbyN7EaygtDa6votF0Wm26vDXf3sBGQNZshu2vV+ttTcy75g
ECLUvzRykXQfCWpXWY81m/ERsqcxUIdyNYKc8g7D+qjZSSadwWBEqgXqPM2Q4xhM
3Mui6EwRmohjgPja8GW0d8DP2gaZ6jnHtQhpx8tvlNs7dSqHzn+xd+sEqOrDKqAD
bSqwpyhYJFv2jXbND26byMjVbHlmjliaOjjkl+dgllIZI32fYovnIBLbt9bBptZo
9D2+vMnlk0lRx2iKC79nvb5WJgjNJFunfratJJ8mOJIxSlwQPG4aQ2YRBDmNgZu+
hoPDkCWCP/myrEdIZyomZihjuvkNtBj95+enHKDmIMEQ+YvfYCSORN4yFlUPGFm5
swENg2RY5lWl5tXHYHJMZC5t/YXtF/AopDhR7PtuByWkU7DkpK271nLdSbShsiZD
e5ATn+A0l9IlO05qBPots0Tn9fIXonUwPhQMBRMZEPNr8Hj3CESV7eeJBd6rV+PU
CEOI6V0lDCVHxNHE2SIx0kTpaC0nqhJY4WDWPrNykyqTWJ71/HKj4FcmxkvY8Cw0
qzztpHDVmNvWWByG6iJMtWD5jGTQumbOozXQslLDBlmnALInxObC3WtiVcOoTKTA
FYorGF2eFw0=
=LLVM
-----END PGP SIGNATURE-----
13 April 2022

ASB-2022.0081 - ALERT [Win] Microsoft Dynamics 365 (on-premises): CVSS (Max): 8.8

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                  AUSCERT Security Bulletin ASB-2022.0081
     Microsoft Patch Tuesday update for Microsoft Dynamics for April 2022
                              13 April 2022
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Microsoft Dynamics 365 (on-premises)
Operating System:  Windows
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-23259

Comment: CVSS (Max):  8.8 CVE-2022-23259 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
         CVSS Source: Microsoft
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

OVERVIEW

        Microsoft has released its monthly security patch update for the
        month of April 2022. This update resolves 1 vulnerability across
        the following products: [1]

        Microsoft Dynamics 365 (on-premises) version 9.0
        Microsoft Dynamics 365 (on-premises) version 9.1

IMPACT

        Microsoft has given the following details regarding this
        vulnerability.

        Details             Impact                      Severity
        CVE-2022-23259      Remote Code Execution       Critical

MITIGATION

        Microsoft recommends updating the software with the version made
        available on the Microsoft Update Catalogue for the following
        Knowledge Base articles. [1]

        KB5012731, KB5012732

REFERENCES

        [1] Microsoft Security Update Guidance
            https://portal.msrc.microsoft.com/en-us/security-guidance

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYlYnaONLKJtyKPYoAQifkQ/+Kd4DQZMCRRvG77V7fq7RdAsTmhewKXf3
5VyhXkWXbWv1P0X5sjXFSeWjJSFs3A4X+wyMgq4THgZNSTxBbYES9tyoaJV9HJk5
LkEeACJBo4bgu+jkk0fZFiwGsW98mtV9MKK/oiSyRj768Awr2Rm3Qsx4FMWGsSJi
PN7H8T2vM5COy+VUjg2DcimiJ2d++J7OgXINRDA8RVBRPNP6k9Blx7gQsNUEwflC
RfL92jYsUIDN+u33OZj5+/QT06nEDbZgTWCH7d5xsneg1+HAkfMDc4TWpEjF/0jc
JswF3eBxu6rbiB0MZpVYBU9ZoOXTWJHHTqAhWJXYL041whB7eTawaAq7v4FalgDo
pLSV4r1AzZ1ZWubvgIz3WhkUGqSMF2tyq+YnwzUxCdcqbBj7f2xwvGi/cksFncGb
+LvZMN5A597j9WQP1/k2SUX9TfMi06BwqkgNH12Vi5+G9qJZBXr7wKTF0Rn6pn4q
T+R4DD9cF4Q1DrVuraM1wppRG0RFuceDoUhBtFBMLFzGTdnqqg7cNlJTClZ+qcoG
c7Qltc5MdceZTf9oU1FW8Q8YEY5Trf/8sk6X7u+qLhVonvtnEzqZMlozX7i+LmsE
6l9CfnOjAvayUbIVL3l2NZMDpCYv8ZpZqAI4z8xK/Fz4F31B73CAXS2liEH79pTF
mXBy9nQtJ9o=
=thr/
-----END PGP SIGNATURE-----
13 April 2022

ASB-2022.0080 - ALERT [Win] Windows 7 and Server 2008: CVSS (Max): 9.8

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                  AUSCERT Security Bulletin ASB-2022.0080
       Microsoft Patch Tuesday update for Microsoft Extended Security
                     Update Products for April 2022
                              13 April 2022
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Windows 7
                   Windows Server 2008
Operating System:  Windows
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-26919 CVE-2022-26918 CVE-2022-26917 CVE-2022-26916
                   CVE-2022-26915 CVE-2022-26904 CVE-2022-26903 CVE-2022-26831
                   CVE-2022-26829 CVE-2022-26827 CVE-2022-26822 CVE-2022-26821
                   CVE-2022-26820 CVE-2022-26819 CVE-2022-26815 CVE-2022-26813
                   CVE-2022-26812 CVE-2022-26810 CVE-2022-26809 CVE-2022-26807
                   CVE-2022-26803 CVE-2022-26802 CVE-2022-26801 CVE-2022-26798
                   CVE-2022-26797 CVE-2022-26796 CVE-2022-26794 CVE-2022-26792
                   CVE-2022-26790 CVE-2022-26787 CVE-2022-24544 CVE-2022-24542
                   CVE-2022-24541 CVE-2022-24540 CVE-2022-24536 CVE-2022-24534
                   CVE-2022-24533 CVE-2022-24530 CVE-2022-24528 CVE-2022-24527
                   CVE-2022-24521 CVE-2022-24500 CVE-2022-24499 CVE-2022-24498
                   CVE-2022-24494 CVE-2022-24493 CVE-2022-24492 CVE-2022-24485
                   CVE-2022-24481 CVE-2022-24474 CVE-2022-21983

Comment: CVSS (Max):  9.8 CVE-2022-26809 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
         CVSS Source: Microsoft
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

OVERVIEW

        Microsoft has released its monthly security patch update for the
        month of April 2022. This update resolves 51 vulnerabilities across
        the following products: [1]

        Windows 7 for 32-bit Systems Service Pack 1
        Windows 7 for x64-based Systems Service Pack 1
        Windows Server 2008 R2 for x64-based Systems Service Pack 1
        Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
        Windows Server 2008 for 32-bit Systems Service Pack 2
        Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
        Windows Server 2008 for x64-based Systems Service Pack 2
        Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)

IMPACT

        Microsoft has given the following details regarding these
        vulnerabilities.

        Details             Impact                      Severity
        CVE-2022-21983      Remote Code Execution       Important
        CVE-2022-24474      Elevation of Privilege      Important
        CVE-2022-24481      Elevation of Privilege      Important
        CVE-2022-24485      Remote Code Execution       Important
        CVE-2022-24492      Remote Code Execution       Important
        CVE-2022-24493      Information Disclosure      Important
        CVE-2022-24494      Elevation of Privilege      Important
        CVE-2022-24498      Information Disclosure      Important
        CVE-2022-24499      Elevation of Privilege      Important
        CVE-2022-24500      Remote Code Execution       Critical
        CVE-2022-24521      Elevation of Privilege      Important
        CVE-2022-24527      Elevation of Privilege      Important
        CVE-2022-24528      Remote Code Execution       Important
        CVE-2022-24530      Elevation of Privilege      Important
        CVE-2022-24533      Remote Code Execution       Important
        CVE-2022-24534      Remote Code Execution       Important
        CVE-2022-24536      Remote Code Execution       Important
        CVE-2022-24540      Elevation of Privilege      Important
        CVE-2022-24541      Remote Code Execution       Critical
        CVE-2022-24542      Elevation of Privilege      Important
        CVE-2022-24544      Elevation of Privilege      Important
        CVE-2022-26787      Elevation of Privilege      Important
        CVE-2022-26790      Elevation of Privilege      Important
        CVE-2022-26792      Elevation of Privilege      Important
        CVE-2022-26794      Elevation of Privilege      Important
        CVE-2022-26796      Elevation of Privilege      Important
        CVE-2022-26797      Elevation of Privilege      Important
        CVE-2022-26798      Elevation of Privilege      Important
        CVE-2022-26801      Elevation of Privilege      Important
        CVE-2022-26802      Elevation of Privilege      Important
        CVE-2022-26803      Elevation of Privilege      Important
        CVE-2022-26807      Elevation of Privilege      Important
        CVE-2022-26809      Remote Code Execution       Critical
        CVE-2022-26810      Elevation of Privilege      Important
        CVE-2022-26812      Remote Code Execution       Important
        CVE-2022-26813      Remote Code Execution       Important
        CVE-2022-26815      Remote Code Execution       Important
        CVE-2022-26819      Remote Code Execution       Important
        CVE-2022-26820      Remote Code Execution       Important
        CVE-2022-26821      Remote Code Execution       Important
        CVE-2022-26822      Remote Code Execution       Important
        CVE-2022-26827      Elevation of Privilege      Important
        CVE-2022-26829      Remote Code Execution       Important
        CVE-2022-26831      Denial of Service           Important
        CVE-2022-26903      Remote Code Execution       Important
        CVE-2022-26904      Elevation of Privilege      Important
        CVE-2022-26915      Denial of Service           Important
        CVE-2022-26916      Remote Code Execution       Important
        CVE-2022-26917      Remote Code Execution       Important
        CVE-2022-26918      Remote Code Execution       Important
        CVE-2022-26919      Remote Code Execution       Critical

MITIGATION

        Microsoft recommends updating the software with the version made
        available on the Microsoft Update Catalogue for the following
        Knowledge Base articles. [1]

        KB5011529, KB5011552, KB5012626, KB5012632, KB5012649
        KB5012658

REFERENCES

        [1] Microsoft Security Update Guidance
            https://portal.msrc.microsoft.com/en-us/security-guidance

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYlYm5ONLKJtyKPYoAQiBbw/8D/JUK5Y6xzUw2hzx+pF4eQlzpAu2S0lw
9KGgz3FvTXUO0COn3Pu31LVL+H8kEJnky3OmiEgPk3/tVP/lkCJu0MjbS+CBa2en
Y8Y66rA2jnwMNkg+VpqChpZifIJ478LB1II7D2aUmdGWiFb+xAyGsBN7LAwDHpRr
8FX2ZDmaKdLkYfpRTWwlqUNXuKOXR0APzfxio21yQK7hJVhmNxHUbxoHgK2ZPhMi
P2Tu/nS8jnNI0Nsu9zJR1m9kvGv0kq2D9M1WuaFLZOnj1KZ4DWZThsSGbDvnjFp7
gK6XQBYEPHRk1nqP0sUoJ0MD8GQUgwSlsZMo4Zaq6XPH5qGPBinLn1QeXhqv0zXp
tBxnNB0KDd8PNgmcGXgxBnf6iicFvNsy6vmscxXNNkpcl3aMko2Th+wrUTOJmlcw
FVvn0bWAEmM0LI6kbDIVDO2jMz97AQvOVKbX8tbx2gizoNAaWJm/QYqoKA5Q6DdL
aCkn9E7o3IwjLcILt6Cbg+mCcuhCQQ9ojscrfZrIBIM1YEU/CBt2YnIB7aKjasKP
/8tiRd4zZnIfRYQeV/1l+7/ZAXWkOsX6MLdPkMX9J3OnMdBaOPA0TvAbIdjB5yXR
Kw5eQX6tSW1C0BBMYNXxDSPnoo6PZQ/3BoXTJBMc8YLTOp1w4g1DUD1lnEBs7016
rU2IM51QsOY=
=0GUj
-----END PGP SIGNATURE-----
13 April 2022

ASB-2022.0079 - [Win][Mac] Developer Tools: CVSS (Max): 7.8*

===========================================================================
             AUSCERT Security Bulletin

                         ASB-2022.0079
   Microsoft Patch Tuesday update for Microsoft Developer Tools for April 2022
                           13 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Microsoft .NET Framework
                   Microsoft Visual Studio
                   YARP
Operating System:  Windows
                   macOS
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-26924 CVE-2022-26921 CVE-2022-26832
                   CVE-2022-24767 CVE-2022-24765 CVE-2022-24513

Comment: CVSS (Max):  7.8* CVE-2022-24513 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
         CVSS Source: Microsoft
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

OVERVIEW

        Microsoft has released its monthly security patch update for the
        month of April 2022. This update resolves 6 vulnerabilities across
        the following products: [1]

        Microsoft .NET Framework 2.0 Service Pack 2
        Microsoft .NET Framework 3.0 Service Pack 2
        Microsoft .NET Framework 3.5
        Microsoft .NET Framework 3.5 AND 4.7.2
        Microsoft .NET Framework 3.5 AND 4.8
        Microsoft .NET Framework 3.5.1
        Microsoft .NET Framework 4.5.2
        Microsoft .NET Framework 4.6
        Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2
        Microsoft .NET Framework 4.8
        Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)
        Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10)
        Microsoft Visual Studio 2019 version 16.7 (includes 16.0 - 16.6)
        Microsoft Visual Studio 2019 version 16.9 (includes 16.0 - 16.8)
        Microsoft Visual Studio 2022 version 17.0
        Microsoft Visual Studio 2022 version 17.1
        Visual Studio 2019 for Mac version 8.10
        Visual Studio Code
        YARP 1.0
        YARP 1.1RC

IMPACT

        Microsoft has given the following details regarding these
        vulnerabilities.

        Details           Impact                    Severity
        CVE-2022-24513    Elevation of Privilege    Important
        CVE-2022-24765    Elevation of Privilege    Important
        CVE-2022-24767    Elevation of Privilege    Important
        CVE-2022-26832    Denial of Service         Important
        CVE-2022-26921    Elevation of Privilege    Important
        CVE-2022-26924    Denial of Service         Important

MITIGATION

        Microsoft recommends updating the software with the version made
        available on the Microsoft Update Catalogue for the following
        Knowledge Base articles. [1]

        KB5012117, KB5012118, KB5012120, KB5012121, KB5012123
        KB5012324, KB5012325, KB5012326, KB5012327, KB5012328
        KB5012329, KB5012330, KB5012331, KB5012332

REFERENCES

        [1] Microsoft Security Update Guidance
            https://portal.msrc.microsoft.com/en-us/security-guidance
13 April 2022

ASB-2022.0078 - [Win] Microsoft Azure products: CVSS (Max): 7.2

===========================================================================
             AUSCERT Security Bulletin

                         ASB-2022.0078
        Microsoft Patch Tuesday update for Microsoft Azure for April 2022
                           13 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Azure SDK for .Net
                   Azure Site Recovery VMWare to Azure
Operating System:  Windows
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-26907 CVE-2022-26898 CVE-2022-26897 CVE-2022-26896

Comment: CVSS (Max):  7.2 CVE-2022-26898 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
         CVSS Source: Microsoft
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

OVERVIEW

        Microsoft has released its monthly security patch update for the
        month of April 2022. This update resolves 4 vulnerabilities across
        the following products: [1]

        Azure SDK for .Net
        Azure Site Recovery VMWare to Azure

IMPACT

        Microsoft has given the following details regarding these
        vulnerabilities.

        Details           Impact                    Severity
        CVE-2022-26896    Information Disclosure    Important
        CVE-2022-26897    Information Disclosure    Important
        CVE-2022-26898    Remote Code Execution     Important
        CVE-2022-26907    Information Disclosure    Important

MITIGATION

        Microsoft recommends updating the software to the latest version
        available on the Microsoft Update Catalog. [1]

REFERENCES

        [1] Microsoft Security Update Guidance
            https://portal.msrc.microsoft.com/en-us/security-guidance
13 April 2022

ESB-2022.1444.5 - UPDATE [Cisco] Cisco Products: CVSS (Max): 9.8

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                         ESB-2022.1444.5
      Vulnerability in Spring Framework Affecting Cisco Products: March 2022
                           13 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Endpoint Clients and Client Software
                   Network Management and Provisioning
                   Voice and Unified Communications Devices
                   Routing and Switching - Enterprise and Service Provider
                   Video, Streaming, TelePresence, and Transcoding Devices
Publisher:         Cisco Systems
Operating System:  Cisco
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-22965

Original Bulletin:
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67

Comment: CVSS (Max):  9.8 CVE-2022-22965 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: Cisco Systems
         Calculator:  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Revision History:  April 13 2022: Updated the products under investigation,
                                  vulnerable products, and products confirmed
                                  not vulnerable.
                   April  8 2022: Vendor updated vulnerable products and
                                  released patch for Cisco CX Cloud Agent
                                  Software
                   April  6 2022: Vendor updated vulnerable products
                   April  5 2022: Title update
                   April  5 2022: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Vulnerability in Spring Framework Affecting Cisco Products: March 2022

Priority:        Critical
Advisory ID:     cisco-sa-java-spring-rce-Zx9GUc67
First Published: 2022 April 1 23:45 GMT
Last Updated:    2022 April 12 18:27 GMT
Version 1.6:     Interim
Workarounds:     No workarounds available
CVE Names:       CVE-2022-22965
CWEs:            CWE-120
CVSS Score:      9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

  o On March 31, 2022, the following critical vulnerability in the Spring
    Framework affecting Spring MVC and Spring WebFlux applications running on
    JDK 9+ was released:

      CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+

    For a description of this vulnerability, see VMware Spring Framework
    Security Vulnerability Report.

    This advisory will be updated as additional information becomes available.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67

Affected Products

  o Cisco is investigating its product line to determine which products may be
    affected by this vulnerability. As the investigation progresses, Cisco will
    update this advisory with information about affected products.

    The Vulnerable Products section will include Cisco bug IDs for each
    affected product. The bugs will be accessible through the Cisco Bug Search
    Tool and contain additional platform-specific information, including
    workarounds (if available) and fixed software releases.

    Any product not listed in the Products Under Investigation or Vulnerable
    Products section of this advisory is to be considered not vulnerable.
    Because this is an ongoing investigation, be aware that products that are
    currently considered not vulnerable may subsequently be considered
    vulnerable as additional information becomes available.

    Products Under Investigation

    The following products are under active investigation to determine whether
    they are affected by the vulnerability that is described in this advisory.

    Network Management and Provisioning
      Cisco Connected Pharma
      Cisco Extensible Network Controller (XNC)
      Cisco Network Change and Configuration Management
      Cisco Nexus Dashboard Data Broker, formerly Cisco Nexus Data Broker
      Cisco Nexus Dashboard, formerly Cisco Application Services Engine

    Routing and Switching - Enterprise and Service Provider
      Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM)
      Cisco Network Convergence System 2000 Series
      Cisco ONS 15454 Series Multiservice Provisioning Platforms

    Wireless
      Cisco Ultra Cloud Core - Session Management Function

    Cisco Cloud Hosted Services
      Cisco IoT Control Center
      Cisco Umbrella

    Vulnerable Products

    Cisco is investigating its product line to determine which products may be
    affected by this vulnerability. This section will be updated as
    information is available.

    The following table lists Cisco products that are affected by the
    vulnerability that is described in this advisory. If a future release date
    is indicated for software, the date provided represents an estimate based
    on all information known to Cisco as of the Last Updated date at the top
    of the advisory. Availability dates are subject to change based on a
    number of factors, including satisfactory testing results and delivery of
    other priority features and fixes. If no version or date is listed for an
    affected component (indicated by a blank field and/or an advisory
    designation of Interim), Cisco is continuing to evaluate the fix and will
    update the advisory as additional information becomes available. After
    the advisory is marked Final, customers should refer to the associated
    Cisco bug(s) for further details.

    Product                                        Cisco Bug ID   Fixed Release Availability

    Endpoint Clients and Client Software
      Cisco CX Cloud Agent Software                CSCwb41735     2.1.0 (20 Apr 2022)

    Network Management and Provisioning
      Cisco Automated Subsea Tuning                CSCwb43658
      Cisco Crosswork Data Gateway                 CSCwb43707
      Cisco Crosswork Network Controller           CSCwb43703     3.0.2 (29 Apr 2022)
                                                                  2.0.2 (29 Apr 2022)
      Cisco Crosswork Optimization Engine          CSCwb43709     3.1.1 (1 May 2022)
                                                                  2.1.1 (1 May 2022)
      Cisco Crosswork Zero Touch Provisioning      CSCwb43706     3.0.2 (29 Apr 2022)
      (ZTP)                                                       2.0.2 (20 Apr 2022)
      Cisco Evolved Programmable Network Manager   CSCwb43643     6.0.1.1 (29 Apr 2022)
                                                                  5.1.4.1 (29 Apr 2022)
                                                                  5.0.2.3 (29 Apr 2022)
      Cisco Managed Services Accelerator (MSX)     CSCwb43667
      Cisco Optical Network Planner                CSCwb43691
      Cisco WAN Automation Engine (WAE) Live       CSCwb43708     7.5.2.1 (19 Apr 2022)
                                                                  7.4.0.2 (25 Apr 2022)
                                                                  7.3.0.3 (29 Apr 2022)
      Cisco WAN Automation Engine (WAE)            CSCwb43708     7.5.2.1 (19 Apr 2022)
                                                                  7.4.0.2 (25 Apr 2022)
                                                                  7.3.0.3 (29 Apr 2022)
      Data Center Network Manager (DCNM)           CSCwb43637     12.1.1 (30 Jun 2022)
      Nexus Dashboard Fabric Controller (NDFC)     CSCwb43637     12.1.1 (30 Jun 2022)

    Routing and Switching - Enterprise and Service Provider
      Cisco DNA Center                             CSCwb43648
      Cisco Optical Network Controller             CSCwb43692     2.0 (31 May 2022)
      Cisco Software-Defined AVC (SD-AVC)          CSCwb43727

    Voice and Unified Communications Devices
      Cisco Enterprise Chat and Email              CSCwb45202     12.0 (30 May 2022)
                                                                  12.5 (30 May 2022)
                                                                  12.6 ES2 (15 May 2022)

    Video, Streaming, TelePresence, and Transcoding Devices
      Cisco Meeting Server                         CSCwb43662

    Products Confirmed Not Vulnerable

    Cisco is investigating its product line to determine which products may be
    affected by this vulnerability. This section will be updated as
    information becomes available.

    Any product not listed in the Products Under Investigation or Vulnerable
    Products section of this advisory is to be considered not vulnerable.
    Because this is an ongoing investigation, be aware that products that are
    currently considered not vulnerable may subsequently be considered
    vulnerable as additional information becomes available.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco products:

    Cable Devices
      Cisco Continuous Deployment and Automation Framework
      Cisco Prime Cable Provisioning

    Collaboration and Social Media
      Cisco SocialMiner
      Cisco Webex Meetings Server

    Network Application, Service, and Acceleration
      Cisco Wide Area Application Services (WAAS)

    Network and Content Security Devices
      Cisco Adaptive Security Appliance (ASA) Software
      Cisco Firepower Device Manager (FDM)
      Cisco Firepower Management Center (FMC)
      Cisco Firepower System Software
      Cisco Identity Services Engine (ISE)
      Cisco Secure Email Gateway, formerly Email Security Appliance (ESA)
      Cisco Secure Email and Web Manager, formerly Cisco Content Security Management Appliance (SMA)
      Cisco Secure Network Analytics, formerly Cisco Stealthwatch
      Cisco Security Manager

    Network Management and Provisioning
      Cisco Business Process Automation
      Cisco CloudCenter Action Orchestrator
      Cisco CloudCenter Cost Optimizer
      Cisco CloudCenter Suite Admin
      Cisco CloudCenter Workload Manager
      Cisco CloudCenter
      Cisco Collaboration Audit and Assessments
      Cisco Common Services Platform Collector (CSPC)
      Cisco Connected Mobile Experiences
      Cisco Crosswork Change Automation
      Cisco Crosswork Network Automation
      Cisco Crosswork Situation Manager
      Cisco DNA Assurance
      Cisco Elastic Services Controller (ESC)
      Cisco Intelligent Node (iNode) Manager
      Cisco IoT Field Network Director, formerly Cisco Connected Grid Network Management System
      Cisco NCS 2000 Shelf Virtualization Orchestrator (SVO)
      Cisco Network Insights for Data Center
      Cisco Nexus Dashboard
      Cisco Nexus Insights
      Cisco Policy Suite for Mobile
      Cisco Policy Suite
      Cisco Prime Performance Manager
      Cisco Smart PHY
      Cisco ThousandEyes Endpoint Agent
      Cisco ThousandEyes Enterprise Agent
      Cisco Virtual Topology System - Virtual Topology Controller (VTC) VM

    Routing and Switching - Enterprise and Service Provider
      Cisco ACI HTML5 vCenter Plug-in
      Cisco ASR 5000 Series Routers
      Cisco Enterprise NFV Infrastructure Software (NFVIS)
      Cisco GGSN Gateway GPRS Support Node
      Cisco IOx Fog Director
      Cisco IP Services Gateway (IPSG)
      Cisco MME Mobility Management Entity
      Cisco Mobility Unified Reporting and Analytics System
      Cisco PDSN/HA Packet Data Serving Node and Home Agent
      Cisco PGW Packet Data Network Gateway
      Cisco SD-WAN Cloud OnRamp for Co-Location
      Cisco System Architecture Evolution Gateway (SAEGW)
      Cisco Ultra Packet Core
      Cisco Ultra Services Platform
      Ultra Cloud Core - Redundancy Configuration Manager

    Routing and Switching - Small Business
      Cisco Business Dashboard

    Unified Computing
      Cisco HyperFlex

    Voice and Unified Communications Devices
      Cisco BroadWorks
      Cisco Cloud Connect
      Cisco Emergency Responder
      Cisco Unified Attendant Console Advanced
      Cisco Unified Attendant Console Business Edition
      Cisco Unified Attendant Console Department Edition
      Cisco Unified Attendant Console Enterprise Edition
      Cisco Unified Attendant Console Premium Edition
      Cisco Unified Communications Manager IM & Presence Service
      Cisco Unified Communications Manager Session Management Edition
      Cisco Unified Communications Manager
      Cisco Unified Contact Center Express
      Cisco Unified Customer Voice Portal
      Cisco Unified Intelligence Center
      Cisco Unity Connection
      Cisco Virtualized Voice Browser

    Video, Streaming, TelePresence, and Transcoding Devices
      Cisco Expressway Series
      Cisco TelePresence Integrator C Series
      Cisco TelePresence MX Series
      Cisco TelePresence Management Suite
      Cisco TelePresence Precision Cameras
      Cisco TelePresence Profile Series
      Cisco TelePresence SX Series
      Cisco TelePresence System EX Series
      Cisco TelePresence Video Communication Server (VCS)
      Cisco Touch
      Cisco Video Surveillance Operations Manager
      Cisco Vision Dynamic Signage Director
      Cisco Webex Board Series
      Cisco Webex Desk Series
      Cisco Webex Room Navigator
      Cisco Webex Room Series

    Wireless
      Cisco Ultra Cloud Core - Access and Mobility Management Function
      Cisco Ultra Cloud Core - Network Repository Function
      Cisco Ultra Cloud Core - Policy Control Function
      Cisco Ultra Cloud Core - Redundancy Configuration Manager
      Cisco Ultra Cloud Core - Subscriber Microservices Infrastructure

    Cisco Cloud Hosted Services
      Cisco BroadCloud
      Cisco Industrial Asset Vision
      Cisco IoT Operations Dashboard (IOTOC)
      Cisco Kinetic for Cities
      Cisco Registered Envelope Service
      Cisco Smart Collector - Lifecycle Management
      Cisco Unified Communications Manager Cloud
      Cisco Webex Cloud-Connected UC (CCUC)

Workarounds

  o Any workarounds will be documented in the product-specific Cisco bugs,
    which are identified in the Vulnerable Products section of this advisory.

Fixed Software

  o For information about fixed software releases, consult the Cisco bugs
    identified in the Vulnerable Products section of this advisory.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is aware that
    proof-of-concept exploit code is available for the vulnerability described
    in this advisory.

Source

  o This vulnerability was publicly disclosed by VMware on March 31, 2022.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy.
    This document also contains instructions for obtaining fixed software and
    receiving security vulnerability information from Cisco.

Action Links for This Advisory

  o Snort Rule 30790
    Snort Rule 30791
    Snort Rule 30792
    Snort Rule 30793
    Snort Rule 59416

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67

Revision History

  o +---------+----------------------------+----------+---------+-------------+
    | Version | Description                | Section  | Status  | Date        |
    +---------+----------------------------+----------+---------+-------------+
    |         | Updated the products under |          |         |             |
    | 1.6     | investigation, vulnerable  | Affected | Interim | 2022-APR-12 |
    |         | products, and products     | Products |         |             |
    |         | confirmed not vulnerable.  |          |         |             |
    +---------+----------------------------+----------+---------+-------------+
    |         | Updated the products under |          |         |             |
    | 1.5     | investigation, vulnerable  | Affected | Interim | 2022-APR-11 |
    |         | products, and products     | Products |         |             |
    |         | confirmed not vulnerable.  |          |         |             |
    +---------+----------------------------+----------+---------+-------------+
    |         | Updated the products under |          |         |             |
    | 1.4     | investigation, vulnerable  | Affected | Interim | 2022-APR-07 |
    |         | products, and products     | Products |         |             |
    |         | confirmed not vulnerable.  |          |         |             |
    +---------+----------------------------+----------+---------+-------------+
    |         | Updated the products under |          |         |             |
    | 1.3     | investigation, vulnerable  | Affected | Interim | 2022-APR-06 |
    |         | products, and products     | Products |         |             |
    |         | confirmed not vulnerable.  |          |         |             |
    +---------+----------------------------+----------+---------+-------------+
    |         | Updated the products under |          |         |             |
    | 1.2     | investigation, vulnerable  | Affected | Interim | 2022-APR-05 |
    |         | products, and products     | Products |         |             |
    |         | confirmed not vulnerable.  |          |         |             |
    +---------+----------------------------+----------+---------+-------------+
    |         | Updated the products under |          |         |             |
    | 1.1     | investigation, vulnerable  | Affected | Interim | 2022-APR-04 |
    |         | products, and products     | Products |         |             |
    |         | confirmed not vulnerable.  |          |         |             |
    +---------+----------------------------+----------+---------+-------------+
    | 1.0     | Initial public release.    | -        | Interim | 2022-APR-01 |
    +---------+----------------------------+----------+---------+-------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/
13 April 2022

ESB-2022.1596 - [Ubuntu] Subversion: CVSS (Max): 7.5

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                         ESB-2022.1596
                USN-5372-1: Subversion vulnerabilities
                           13 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Subversion
Publisher:         Ubuntu
Operating System:  Ubuntu
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-24070 CVE-2021-28544

Original Bulletin:
   https://ubuntu.com/security/notices/USN-5372-1

Comment: CVSS (Max):  7.5 CVE-2022-24070 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: SUSE
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

USN-5372-1: Subversion vulnerabilities
12 April 2022

Several security issues were fixed in Subversion.

Releases

  o Ubuntu 21.10
  o Ubuntu 20.04 LTS

Packages

  o subversion - Advanced version control system

Details

Evgeny Kotkov discovered that Subversion servers did not properly follow
path-based authorization rules in certain cases. An attacker could
potentially use this issue to retrieve information about private paths.
(CVE-2021-28544)

Thomas Weissschuh discovered that Subversion servers did not properly handle
memory in certain configurations. A remote attacker could potentially use
this issue to cause a denial of service or other unspecified impact.
(CVE-2022-24070)

Update instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 21.10

  o ruby-svn - 1.14.1-3ubuntu0.1
  o python3-subversion - 1.14.1-3ubuntu0.1
  o subversion-tools - 1.14.1-3ubuntu0.1
  o libapache2-mod-svn - 1.14.1-3ubuntu0.1
  o libsvn1 - 1.14.1-3ubuntu0.1
  o subversion - 1.14.1-3ubuntu0.1
  o libsvn-java - 1.14.1-3ubuntu0.1
  o libsvn-perl - 1.14.1-3ubuntu0.1

Ubuntu 20.04

  o ruby-svn - 1.13.0-3ubuntu0.1
  o subversion-tools - 1.13.0-3ubuntu0.1
  o libapache2-mod-svn - 1.13.0-3ubuntu0.1
  o python-subversion - 1.13.0-3ubuntu0.1
  o libsvn1 - 1.13.0-3ubuntu0.1
  o subversion - 1.13.0-3ubuntu0.1
  o libsvn-java - 1.13.0-3ubuntu0.1
  o libsvn-perl - 1.13.0-3ubuntu0.1

In general, a standard system update will make all the necessary changes.

References

  o CVE-2021-28544
  o CVE-2022-24070

- --------------------------END INCLUDED TEXT--------------------
13 April 2022

ESB-2022.1595 - [Ubuntu] Git: CVSS (Max): None

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1595
                        USN-5376-1: Git vulnerability
                               13 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Git
Publisher:         Ubuntu
Operating System:  Ubuntu
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-24765

Original Bulletin:
   https://ubuntu.com/security/notices/USN-5376-1

Comment: CVSS (Max):  None available when published

- --------------------------BEGIN INCLUDED TEXT--------------------

USN-5376-1: Git vulnerability
12 April 2022

Git could be made to run arbitrary commands in platforms with multiple
users support.

Releases
  o Ubuntu 21.10
  o Ubuntu 20.04 LTS
  o Ubuntu 18.04 LTS

Packages
  o git - fast, scalable, distributed revision control system

Details

discovered that Git incorrectly handled certain repository paths in
platforms with multiple users support. An attacker could possibly use
this issue to run arbitrary commands.

Update instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 21.10
  o git - 1:2.32.0-1ubuntu1.1

Ubuntu 20.04
  o git - 1:2.25.1-1ubuntu3.3

Ubuntu 18.04
  o git - 1:2.17.1-1ubuntu0.10

In general, a standard system update will make all the necessary changes.

References
  o CVE-2022-24765

- --------------------------END INCLUDED TEXT--------------------

===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYlYWj+NLKJtyKPYoAQgfvQ//W3Fj0HbSlgA82ATqUn2WbRgbJJq6qXkG
a2MRCNri/aC2is962s9K2oLLeCAvMb5Wu24al9Fs2o6YAQ1NH9TNnXVKrxJGoewW
f8S8ItBdW2mak1Nlx127aTWWQonyzlOTjQuuVlJjxxxDkyzhsTYuRkYveUr/vgn/
pUxBw/5JQDUIzrWK71COhqk6OnYFkDvZ0cvPzW9ktXhe5p14DxS8lcjish14gp2c
U7Ve9Anx/W6J3prZf7oj7/xtDKpIqOA9tV8iTgNKLGzsopoAquPp8mq4TuwXoaXg
pF5sMSHER5nymDYxRw+isJZ2L9GL0/P9m3vAAyb2o+WlNfyyAUxBeI0iMM05VrBV
JWDkWOUFwxtfZ5MJDmRchUnXImtU/N/LpAfSVtPjGDkR4/5BpBMWJnkaWJLKbCM5
da8KnDaVrjrTgZ30cswXqUqH6SR/43bYiMbQlgpzdMi5dFmVMTT+qaspXz5nk4Mp
fW147iiGjuf7/tjDjH2dvSLBO5GUaYVIzT0adNUSJmZNUvNqt6C6GPojMas5H527
EWv1CIGtX0z81cVmQzkjg0uFJpiAuFhCQ55gMk9pRJfUZm90glXrTM31wS4e8gnJ
6fpuXeFPzT6pbLv5i+884WKhvGrLug40a47P/Kg1azFxDE10iannaGRLrF2iGtKU
kVZmYziR9B4=
=6IKW
-----END PGP SIGNATURE-----
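The Ubuntu notices above (this Git notice and the subversion notice before it) each name a fixed package version per release, and the defender's follow-up question is whether every host is at or past that version. The following is an added example, not part of any bulletin and not Ubuntu's or AusCERT's code: it implements the dpkg version-ordering rules in Python (epoch, upstream, revision, numeric runs compared by value, and the `~` pre-release marker that sorts before the empty string) and runs them over a constructed inventory. The hostnames, the `FIXED_VERSIONS` table and the `check_inventory` function are this example's own; the fixed versions in the table are the ones quoted in the two notices. A plain string comparison would mis-order `1ubuntu0.9` against `1ubuntu0.10`, which is why the comparison is spelled out rather than left to `<`.

```python
"""Check installed Ubuntu package versions against the fixed versions
named in USN bulletins, using the dpkg version-ordering algorithm.
Added example; assumes an inventory in 'host release package version' form."""

DIGITS = set("0123456789")
LETTERS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")

# Fixed versions quoted in the two Ubuntu notices above, keyed by
# (Ubuntu release, package).  This table is the example's own structure.
FIXED_VERSIONS = {
    ("21.10", "git"): "1:2.32.0-1ubuntu1.1",
    ("20.04", "git"): "1:2.25.1-1ubuntu3.3",
    ("18.04", "git"): "1:2.17.1-1ubuntu0.10",
    ("21.10", "subversion"): "1.14.1-3ubuntu0.1",
    ("21.10", "libsvn1"): "1.14.1-3ubuntu0.1",
    ("20.04", "subversion"): "1.13.0-3ubuntu0.1",
    ("20.04", "libsvn1"): "1.13.0-3ubuntu0.1",
}


def _order(c: str) -> int:
    """Sort weight of one character as in dpkg: '~' sorts before end of
    string, letters before other characters; digits and end-of-string are 0
    because digit runs are compared numerically elsewhere."""
    if not c or c in DIGITS:
        return 0
    if c in LETTERS:
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments (upstream or revision part) the way
    dpkg does: alternate non-digit runs (by character order) and digit
    runs (by numeric value), so '0.9' < '0.10' and '1~rc1' < '1'."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character using _order().
        while (i < len(a) and a[i] not in DIGITS) or (j < len(b) and b[j] not in DIGITS):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: strip leading zeros, then the longer run wins,
        # otherwise the first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i] in DIGITS and b[j] in DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in DIGITS:
            return 1
        if j < len(b) and b[j] in DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split 'epoch:upstream-revision' into its parts; epoch and revision
    are optional, and the last '-' separates the Debian revision."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(v1: str, v2: str) -> int:
    """Return -1, 0 or 1 as v1 is older than, equal to, or newer than v2
    under dpkg ordering (epoch first, then upstream, then revision)."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    for x, y in ((u1, u2), (r1, r2)):
        c = _verrevcmp(x, y)
        if c:
            return -1 if c < 0 else 1
    return 0


# Constructed sample inventory (invented hosts and versions), one line per
# installed package, in the shape of
#   dpkg-query -W -f='${Package} ${Version}\n'
# prefixed with hostname and Ubuntu release.
SAMPLE_INVENTORY = """\
web01   20.04  git         1:2.25.1-1ubuntu3.2
web01   20.04  subversion  1.13.0-3ubuntu0.1
build02 18.04  git         1:2.17.1-1ubuntu0.9
dev03   21.10  git         1:2.32.0-1ubuntu1
dev03   21.10  libsvn1     1.14.1-3ubuntu0.1
ci04    21.10  subversion  1.14.1-3ubuntu0.1~rc1
ops05   20.04  git         1:2.25.1-1ubuntu3.4
ops05   20.04  hello       2.10-2ubuntu2
"""


def check_inventory(text: str, fixed=FIXED_VERSIONS) -> dict:
    """Map (host, package) to 'fixed' or 'vulnerable' for every inventory
    line whose (release, package) the bulletins cover; packages the
    bulletins do not mention are skipped rather than guessed at."""
    findings = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        host, release, package, installed = line.split()
        fixed_version = fixed.get((release, package))
        if fixed_version is None:
            continue
        ok = compare_versions(installed, fixed_version) >= 0
        findings[(host, package)] = "fixed" if ok else "vulnerable"
    return findings


if __name__ == "__main__":
    for (host, package), status in sorted(check_inventory(SAMPLE_INVENTORY).items()):
        print(f"{host:8} {package:12} {status}")
```

Feeding real `dpkg-query` output in the same shape gives the same report; the `~rc1` line is there to show that a pre-release build of the fixed version is still reported as vulnerable, and the `ops05` git line shows that a later Ubuntu revision counts as fixed.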
13 April 2022

ESB-2022.1594 - [Debian] zabbix: CVSS (Max): 4.4

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1594
                           zabbix security update
                               13 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           zabbix
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-24919 CVE-2022-24917 CVE-2022-24349

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2022/04/msg00011.html

Comment: CVSS (Max):  4.4 CVE-2022-24919 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

- --------------------------BEGIN INCLUDED TEXT--------------------

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2980-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
April 12, 2022                                https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : zabbix
Version        : 1:3.0.32+dfsg-0+deb9u3
CVE ID         : CVE-2022-24349 CVE-2022-24917 CVE-2022-24919

Several security vulnerabilities have been discovered in zabbix, a network
monitoring solution. An authenticated user can create a link with reflected
JavaScript code inside it for graphs, actions and services pages and send
it to other users. The payload can be executed only with a known CSRF token
value of the victim, which is changed periodically and is difficult to
predict.

For Debian 9 stretch, these problems have been fixed in version
1:3.0.32+dfsg-0+deb9u3.

We recommend that you upgrade your zabbix packages.

For the detailed security status of zabbix please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/zabbix

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -----BEGIN PGP SIGNATURE-----

iQKTBAABCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmJVazRfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeQwwhAAvmv5Pi5YS/Shw/3BVYWwIemCUQKOJ9kxGFluhjNHcX2mW+TbI8oLs1vJ
wbtnjOMIgeBXBbr5/R4Ix44/btN3e75qYgAvoXccxbDNhiGJZlkdHxy6YJ4Ms35N
1hdQkmtNGFtnrgAT67apurjXPMUiEfqXwlN1LYcCmB+iIhwzLQfO4D0GP4q6BQEc
hRKn3nxwyNCs5Qo4X6bUqkrjg00kD2rd2ucMt7n/ldzESH2IrwOHKaUDTZQ4rvEw
3b9f9s5JXa8q6WtdCLedDTch+V3c4O7OXXZRXJ85w4usNBnhJ8oFYAHtAAvRpPEU
B3JyV+y/SPbpHeVExD1H6+mfEjLVvjQZQa3xn0iLsPGSptHNqqwUIUxMU3R4BjG7
o625pzl3XWSPBzwiyTuY90xxuMJwnDLUKmK2NvU5psu3HOnssvJKnGnNEfN62/iO
TQ7AMTVaavXB8J5oyLWDY0qlheqL6kjmz1O6nR5VMHcCbu2EVH370bNO9uvPqJUJ
bivg6sdRym0qmFLDRQfQ2poe2GHVKdVdNYcJBwLGyu86IcVO6n4ZKmoeLsPY6jTV
OhfvTnl+MpYws3e/5Vgj3nFAdA/ilCbb1ac71snN3qEQoP6M1GnZD9Adn6Plde78
HjC2s27XSb4DExRckj1BVyQuBTUsVywdJIMIqEtNgnEUNKaVOCg=
=L6QL
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYlYWieNLKJtyKPYoAQgjiw/+PTnNLVCm8G4VDBpZ/G8B0AUQZW75StEX
omVzlLk29cOpwbomudm7BA/mBzmYiiZshX3WJqKsOxMJWOC4tQMpdgyGZxjhSQl4
PepPFvkye9a5Bzu9YgHNqxHGCHtRSDcg+FIpD4pRvL/lT6qO8p47fuXL3essgkuU
S/7E4EB0lHpC+W4MdDPEfh2sxlJJndwceUjlFlt5XW7xASQSazZVELk+bwd/MB8J
pipD6xdUsfn2nfdeogzO1N98aLcTmK2/0t/MzHeS7RlpTjYNUiRYt/+VSLxeEhZ7
26lsCj0tvB+xnGlBJjY/zlNlwi3w6QAhQZYUsagDXhJ5XiCDmhdj1KyYJeT7seJ/
DjZHcJyNdrn0idPVV0Hc46bZiPcp6op1aeNhOvoqpgn3L8lkGSHAMmHYpelKdOVR
cU91vY0xk/mdOAfS1Bt7hsO8cCKX4Oy1K5oJVhZ3SwoLa24fdtMyqAs1mqUpkv9d
sMKJ3hgKi1Sz2ZeBT85YZTQMLba8tROs7DbgUwaYjbZZpwaOdW/eFfdoKMYe7/jQ
noYcGJhn40fxcV0jFrIXarPW1ou4ZZjBPkZjKaNl/551hHsBSVXUyK2CwlmXw7t2
Epal9+eeiTC7nnMzC4z8GBV+7VdAbow0Z4UoGOpe1WbANpjNhp1u23ZN+H5LLqN5
Oc3kNBhfb8M=
=eNiA
-----END PGP SIGNATURE-----
13 April 2022

ESB-2022.1593 - [RedHat] Red Hat Integration Camel-K 1.6.5: CVSS (Max): 8.1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1593
             Red Hat Integration Camel-K 1.6.5 security update
                               13 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat Integration Camel-K 1.6.5
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-22965

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2022:1333

Comment: CVSS (Max):  8.1 CVE-2022-22965 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: Red Hat Integration Camel-K 1.6.5 security update
Advisory ID:       RHSA-2022:1333-01
Product:           Red Hat Integration
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:1333
Issue date:        2022-04-12
CVE Names:         CVE-2022-22965
=====================================================================

1. Summary:

A micro version update (from 1.6.4 to 1.6.5) is now available for Red Hat
Integration Camel K. The purpose of this text-only errata is to inform you
about the security issues fixed in this release.

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Description:

A micro version update (from 1.6.4 to 1.6.5) is now available for Red Hat
Camel K that includes CVE fixes in the base images, which are documented in
the Release Notes document linked in the References section.

Security Fix(es):

* spring-beans: spring-framework: RCE via Data Binding on JDK 9+
(CVE-2022-22965)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2070348 - CVE-2022-22965 spring-framework: RCE via Data Binding on JDK 9+

5. References:

https://access.redhat.com/security/cve/CVE-2022-22965
https://access.redhat.com/security/vulnerabilities/RHSB-2022-003
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2022-Q2
https://access.redhat.com/documentation/en-us/red_hat_integration/2022.q1

6. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYlX6IdzjgjWX9erEAQjfGQ//ff8/J2BxiGKD0zB6RGPrgwCaSvkVtV7y
8Lld/xKCQApjQzVXeM8pfkbhIn0+YwV41raVatrc7c8s8iKGcddyF4h7rQpk78eF
+X+S/6oB63e78O/bCRRYsQFCYaAYt+JDVrG4WAwbDJ27sUGQ+99hC69Zv7cBvH5u
oCAa9YjMZddlBZmYmSsfSx2VqPfRQNNEczL0DJYpwZtsNmgQxeQiU1e9advtr/wW
7Wfev8zuUy9UlbNjzFVi+ynvzeNOOYomAfpyRYMxfY6IeOvfDsfiAKhi/PfQIX3L
oCGxfGzP58AAeeb4OGIhTY9Z+yXUwYjmgIiwIpOfbz4+ewos6it6XUXqdYMKYFSd
QTs/tWDftxZquB0Zg4DkAHlNFfJPSN3M4HVsOOczIV6cR1G5DNLsOLACCjJOe9py
6bwgpB0E0yjkMAxokLyETwv8j9NskwMV9ns4nTge7HiGOybZXwXGXKn/gya63uUp
NFvHdAuAqzP5Omh6DOTgHzc4sKv1SRVAwI3cokCcoKmzkLwXNGYZC3jh42xhBZDj
m8OEmHOhtWdo6rBNN0lc1gjIdzHIQXFS+qhlicqD1JGvhSDCqSQOVP3Z1YwKJO6q
R4r9nB+kN/u3yBMuuGD8WCB6w4y6TV3d5MoAi4l0gu6alHBsTrE0r5tLRNGTstI6
2e9xMQYImAM=
=JwkL
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYlYWb+NLKJtyKPYoAQizkA/9Fys+1OFq+tygIbCnrAI+WNh1tXT2f8YX
k7UPDz/O2yI07X6Ovs+dzYDQhdD+NQLslXTTtDdMMsjyrickgbOo/FlYNmNUKEGw
pk4rMT0O8aZ2egF8kR4q6gV51BYcSfHvaVG82SOCSp1/E+YMFS6BAn3NS+8O4FWi
Urunhb6hhchUee2nFryTtPj1e+n+NZ36qha30QqqoKgTV6J262F6Vvt7ogrZr9Ut
utMaduYDDHtnHsFXPUC/Lz/giEn31TmgstB7Zcq4KikoeXYJvdqycF8bUyGSbdVR
2PMgxZBb2KhG/9wmSSEirz5F0oLkgQ18jb9KbRTkAj73RmISdK4nPFHrA1y792+1
TOjilxEJ/x4i5BIJjgeJh2ScIpGteTu+rTNNjAVIRr8omSMOMPT0X3d0X88JlMX6
FgAqOCs53R2SkPIek0c8tTP9BKqAG90mLQkI/OKw9EJaDQkGoWqYLr0qR4qj7Eya
vaa/shVuWTza3qe6sz1xGw1MjaQsYbFMgthTbjLYUaq8zYBjmgZuFz9YYY3Vu7ZZ
M7fdnbEcncchBSq0yZoi+AU5P3w1n6Exa/DMw5G/5MeA1YWNeFqPcm4E4gYd8ZS9
Iq8I4qKolULdJO1i8lQmjyRtISYJL9q0vwAFI4ILoPACnxLqDvbFUVauLxYzf0Ml
xwi/PW4ne9g=
=6zCs
-----END PGP SIGNATURE-----
13 April 2022

ESB-2022.1592 - [SUSE] xz: CVSS (Max): 8.4

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1592
                           Security update for xz
                               13 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           xz
Publisher:         SUSE
Operating System:  SUSE
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-1271

Original Bulletin:
   https://www.suse.com/support/update/announcement/2022/suse-su-20221160-1

Comment: CVSS (Max):  8.4 CVE-2022-1271 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: SUSE
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

SUSE Security Update: Security update for xz
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:1160-1
Rating:             important
References:         #1198062
Cross-References:   CVE-2022-1271
Affected Products:
                    HPE Helion Openstack 8
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP4-LTSS
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP4
                    SUSE Linux Enterprise Server for SAP Applications 12-SP5
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE OpenStack Cloud 8
                    SUSE OpenStack Cloud 9
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud Crowbar 9
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for xz fixes the following issues:

  o CVE-2022-1271: Fixed an incorrect escaping of malicious filenames
    (ZDI-CAN-16587). (bsc#1198062)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

  o SUSE OpenStack Cloud Crowbar 9:
    zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2022-1160=1
  o SUSE OpenStack Cloud Crowbar 8:
    zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2022-1160=1
  o SUSE OpenStack Cloud 9:
    zypper in -t patch SUSE-OpenStack-Cloud-9-2022-1160=1
  o SUSE OpenStack Cloud 8:
    zypper in -t patch SUSE-OpenStack-Cloud-8-2022-1160=1
  o SUSE Linux Enterprise Software Development Kit 12-SP5:
    zypper in -t patch SUSE-SLE-SDK-12-SP5-2022-1160=1
  o SUSE Linux Enterprise Server for SAP 12-SP4:
    zypper in -t patch SUSE-SLE-SAP-12-SP4-2022-1160=1
  o SUSE Linux Enterprise Server for SAP 12-SP3:
    zypper in -t patch SUSE-SLE-SAP-12-SP3-2022-1160=1
  o SUSE Linux Enterprise Server 12-SP5:
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-2022-1160=1
  o SUSE Linux Enterprise Server 12-SP4-LTSS:
    zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2022-1160=1
  o SUSE Linux Enterprise Server 12-SP3-LTSS:
    zypper in -t patch SUSE-SLE-SERVER-12-SP3-2022-1160=1
  o SUSE Linux Enterprise Server 12-SP3-BCL:
    zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2022-1160=1
  o SUSE Linux Enterprise Server 12-SP2-BCL:
    zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2022-1160=1
  o HPE Helion Openstack 8:
    zypper in -t patch HPE-Helion-OpenStack-8-2022-1160=1

Package List:

  o SUSE OpenStack Cloud Crowbar 9 (noarch):
       xz-lang-5.0.5-6.7.1
  o SUSE OpenStack Cloud Crowbar 9 (x86_64):
       liblzma5-32bit-5.0.5-6.7.1
       liblzma5-5.0.5-6.7.1
       liblzma5-debuginfo-32bit-5.0.5-6.7.1
       liblzma5-debuginfo-5.0.5-6.7.1
       xz-5.0.5-6.7.1
       xz-debuginfo-5.0.5-6.7.1
       xz-debugsource-5.0.5-6.7.1
  o SUSE OpenStack Cloud Crowbar 8 (noarch):
       xz-lang-5.0.5-6.7.1
  o SUSE OpenStack Cloud Crowbar 8 (x86_64):
       liblzma5-32bit-5.0.5-6.7.1
       liblzma5-5.0.5-6.7.1
       liblzma5-debuginfo-32bit-5.0.5-6.7.1
       liblzma5-debuginfo-5.0.5-6.7.1
       xz-5.0.5-6.7.1
       xz-debuginfo-5.0.5-6.7.1
       xz-debugsource-5.0.5-6.7.1
  o SUSE OpenStack Cloud 9 (x86_64):
       liblzma5-32bit-5.0.5-6.7.1
       liblzma5-5.0.5-6.7.1
       liblzma5-debuginfo-32bit-5.0.5-6.7.1
       liblzma5-debuginfo-5.0.5-6.7.1
       xz-5.0.5-6.7.1
       xz-debuginfo-5.0.5-6.7.1
       xz-debugsource-5.0.5-6.7.1
  o SUSE OpenStack Cloud 9 (noarch):
       xz-lang-5.0.5-6.7.1
  o SUSE OpenStack Cloud 8 (noarch):
       xz-lang-5.0.5-6.7.1
  o SUSE OpenStack Cloud 8 (x86_64):
       liblzma5-32bit-5.0.5-6.7.1
       liblzma5-5.0.5-6.7.1
       liblzma5-debuginfo-32bit-5.0.5-6.7.1
       liblzma5-debuginfo-5.0.5-6.7.1
       xz-5.0.5-6.7.1
       xz-debuginfo-5.0.5-6.7.1
       xz-debugsource-5.0.5-6.7.1
  o SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):
       xz-debuginfo-5.0.5-6.7.1
       xz-debugsource-5.0.5-6.7.1
       xz-devel-5.0.5-6.7.1
  o SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):
       liblzma5-5.0.5-6.7.1
       liblzma5-debuginfo-5.0.5-6.7.1
       xz-5.0.5-6.7.1
       xz-debuginfo-5.0.5-6.7.1
       xz-debugsource-5.0.5-6.7.1
  o SUSE Linux Enterprise Server for SAP 12-SP4 (noarch):
       xz-lang-5.0.5-6.7.1
  o SUSE Linux Enterprise Server for SAP 12-SP4 (x86_64):
       liblzma5-32bit-5.0.5-6.7.1
       liblzma5-debuginfo-32bit-5.0.5-6.7.1
  o SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):
       liblzma5-5.0.5-6.7.1
       liblzma5-debuginfo-5.0.5-6.7.1
       xz-5.0.5-6.7.1
       xz-debuginfo-5.0.5-6.7.1
       xz-debugsource-5.0.5-6.7.1
  o SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64):
       liblzma5-32bit-5.0.5-6.7.1
       liblzma5-debuginfo-32bit-5.0.5-6.7.1
  o SUSE Linux Enterprise Server for SAP 12-SP3 (noarch):
       xz-lang-5.0.5-6.7.1
  o SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
       liblzma5-5.0.5-6.7.1
       liblzma5-debuginfo-5.0.5-6.7.1
       xz-5.0.5-6.7.1
       xz-debuginfo-5.0.5-6.7.1
       xz-debugsource-5.0.5-6.7.1
  o SUSE Linux Enterprise Server 12-SP5 (s390x x86_64):
       liblzma5-32bit-5.0.5-6.7.1
       liblzma5-debuginfo-32bit-5.0.5-6.7.1
  o SUSE Linux Enterprise Server 12-SP5 (noarch):
       xz-lang-5.0.5-6.7.1
  o SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):
       liblzma5-5.0.5-6.7.1
       liblzma5-debuginfo-5.0.5-6.7.1
       xz-5.0.5-6.7.1
       xz-debuginfo-5.0.5-6.7.1
       xz-debugsource-5.0.5-6.7.1
  o SUSE Linux Enterprise Server 12-SP4-LTSS (s390x x86_64):
       liblzma5-32bit-5.0.5-6.7.1
       liblzma5-debuginfo-32bit-5.0.5-6.7.1
  o SUSE Linux Enterprise Server 12-SP4-LTSS (noarch):
       xz-lang-5.0.5-6.7.1
  o SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):
       liblzma5-5.0.5-6.7.1
       liblzma5-debuginfo-5.0.5-6.7.1
       xz-5.0.5-6.7.1
       xz-debuginfo-5.0.5-6.7.1
       xz-debugsource-5.0.5-6.7.1
  o SUSE Linux Enterprise Server 12-SP3-LTSS (s390x x86_64):
       liblzma5-32bit-5.0.5-6.7.1
       liblzma5-debuginfo-32bit-5.0.5-6.7.1
  o SUSE Linux Enterprise Server 12-SP3-LTSS (noarch):
       xz-lang-5.0.5-6.7.1
  o SUSE Linux Enterprise Server 12-SP3-BCL (noarch):
       xz-lang-5.0.5-6.7.1
  o SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):
       liblzma5-32bit-5.0.5-6.7.1
       liblzma5-5.0.5-6.7.1
       liblzma5-debuginfo-32bit-5.0.5-6.7.1
       liblzma5-debuginfo-5.0.5-6.7.1
       xz-5.0.5-6.7.1
       xz-debuginfo-5.0.5-6.7.1
       xz-debugsource-5.0.5-6.7.1
  o SUSE Linux Enterprise Server 12-SP2-BCL (noarch):
       xz-lang-5.0.5-6.7.1
  o SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
       liblzma5-32bit-5.0.5-6.7.1
       liblzma5-5.0.5-6.7.1
       liblzma5-debuginfo-32bit-5.0.5-6.7.1
       liblzma5-debuginfo-5.0.5-6.7.1
       xz-5.0.5-6.7.1
       xz-debuginfo-5.0.5-6.7.1
       xz-debugsource-5.0.5-6.7.1
  o HPE Helion Openstack 8 (noarch):
       xz-lang-5.0.5-6.7.1
  o HPE Helion Openstack 8 (x86_64):
       liblzma5-32bit-5.0.5-6.7.1
       liblzma5-5.0.5-6.7.1
       liblzma5-debuginfo-32bit-5.0.5-6.7.1
       liblzma5-debuginfo-5.0.5-6.7.1
       xz-5.0.5-6.7.1
       xz-debuginfo-5.0.5-6.7.1
       xz-debugsource-5.0.5-6.7.1

References:

  o https://www.suse.com/security/cve/CVE-2022-1271.html
  o https://bugzilla.suse.com/1198062

- --------------------------END INCLUDED TEXT--------------------

===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYlYWG+NLKJtyKPYoAQgnjhAAhs2muCCd5dr6JvNr9ba//C3Av1v4aKNz
lOXkA9SyT24Ao7KSPyfgpoV3jtn36//75d1J4eCpwEpVC5+Om2V2L8M17jgFrIfL
+ilYG9X80AdsHbPqpqfp38xAHD+6mf06JSjNuHsI1u/uy7AGCVfqCCzdBBY1MVWh
N3cDJP4U3D6hyrE00yq54Fp05hj5TeBmrC2d4om8KIqegGLttJ2MNxb7/fo7TYv2
MsQRVfZ7n8gMrhfyIaLaF2DeNehODbabc8SasCZtVa8pEKn9g7Ey2qC/nAcZo+Ps
M6OljmcylB1R/HAl1e6WziVqwTHTvoSdHmX24hSCR3+C6bPd6x9oy54T7G9CGPIM
EEtPAOccYJBV35gqvCCWCVcKrp4PPBEqnZ/V+SkMA9n4oRIq+Upk+DO2pmkQRSA6
xi4vwr2jbUM68irXkw1rfGVJrXCRzs37KZjCZOgLUnss1rBrtSqBCJlXwL74F1Tp
38mdxUjQqjRqpC3KO+5C5NiS/bshb77yqnp90Pq2wDn6rT3Tip3xtjEJM7yC3r5f
9xlsHu2oNflUL/iIhi4oEtRQo1zmrFD/Z+jBNJNyBnUpIJAYMwSsKWSw3WFadXez
jFhhgNH0S5qg9yNlFqJcZUgxCBwW15thcPk74gXXn3DvVtYnPb3QkImhEtbseB/M
7d2YXOnVLZU=
=VGyB
-----END PGP SIGNATURE-----
13 April 2022

ESB-2022.1591 - [SUSE] xz: CVSS (Max): 8.4

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.1591 Security update for xz 13 April 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: xz Publisher: SUSE Operating System: SUSE Resolution: Patch/Upgrade CVE Names: CVE-2022-1271 Original Bulletin: https://www.suse.com/support/update/announcement/2022/suse-su-20221158-1 Comment: CVSS (Max): 8.4 CVE-2022-1271 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSS Source: SUSE Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- SUSE Security Update: Security update for xz ______________________________________________________________________________ Announcement ID: SUSE-SU-2022:1158-1 Rating: important References: #1198062 Cross-References: CVE-2022-1271 Affected Products: SUSE CaaS Platform 4.0 SUSE Enterprise Storage 6 SUSE Enterprise Storage 7 SUSE Linux Enterprise Desktop 15-SP3 SUSE Linux Enterprise Desktop 15-SP4 SUSE Linux Enterprise High Performance Computing 15-ESPOS SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS SUSE Linux Enterprise High Performance Computing 15-SP3 SUSE Linux Enterprise High Performance Computing 15-SP4 SUSE Linux Enterprise Micro 5.0 SUSE Linux Enterprise Micro 5.1 SUSE Linux Enterprise Micro 5.2 SUSE Linux Enterprise Module for Basesystem 15-SP3 SUSE Linux Enterprise Module for Basesystem 15-SP4 SUSE Linux Enterprise Realtime Extension 15-SP2 SUSE Linux Enterprise Server 15-LTSS SUSE 
Linux Enterprise Server 15-SP1-BCL SUSE Linux Enterprise Server 15-SP1-LTSS SUSE Linux Enterprise Server 15-SP2-BCL SUSE Linux Enterprise Server 15-SP2-LTSS SUSE Linux Enterprise Server 15-SP3 SUSE Linux Enterprise Server 15-SP4 SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server for SAP 15-SP1 SUSE Linux Enterprise Server for SAP 15-SP2 SUSE Linux Enterprise Server for SAP Applications 15-SP3 SUSE Linux Enterprise Server for SAP Applications 15-SP4 SUSE Manager Proxy 4.1 SUSE Manager Proxy 4.2 SUSE Manager Retail Branch Server 4.1 SUSE Manager Server 4.1 SUSE Manager Server 4.2 openSUSE Leap 15.3 openSUSE Leap 15.4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for xz fixes the following issues: o CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product:
o openSUSE Leap 15.4: zypper in -t patch openSUSE-SLE-15.4-2022-1158=1
o openSUSE Leap 15.3: zypper in -t patch openSUSE-SLE-15.3-2022-1158=1
o SUSE Manager Server 4.1: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.1-2022-1158=1
o SUSE Manager Retail Branch Server 4.1: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.1-2022-1158=1
o SUSE Manager Proxy 4.1: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.1-2022-1158=1
o SUSE Linux Enterprise Server for SAP 15-SP2: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2022-1158=1
o SUSE Linux Enterprise Server for SAP 15-SP1: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2022-1158=1
o SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2022-1158=1
o SUSE Linux Enterprise Server 15-SP2-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2022-1158=1
o SUSE Linux Enterprise Server 15-SP2-BCL: zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-BCL-2022-1158=1
o SUSE Linux Enterprise Server 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2022-1158=1
o SUSE Linux Enterprise Server 15-SP1-BCL: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2022-1158=1
o SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2022-1158=1
o SUSE Linux Enterprise Realtime Extension 15-SP2: zypper in -t patch SUSE-SLE-Product-RT-15-SP2-2022-1158=1
o SUSE Linux Enterprise Module for Basesystem 15-SP4: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP4-2022-1158=1
o SUSE Linux Enterprise Module for Basesystem 15-SP3: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2022-1158=1
o SUSE Linux Enterprise Micro 5.2: zypper in -t patch SUSE-SUSE-MicroOS-5.2-2022-1158=1
o SUSE Linux Enterprise Micro 5.1: zypper in -t patch SUSE-SUSE-MicroOS-5.1-2022-1158=1
o SUSE Linux Enterprise Micro 5.0: zypper in -t patch SUSE-SUSE-MicroOS-5.0-2022-1158=1
o SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2022-1158=1
o SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-ESPOS-2022-1158=1
o SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2022-1158=1
o SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2022-1158=1
o SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2022-1158=1
o SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2022-1158=1
o SUSE Enterprise Storage 7: zypper in -t patch SUSE-Storage-7-2022-1158=1
o SUSE Enterprise Storage 6: zypper in -t patch SUSE-Storage-6-2022-1158=1
o SUSE CaaS Platform 4.0: To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.
Package List:
o openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64): liblzma5-5.2.3-150000.4.7.1 liblzma5-debuginfo-5.2.3-150000.4.7.1 xz-5.2.3-150000.4.7.1 xz-debuginfo-5.2.3-150000.4.7.1 xz-debugsource-5.2.3-150000.4.7.1 xz-devel-5.2.3-150000.4.7.1 xz-static-devel-5.2.3-150000.4.7.1
o openSUSE Leap 15.4 (noarch): xz-lang-5.2.3-150000.4.7.1
o openSUSE Leap 15.4 (x86_64): liblzma5-32bit-5.2.3-150000.4.7.1 liblzma5-32bit-debuginfo-5.2.3-150000.4.7.1 xz-devel-32bit-5.2.3-150000.4.7.1
o openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64): liblzma5-5.2.3-150000.4.7.1 liblzma5-debuginfo-5.2.3-150000.4.7.1 xz-5.2.3-150000.4.7.1 xz-debuginfo-5.2.3-150000.4.7.1 xz-debugsource-5.2.3-150000.4.7.1 xz-devel-5.2.3-150000.4.7.1 xz-static-devel-5.2.3-150000.4.7.1
o openSUSE Leap 15.3 (noarch): xz-lang-5.2.3-150000.4.7.1
o openSUSE Leap 15.3 (x86_64): liblzma5-32bit-5.2.3-150000.4.7.1 liblzma5-32bit-debuginfo-5.2.3-150000.4.7.1 xz-devel-32bit-5.2.3-150000.4.7.1
o SUSE Manager Server 4.1 (ppc64le s390x x86_64): liblzma5-5.2.3-150000.4.7.1 liblzma5-debuginfo-5.2.3-150000.4.7.1 xz-5.2.3-150000.4.7.1 xz-debuginfo-5.2.3-150000.4.7.1 xz-debugsource-5.2.3-150000.4.7.1 xz-devel-5.2.3-150000.4.7.1 xz-static-devel-5.2.3-150000.4.7.1
o SUSE Manager Server 4.1 (noarch): xz-lang-5.2.3-150000.4.7.1
o SUSE Manager Server 4.1 (x86_64): liblzma5-32bit-5.2.3-150000.4.7.1 liblzma5-32bit-debuginfo-5.2.3-150000.4.7.1
o SUSE Manager Retail Branch Server 4.1 (noarch): xz-lang-5.2.3-150000.4.7.1
o SUSE Manager Retail Branch Server 4.1 (x86_64): liblzma5-32bit-5.2.3-150000.4.7.1 liblzma5-32bit-debuginfo-5.2.3-150000.4.7.1 liblzma5-5.2.3-150000.4.7.1 liblzma5-debuginfo-5.2.3-150000.4.7.1 xz-5.2.3-150000.4.7.1 xz-debuginfo-5.2.3-150000.4.7.1 xz-debugsource-5.2.3-150000.4.7.1 xz-devel-5.2.3-150000.4.7.1 xz-static-devel-5.2.3-150000.4.7.1
o SUSE Manager Proxy 4.1 (noarch): xz-lang-5.2.3-150000.4.7.1
o SUSE Manager Proxy 4.1 (x86_64): liblzma5-32bit-5.2.3-150000.4.7.1 liblzma5-32bit-debuginfo-5.2.3-150000.4.7.1 liblzma5-5.2.3-150000.4.7.1 liblzma5-debuginfo-5.2.3-150000.4.7.1 xz-5.2.3-150000.4.7.1 xz-debuginfo-5.2.3-150000.4.7.1 xz-debugsource-5.2.3-150000.4.7.1 xz-devel-5.2.3-150000.4.7.1 xz-static-devel-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Server for SAP 15-SP2 (ppc64le x86_64): liblzma5-5.2.3-150000.4.7.1 liblzma5-debuginfo-5.2.3-150000.4.7.1 xz-5.2.3-150000.4.7.1 xz-debuginfo-5.2.3-150000.4.7.1 xz-debugsource-5.2.3-150000.4.7.1 xz-devel-5.2.3-150000.4.7.1 xz-static-devel-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Server for SAP 15-SP2 (x86_64): liblzma5-32bit-5.2.3-150000.4.7.1 liblzma5-32bit-debuginfo-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Server for SAP 15-SP2 (noarch): xz-lang-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64): liblzma5-5.2.3-150000.4.7.1 liblzma5-debuginfo-5.2.3-150000.4.7.1 xz-5.2.3-150000.4.7.1 xz-debuginfo-5.2.3-150000.4.7.1 xz-debugsource-5.2.3-150000.4.7.1 xz-devel-5.2.3-150000.4.7.1 xz-static-devel-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Server for SAP 15-SP1 (noarch): xz-lang-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Server for SAP 15-SP1 (x86_64): liblzma5-32bit-5.2.3-150000.4.7.1 liblzma5-32bit-debuginfo-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): liblzma5-5.2.3-150000.4.7.1 liblzma5-debuginfo-5.2.3-150000.4.7.1 xz-5.2.3-150000.4.7.1 xz-debuginfo-5.2.3-150000.4.7.1 xz-debugsource-5.2.3-150000.4.7.1 xz-devel-5.2.3-150000.4.7.1 xz-static-devel-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Server for SAP 15 (x86_64): liblzma5-32bit-5.2.3-150000.4.7.1 liblzma5-32bit-debuginfo-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Server for SAP 15 (noarch): xz-lang-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Server 15-SP2-LTSS (aarch64 ppc64le s390x x86_64): liblzma5-5.2.3-150000.4.7.1 liblzma5-debuginfo-5.2.3-150000.4.7.1 xz-5.2.3-150000.4.7.1 xz-debuginfo-5.2.3-150000.4.7.1 xz-debugsource-5.2.3-150000.4.7.1 xz-devel-5.2.3-150000.4.7.1 xz-static-devel-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Server 15-SP2-LTSS (noarch): xz-lang-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Server 15-SP2-LTSS (x86_64): liblzma5-32bit-5.2.3-150000.4.7.1 liblzma5-32bit-debuginfo-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Server 15-SP2-BCL (noarch): xz-lang-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Server 15-SP2-BCL (x86_64): liblzma5-32bit-5.2.3-150000.4.7.1 liblzma5-32bit-debuginfo-5.2.3-150000.4.7.1 liblzma5-5.2.3-150000.4.7.1 liblzma5-debuginfo-5.2.3-150000.4.7.1 xz-5.2.3-150000.4.7.1 xz-debuginfo-5.2.3-150000.4.7.1 xz-debugsource-5.2.3-150000.4.7.1 xz-devel-5.2.3-150000.4.7.1 xz-static-devel-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64): liblzma5-5.2.3-150000.4.7.1 liblzma5-debuginfo-5.2.3-150000.4.7.1 xz-5.2.3-150000.4.7.1 xz-debuginfo-5.2.3-150000.4.7.1 xz-debugsource-5.2.3-150000.4.7.1 xz-devel-5.2.3-150000.4.7.1 xz-static-devel-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Server 15-SP1-LTSS (x86_64): liblzma5-32bit-5.2.3-150000.4.7.1 liblzma5-32bit-debuginfo-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Server 15-SP1-LTSS (noarch): xz-lang-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Server 15-SP1-BCL (noarch): xz-lang-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Server 15-SP1-BCL (x86_64): liblzma5-32bit-5.2.3-150000.4.7.1 liblzma5-32bit-debuginfo-5.2.3-150000.4.7.1 liblzma5-5.2.3-150000.4.7.1 liblzma5-debuginfo-5.2.3-150000.4.7.1 xz-5.2.3-150000.4.7.1 xz-debuginfo-5.2.3-150000.4.7.1 xz-debugsource-5.2.3-150000.4.7.1 xz-devel-5.2.3-150000.4.7.1 xz-static-devel-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): liblzma5-5.2.3-150000.4.7.1 liblzma5-debuginfo-5.2.3-150000.4.7.1 xz-5.2.3-150000.4.7.1 xz-debuginfo-5.2.3-150000.4.7.1 xz-debugsource-5.2.3-150000.4.7.1 xz-devel-5.2.3-150000.4.7.1 xz-static-devel-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Server 15-LTSS (noarch): xz-lang-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Realtime Extension 15-SP2 (x86_64): liblzma5-32bit-5.2.3-150000.4.7.1 liblzma5-32bit-debuginfo-5.2.3-150000.4.7.1 liblzma5-5.2.3-150000.4.7.1 liblzma5-debuginfo-5.2.3-150000.4.7.1 xz-5.2.3-150000.4.7.1 xz-debuginfo-5.2.3-150000.4.7.1 xz-debugsource-5.2.3-150000.4.7.1 xz-devel-5.2.3-150000.4.7.1 xz-static-devel-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Realtime Extension 15-SP2 (noarch): xz-lang-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Module for Basesystem 15-SP4 (aarch64 ppc64le s390x x86_64): liblzma5-5.2.3-150000.4.7.1 liblzma5-debuginfo-5.2.3-150000.4.7.1 xz-5.2.3-150000.4.7.1 xz-debuginfo-5.2.3-150000.4.7.1 xz-debugsource-5.2.3-150000.4.7.1 xz-devel-5.2.3-150000.4.7.1 xz-static-devel-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Module for Basesystem 15-SP4 (noarch): xz-lang-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Module for Basesystem 15-SP4 (x86_64): liblzma5-32bit-5.2.3-150000.4.7.1 liblzma5-32bit-debuginfo-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64): liblzma5-5.2.3-150000.4.7.1 liblzma5-debuginfo-5.2.3-150000.4.7.1 xz-5.2.3-150000.4.7.1 xz-debuginfo-5.2.3-150000.4.7.1 xz-debugsource-5.2.3-150000.4.7.1 xz-devel-5.2.3-150000.4.7.1 xz-static-devel-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Module for Basesystem 15-SP3 (x86_64): liblzma5-32bit-5.2.3-150000.4.7.1 liblzma5-32bit-debuginfo-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Module for Basesystem 15-SP3 (noarch): xz-lang-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Micro 5.2 (aarch64 s390x x86_64): liblzma5-5.2.3-150000.4.7.1 liblzma5-debuginfo-5.2.3-150000.4.7.1 xz-5.2.3-150000.4.7.1 xz-debuginfo-5.2.3-150000.4.7.1 xz-debugsource-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Micro 5.1 (aarch64 s390x x86_64): liblzma5-5.2.3-150000.4.7.1 liblzma5-debuginfo-5.2.3-150000.4.7.1 xz-5.2.3-150000.4.7.1 xz-debuginfo-5.2.3-150000.4.7.1 xz-debugsource-5.2.3-150000.4.7.1
o SUSE Linux Enterprise Micro 5.0 (aarch64 x86_64): liblzma5-5.2.3-150000.4.7.1 liblzma5-debuginfo-5.2.3-150000.4.7.1 xz-5.2.3-150000.4.7.1 xz-debuginfo-5.2.3-150000.4.7.1 xz-debugsource-5.2.3-150000.4.7.1
o SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (aarch64 x86_64): liblzma5-5.2.3-150000.4.7.1 liblzma5-debuginfo-5.2.3-150000.4.7.1 xz-5.2.3-150000.4.7.1 xz-debuginfo-5.2.3-150000.4.7.1 xz-debugsource-5.2.3-150000.4.7.1 xz-devel-5.2.3-150000.4.7.1 xz-static-devel-5.2.3-150000.4.7.1
o SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (x86_64): liblzma5-32bit-5.2.3-150000.4.7.1 liblzma5-32bit-debuginfo-5.2.3-150000.4.7.1
o SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (noarch): xz-lang-5.2.3-150000.4.7.1
o SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (aarch64 x86_64): liblzma5-5.2.3-150000.4.7.1 liblzma5-debuginfo-5.2.3-150000.4.7.1 xz-5.2.3-150000.4.7.1 xz-debuginfo-5.2.3-150000.4.7.1 xz-debugsource-5.2.3-150000.4.7.1 xz-devel-5.2.3-150000.4.7.1 xz-static-devel-5.2.3-150000.4.7.1
o SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (x86_64): liblzma5-32bit-5.2.3-150000.4.7.1 liblzma5-32bit-debuginfo-5.2.3-150000.4.7.1
o SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (noarch): xz-lang-5.2.3-150000.4.7.1
o SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64): liblzma5-5.2.3-150000.4.7.1 liblzma5-debuginfo-5.2.3-150000.4.7.1 xz-5.2.3-150000.4.7.1 xz-debuginfo-5.2.3-150000.4.7.1 xz-debugsource-5.2.3-150000.4.7.1 xz-devel-5.2.3-150000.4.7.1 xz-static-devel-5.2.3-150000.4.7.1
o SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (x86_64): liblzma5-32bit-5.2.3-150000.4.7.1 liblzma5-32bit-debuginfo-5.2.3-150000.4.7.1
o SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (noarch): xz-lang-5.2.3-150000.4.7.1
o SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64): liblzma5-5.2.3-150000.4.7.1 liblzma5-debuginfo-5.2.3-150000.4.7.1 xz-5.2.3-150000.4.7.1 xz-debuginfo-5.2.3-150000.4.7.1 xz-debugsource-5.2.3-150000.4.7.1 xz-devel-5.2.3-150000.4.7.1 xz-static-devel-5.2.3-150000.4.7.1
o SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (noarch): xz-lang-5.2.3-150000.4.7.1
o SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (x86_64): liblzma5-32bit-5.2.3-150000.4.7.1 liblzma5-32bit-debuginfo-5.2.3-150000.4.7.1
o SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): liblzma5-5.2.3-150000.4.7.1 liblzma5-debuginfo-5.2.3-150000.4.7.1 xz-5.2.3-150000.4.7.1 xz-debuginfo-5.2.3-150000.4.7.1 xz-debugsource-5.2.3-150000.4.7.1 xz-devel-5.2.3-150000.4.7.1 xz-static-devel-5.2.3-150000.4.7.1
o SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch): xz-lang-5.2.3-150000.4.7.1
o SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64): liblzma5-32bit-5.2.3-150000.4.7.1 liblzma5-32bit-debuginfo-5.2.3-150000.4.7.1
o SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): liblzma5-5.2.3-150000.4.7.1 liblzma5-debuginfo-5.2.3-150000.4.7.1 xz-5.2.3-150000.4.7.1 xz-debuginfo-5.2.3-150000.4.7.1 xz-debugsource-5.2.3-150000.4.7.1 xz-devel-5.2.3-150000.4.7.1 xz-static-devel-5.2.3-150000.4.7.1
o SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch): xz-lang-5.2.3-150000.4.7.1
o SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64): liblzma5-32bit-5.2.3-150000.4.7.1 liblzma5-32bit-debuginfo-5.2.3-150000.4.7.1
o SUSE Enterprise Storage 7 (aarch64 x86_64): liblzma5-5.2.3-150000.4.7.1 liblzma5-debuginfo-5.2.3-150000.4.7.1 xz-5.2.3-150000.4.7.1 xz-debuginfo-5.2.3-150000.4.7.1 xz-debugsource-5.2.3-150000.4.7.1 xz-devel-5.2.3-150000.4.7.1 xz-static-devel-5.2.3-150000.4.7.1
o SUSE Enterprise Storage 7 (x86_64): liblzma5-32bit-5.2.3-150000.4.7.1 liblzma5-32bit-debuginfo-5.2.3-150000.4.7.1
o SUSE Enterprise Storage 7 (noarch): xz-lang-5.2.3-150000.4.7.1
o SUSE Enterprise Storage 6 (aarch64 x86_64): liblzma5-5.2.3-150000.4.7.1 liblzma5-debuginfo-5.2.3-150000.4.7.1 xz-5.2.3-150000.4.7.1 xz-debuginfo-5.2.3-150000.4.7.1 xz-debugsource-5.2.3-150000.4.7.1 xz-devel-5.2.3-150000.4.7.1 xz-static-devel-5.2.3-150000.4.7.1
o SUSE Enterprise Storage 6 (x86_64): liblzma5-32bit-5.2.3-150000.4.7.1 liblzma5-32bit-debuginfo-5.2.3-150000.4.7.1
o SUSE Enterprise Storage 6 (noarch): xz-lang-5.2.3-150000.4.7.1
o SUSE CaaS Platform 4.0 (x86_64): liblzma5-32bit-5.2.3-150000.4.7.1 liblzma5-32bit-debuginfo-5.2.3-150000.4.7.1 liblzma5-5.2.3-150000.4.7.1 liblzma5-debuginfo-5.2.3-150000.4.7.1 xz-5.2.3-150000.4.7.1 xz-debuginfo-5.2.3-150000.4.7.1 xz-debugsource-5.2.3-150000.4.7.1 xz-devel-5.2.3-150000.4.7.1 xz-static-devel-5.2.3-150000.4.7.1
o SUSE CaaS Platform 4.0 (noarch): xz-lang-5.2.3-150000.4.7.1

References:
o https://www.suse.com/security/cve/CVE-2022-1271.html
o https://bugzilla.suse.com/1198062

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
13 April 2022

ESB-2022.1590 - [SUSE] xz: CVSS (Max): 8.4

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1590
Security update for xz
13 April 2022
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------
Product: xz
Publisher: SUSE
Operating System: SUSE
Resolution: Patch/Upgrade
CVE Names: CVE-2022-1271
Original Bulletin: https://www.suse.com/support/update/announcement/2022/suse-su-202214938-1
Comment: CVSS (Max): 8.4 CVE-2022-1271 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: SUSE
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

SUSE Security Update: Security update for xz
______________________________________________________________________________
Announcement ID: SUSE-SU-2022:14938-1
Rating: important
References: #1198062
Cross-References: CVE-2022-1271
Affected Products:
SUSE Linux Enterprise Debuginfo 11-SP3
SUSE Linux Enterprise Debuginfo 11-SP4
SUSE Linux Enterprise Point of Sale 11-SP3
SUSE Linux Enterprise Server 11-SP4-LTSS
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:
This update for xz fixes the following issues:
o CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062)

Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
o SUSE Linux Enterprise Server 11-SP4-LTSS: zypper in -t patch slessp4-xz-14938=1
o SUSE Linux Enterprise Point of Sale 11-SP3: zypper in -t patch sleposp3-xz-14938=1
o SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-xz-14938=1
o SUSE Linux Enterprise Debuginfo 11-SP3: zypper in -t patch dbgsp3-xz-14938=1

Package List:
o SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64): liblzma5-5.0.3-0.12.7.1 xz-5.0.3-0.12.7.1 xz-lang-5.0.3-0.12.7.1
o SUSE Linux Enterprise Server 11-SP4-LTSS (ppc64 s390x x86_64): liblzma5-32bit-5.0.3-0.12.7.1
o SUSE Linux Enterprise Point of Sale 11-SP3 (i586): liblzma5-5.0.3-0.12.7.1 xz-5.0.3-0.12.7.1 xz-lang-5.0.3-0.12.7.1
o SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64): xz-debuginfo-5.0.3-0.12.7.1 xz-debugsource-5.0.3-0.12.7.1
o SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64): xz-debuginfo-5.0.3-0.12.7.1 xz-debugsource-5.0.3-0.12.7.1

References:
o https://www.suse.com/security/cve/CVE-2022-1271.html
o https://bugzilla.suse.com/1198062

- --------------------------END INCLUDED TEXT--------------------
13 April 2022

ESB-2022.1589 - [SUSE] Linux Kernel: CVSS (Max): 8.4

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1589
Security update for the Linux Kernel
13 April 2022
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------
Product: Linux Kernel
Publisher: SUSE
Operating System: SUSE
Resolution: Patch/Upgrade
CVE Names: CVE-2022-28390 CVE-2022-28389 CVE-2022-28388 CVE-2022-27666 CVE-2022-27223 CVE-2022-23042 CVE-2022-23041 CVE-2022-23040 CVE-2022-23039 CVE-2022-23038 CVE-2022-23037 CVE-2022-23036 CVE-2022-1205 CVE-2022-1199 CVE-2022-1198 CVE-2022-1195 CVE-2022-1055 CVE-2022-1048 CVE-2022-1016 CVE-2022-1011 CVE-2022-0854 CVE-2022-0850 CVE-2021-45868 CVE-2021-45402 CVE-2021-39698
Original Bulletin: https://www.suse.com/support/update/announcement/2022/suse-su-20221163-1
Comment: CVSS (Max): 8.4 CVE-2022-1055 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: SUSE
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________
Announcement ID: SUSE-SU-2022:1163-1
Rating: important
References: #1065729 #1156395 #1175667 #1177028 #1178134 #1179639 #1180153 #1189562 #1194589 #1194625 #1194649 #1194943 #1195051 #1195353 #1195640 #1195926 #1196018 #1196130 #1196196 #1196478 #1196488 #1196761 #1196823 #1196956 #1197227 #1197243 #1197245 #1197300 #1197302 #1197331 #1197343 #1197366 #1197389 #1197460 #1197462 #1197501 #1197534 #1197661 #1197675 #1197677 #1197702 #1197811 #1197812 #1197815 #1197817 #1197819 #1197820 #1197888 #1197889 #1197894 #1198027 #1198028 #1198029 #1198030 #1198031 #1198032 #1198033 #1198077
Cross-References: CVE-2021-39698 CVE-2021-45402 CVE-2021-45868 CVE-2022-0850 CVE-2022-0854 CVE-2022-1011 CVE-2022-1016 CVE-2022-1048 CVE-2022-1055 CVE-2022-1195 CVE-2022-1198 CVE-2022-1199 CVE-2022-1205 CVE-2022-23036 CVE-2022-23037 CVE-2022-23038 CVE-2022-23039 CVE-2022-23040 CVE-2022-23041 CVE-2022-23042 CVE-2022-27223 CVE-2022-27666 CVE-2022-28388 CVE-2022-28389 CVE-2022-28390
Affected Products:
SUSE Linux Enterprise High Performance Computing 15-SP3
SUSE Linux Enterprise Module for Public Cloud 15-SP3
SUSE Linux Enterprise Server 15-SP3
SUSE Linux Enterprise Server for SAP Applications 15-SP3
SUSE Manager Proxy 4.2
SUSE Manager Server 4.2
openSUSE Leap 15.3
______________________________________________________________________________

An update that solves 25 vulnerabilities and has 33 fixes is now available.

Description:
The SUSE Linux Enterprise 15 SP3 kernel was updated to receive various security and bug fixes.

The following security bugs were fixed:
o CVE-2022-0854: Fixed a memory leak flaw in the Linux kernel's DMA subsystem. This flaw allowed a local user to read random memory from the kernel space. (bnc#1196823)
o CVE-2022-1016: Fixed a vulnerability in the nf_tables component of the netfilter subsystem. This vulnerability gives an attacker a powerful primitive that can be used to both read from and write to relative stack data, which can lead to arbitrary code execution. (bsc#1197227)
o CVE-2022-1199: Fixed null pointer dereference and use-after-free vulnerabilities that allowed an attacker to crash the Linux kernel by simulating Amateur Radio. (bsc#1198028)
o CVE-2022-1205: Fixed null pointer dereference and use-after-free vulnerabilities that allowed an attacker to crash the Linux kernel by simulating Amateur Radio. (bsc#1198027)
o CVE-2022-1198: Fixed a use-after-free vulnerability that allowed an attacker to crash the Linux kernel by simulating Amateur Radio. (bsc#1198030)
o CVE-2022-1195: Fixed a use-after-free vulnerability which could allow a local attacker with user privileges to cause a denial of service. (bsc#1198029)
o CVE-2022-28389: Fixed a double free vulnerability in drivers/net/can/usb/mcba_usb.c in the Linux kernel. (bnc#1198033)
o CVE-2022-28388: Fixed a double free vulnerability in drivers/net/can/usb/usb_8dev.c in the Linux kernel. (bnc#1198032)
o CVE-2022-28390: Fixed a double free vulnerability in drivers/net/can/usb/ems_usb.c in the Linux kernel. (bnc#1198031)
o CVE-2022-1048: Fixed a race condition in snd_pcm_hw_free leading to a use-after-free due to the AB/BA lock ordering of buffer_mutex and mmap_lock. (bsc#1197331)
o CVE-2022-1055: Fixed a use-after-free in tc_new_tfilter that could allow a local attacker to gain privilege escalation. (bnc#1197702)
o CVE-2022-0850: Fixed a kernel information leak vulnerability in iov_iter.c. (bsc#1196761)
o CVE-2022-27666: Fixed a buffer overflow vulnerability in the IPsec ESP transformation code. This flaw allowed a local attacker with normal user privileges to overwrite kernel heap objects and may cause a local privilege escalation. (bnc#1197462)
o CVE-2021-45868: Fixed a wrong validation check in fs/quota/quota_tree.c which could lead to a use-after-free if there is a corrupted quota file. (bnc#1197366)
o CVE-2022-1011: Fixed a use-after-free vulnerability which could allow a local attacker to retrieve (partial) /etc/shadow hashes or any other data from the filesystem when they can mount FUSE filesystems. (bnc#1197343)
o CVE-2022-27223: Fixed an out-of-array access in /usb/gadget/udc/udc-xilinx.c. (bsc#1197245)
o CVE-2021-39698: Fixed a possible memory corruption due to a use-after-free in aio_poll_complete_work. This could lead to local escalation of privilege with no additional execution privileges needed. (bsc#1196956)
o CVE-2021-45402: Fixed a pointer leak in check_alu_op() of kernel/bpf/verifier.c. (bsc#1196130)
- CVE-2022-23036,CVE-2022-23037,CVE-2022-23038,CVE-2022-23039,CVE-2022-23040, CVE-2022-23041,CVE-2022-23042: Fixed multiple issues which could have lead to read/write access to memory pages or denial of service. These issues are related to the Xen PV device frontend drivers. (bsc#1196488) The following non-security bugs were fixed: o ACPI / x86: Work around broken XSDT on Advantech DAC-BJ01 board (git-fixes). o ACPI: APEI: fix return value of __setup handlers (git-fixes). o ACPI: battery: Add device HID and quirk for Microsoft Surface Go 3 (git-fixes). o ACPI: CPPC: Avoid out of bounds access when parsing _CPC data (git-fixes). o ACPI: docs: enumeration: Discourage to use custom _DSM methods (git-fixes). o ACPI: docs: enumeration: Remove redundant .owner assignment (git-fixes). o ACPI: properties: Consistently return -ENOENT if there are no more references (git-fixes). o ACPI: video: Force backlight native for Clevo NL5xRU and NL5xNU (git-fixes). o ALSA: cmipci: Restore aux vol on suspend/resume (git-fixes). o ALSA: firewire-lib: fix uninitialized flag for AV/C deferred transaction (git-fixes). o ALSA: hda/realtek - Fix headset mic problem for a HP machine with alc671 (git-fixes). o ALSA: hda/realtek: Add quirk for ASUS GA402 (git-fixes). o ALSA: oss: Fix PCM OSS buffer allocation overflow (git-fixes). o ALSA: pci: fix reading of swapped values from pcmreg in AC97 codec (git-fixes). o ALSA: pcm: Add stream lock during PCM reset ioctl operations (git-fixes). o ALSA: spi: Add check for clk_enable() (git-fixes). o ALSA: usb-audio: Add mute TLV for playback volumes on RODE NT-USB (git-fixes). o ASoC: atmel_ssc_dai: Handle errors for clk_enable (git-fixes). o ASoC: atmel: Add missing of_node_put() in at91sam9g20ek_audio_probe (git-fixes). o ASoC: codecs: wcd934x: Add missing of_node_put() in wcd934x_codec_parse_data (git-fixes). o ASoC: codecs: wcd934x: fix return value of wcd934x_rx_hph_mode_put (git-fixes). 
o ASoC: dmaengine: do not use a NULL prepare_slave_config() callback (git-fixes).
o ASoC: dwc-i2s: Handle errors for clk_enable (git-fixes).
o ASoC: fsi: Add check for clk_enable (git-fixes).
o ASoC: fsl_spdif: Disable TX clock when stop (git-fixes).
o ASoC: imx-es8328: Fix error return code in imx_es8328_probe() (git-fixes).
o ASoC: msm8916-wcd-analog: Fix error handling in pm8916_wcd_analog_spmi_probe (git-fixes).
o ASoC: msm8916-wcd-digital: Fix missing clk_disable_unprepare() in msm8916_wcd_digital_probe (git-fixes).
o ASoC: mxs-saif: Handle errors for clk_enable (git-fixes).
o ASoC: mxs: Fix error handling in mxs_sgtl5000_probe (git-fixes).
o ASoC: rt5663: check the return value of devm_kzalloc() in rt5663_parse_dp() (git-fixes).
o ASoC: SOF: Add missing of_node_put() in imx8m_probe (git-fixes).
o ASoC: SOF: topology: remove redundant code (git-fixes).
o ASoC: sti: Fix deadlock via snd_pcm_stop_xrun() call (git-fixes).
o ASoC: ti: davinci-i2s: Add check for clk_enable() (git-fixes).
o ASoC: topology: Allow TLV control to be either read or write (git-fixes).
o ASoC: topology: Optimize soc_tplg_dapm_graph_elems_load behavior (git-fixes).
o ASoC: wm8350: Handle error for wm8350_register_irq (git-fixes).
o ASoC: xilinx: xlnx_formatter_pcm: Handle sysclk setting (git-fixes).
o ax25: Fix NULL pointer dereference in ax25_kill_by_device (git-fixes).
o ax88179_178a: Merge memcpy + le32_to_cpus to get_unaligned_le32 (bsc#1196018).
o block: update io_ticks when io hang (bsc#1197817).
o block/wbt: fix negative inflight counter when remove scsi device (bsc#1197819).
o bpf: Fix comment for helper bpf_current_task_under_cgroup() (git-fixes).
o bpf: Remove config check to enable bpf support for branch records (git-fixes bsc#1177028).
o btrfs: avoid unnecessary lock and leaf splits when updating inode in the log (bsc#1194649).
o btrfs: avoid unnecessary log mutex contention when syncing log (bsc#1194649).
o btrfs: avoid unnecessary logging of xattrs during fast fsyncs (bsc#1194649).
o btrfs: check error value from btrfs_update_inode in tree log (bsc#1194649).
o btrfs: check if a log root exists before locking the log_mutex on unlink (bsc#1194649).
o btrfs: check if a log tree exists at inode_logged() (bsc#1194649).
o btrfs: do not commit delayed inode when logging a file in full sync mode (bsc#1194649).
o btrfs: do not log new dentries when logging that a new name exists (bsc#1194649).
o btrfs: eliminate some false positives when checking if inode was logged (bsc#1194649).
o btrfs: fix race leading to unnecessary transaction commit when logging inode (bsc#1194649).
o btrfs: fix race that causes unnecessary logging of ancestor inodes (bsc#1194649).
o btrfs: fix race that makes inode logging fallback to transaction commit (bsc#1194649).
o btrfs: fix race that results in logging old extents during a fast fsync (bsc#1194649).
o btrfs: fixup error handling in fixup_inode_link_counts (bsc#1194649).
o btrfs: remove no longer needed full sync flag check at inode_logged() (bsc#1194649).
o btrfs: Remove unnecessary check from join_running_log_trans (bsc#1194649).
o btrfs: remove unnecessary directory inode item update when deleting dir entry (bsc#1194649).
o btrfs: remove unnecessary list head initialization when syncing log (bsc#1194649).
o btrfs: skip unnecessary searches for xattrs when logging an inode (bsc#1194649).
o can: ems_usb: ems_usb_start_xmit(): fix double dev_kfree_skb() in error path (git-fixes).
o can: mcba_usb: mcba_usb_start_xmit(): fix double dev_kfree_skb in error path (git-fixes).
o can: mcba_usb: properly check endpoint type (git-fixes).
o can: rcar_canfd: rcar_canfd_channel_probe(): register the CAN device when fully ready (git-fixes).
o cifs: do not skip link targets when an I/O fails (bsc#1194625).
o cifs: use the correct max-length for dentry_path_raw() (bsc#1196196).
o clk: actions: Terminate clk_div_table with sentinel element (git-fixes).
o clk: bcm2835: Remove unused variable (git-fixes).
o clk: clps711x: Terminate clk_div_table with sentinel element (git-fixes).
o clk: imx7d: Remove audio_mclk_root_clk (git-fixes).
o clk: Initialize orphan req_rate (git-fixes).
o clk: loongson1: Terminate clk_div_table with sentinel element (git-fixes).
o clk: nxp: Remove unused variable (git-fixes).
o clk: qcom: gcc-msm8994: Fix gpll4 width (git-fixes).
o clk: qcom: ipq8074: Use floor ops for SDCC1 clock (git-fixes).
o clk: tegra: tegra124-emc: Fix missing put_device() call in emc_ensure_emc_driver (git-fixes).
o clk: uniphier: Fix fixed-rate initialization (git-fixes).
o clocksource: acpi_pm: fix return value of __setup handler (git-fixes).
o clocksource/drivers/timer-of: Check return value of of_iomap in timer_of_base_init() (git-fixes).
o cpufreq: schedutil: Destroy mutex before kobject_put() frees (git-fixes)
o crypto: authenc - Fix sleep in atomic context in decrypt_tail (git-fixes).
o crypto: cavium/nitrox - do not cast parameter in bit operations (git-fixes).
o crypto: ccp - ccp_dmaengine_unregister release dma channels (git-fixes).
o crypto: ccree - do not attempt 0 len DMA mappings (git-fixes).
o crypto: mxs-dcp - Fix scatterlist processing (git-fixes).
o crypto: qat - do not cast parameter in bit operations (git-fixes).
o crypto: rsa-pkcs1pad - correctly get hash from source scatterlist (git-fixes).
o crypto: rsa-pkcs1pad - fix buffer overread in pkcs1pad_verify_complete() (git-fixes).
o crypto: rsa-pkcs1pad - restore signature length check (git-fixes).
o crypto: vmx - add missing dependencies (git-fixes).
o dma/pool: create dma atomic pool only if dma zone has managed pages (bsc#1197501).
o driver core: dd: fix return value of __setup handler (git-fixes).
o drm: bridge: adv7511: Fix ADV7535 HPD enablement (git-fixes).
o drm/amd/display: Add affected crtcs to atomic state for dsc mst unplug (git-fixes).
o drm/amd/pm: return -ENOTSUPP if there is no get_dpm_ultimate_freq function (git-fixes).
o drm/bridge: dw-hdmi: use safe format when first in bridge chain (git-fixes).
o drm/bridge: nwl-dsi: Fix PM disable depth imbalance in nwl_dsi_probe (git-fixes).
o drm/doc: overview before functions for drm_writeback.c (git-fixes).
o drm/i915: Fix dbuf slice config lookup (git-fixes).
o drm/i915/gem: add missing boundary check in vm_access (git-fixes).
o drm/imx: parallel-display: Remove bus flags check in imx_pd_bridge_atomic_check() (git-fixes).
o drm/meson: Fix error handling when afbcd.ops->init fails (git-fixes).
o drm/meson: osd_afbcd: Add an exit callback to struct meson_afbcd_ops (git-fixes).
o drm/msm/dpu: add DSPP blocks teardown (git-fixes).
o drm/nouveau/acr: Fix undefined behavior in nvkm_acr_hsfw_load_bl() (git-fixes).
o drm/panel: simple: Fix Innolux G070Y2-L01 BPP settings (git-fixes).
o drm/sun4i: mixer: Fix P010 and P210 format numbers (git-fixes).
o drm/vc4: crtc: Fix runtime_pm reference counting (git-fixes).
o drm/vc4: crtc: Make sure the HDMI controller is powered when disabling (git-fixes).
o drm/vrr: Set VRR capable prop only if it is attached to connector (git-fixes).
o Drop HID multitouch fix patch (bsc#1197243),
o ecryptfs: fix kernel panic with null dev_name (bsc#1197812).
o ecryptfs: Fix typo in message (bsc#1197811).
o EDAC: Fix calculation of returned address and next offset in edac_align_ptr() (bsc#1178134).
o ext2: correct max file size computing (bsc#1197820).
o firmware: google: Properly state IOMEM dependency (git-fixes).
o firmware: qcom: scm: Remove reassignment to desc following initializer (git-fixes).
o fscrypt: do not ignore minor_hash when hash is 0 (bsc#1197815).
o gianfar: ethtool: Fix refcount leak in gfar_get_ts_info (git-fixes).
o gpio: ts4900: Do not set DAT and OE together (git-fixes).
o gpiolib: acpi: Convert ACPI value of debounce to microseconds (git-fixes).
o HID: multitouch: fix Dell Precision 7550 and 7750 button type (bsc#1197243).
o hwmon: (pmbus) Add mutex to regulator ops (git-fixes).
o hwmon: (pmbus) Add Vin unit off handling (git-fixes).
o hwmon: (sch56xx-common) Replace WDOG_ACTIVE with WDOG_HW_RUNNING (git-fixes).
o hwrng: atmel - disable trng on failure path (git-fixes).
o i915_vma: Rename vma_lookup to i915_vma_lookup (git-fixes).
o ibmvnic: fix race between xmit and reset (bsc#1197302 ltc#197259).
o iio: accel: mma8452: use the correct logic to get mma8452_data (git-fixes).
o iio: adc: Add check for devm_request_threaded_irq (git-fixes).
o iio: afe: rescale: use s64 for temporary scale calculations (git-fixes).
o iio: inkern: apply consumer scale on IIO_VAL_INT cases (git-fixes).
o iio: inkern: apply consumer scale when no channel scale is available (git-fixes).
o iio: inkern: make a best effort on offset calculation (git-fixes).
o Input: aiptek - properly check endpoint type (git-fixes).
o iwlwifi: do not advertise TWT support (git-fixes).
o kernel-binary.spec: Do not use the default certificate path (bsc#1194943).
o KVM: SVM: Do not flush cache if hardware enforces cache coherency across encryption domains (bsc#1178134).
o llc: fix netdevice reference leaks in llc_ui_bind() (git-fixes).
o mac80211: fix potential double free on mesh join (git-fixes).
o mac80211: refuse aggregations sessions before authorized (git-fixes).
o media: aspeed: Correct value for h-total-pixels (git-fixes).
o media: bttv: fix WARNING regression on tunerless devices (git-fixes).
o media: coda: Fix missing put_device() call in coda_get_vdoa_data (git-fixes).
o media: davinci: vpif: fix unbalanced runtime PM get (git-fixes).
o media: em28xx: initialize refcount before kref_get (git-fixes).
o media: hantro: Fix overfill bottom register field name (git-fixes).
o media: Revert "media: em28xx: add missing em28xx_close_extension" (git-fixes).
o media: stk1160: If start stream fails, return buffers with VB2_BUF_STATE_QUEUED (git-fixes).
o media: usb: go7007: s2250-board: fix leak in probe() (git-fixes).
o media: video/hdmi: handle short reads of hdmi info frame (git-fixes).
o membarrier: Execute SYNC_CORE on the calling thread (git-fixes)
o membarrier: Explicitly sync remote cores when SYNC_CORE is (git-fixes)
o memory: emif: Add check for setup_interrupts (git-fixes).
o memory: emif: check the pointer temp in get_device_details() (git-fixes).
o misc: alcor_pci: Fix an error handling path (git-fixes).
o misc: sgi-gru: Do not cast parameter in bit operations (git-fixes).
o mm_zone: add function to check if managed dma zone exists (bsc#1197501).
o mm/page_alloc.c: do not warn allocation failure on zone DMA if no managed pages (bsc#1197501).
o mmc: davinci_mmc: Handle error for clk_enable (git-fixes).
o mmc: meson: Fix usage of meson_mmc_post_req() (git-fixes).
o net: dsa: mv88e6xxx: override existent unicast portvec in port_fdb_add (git-fixes).
o net: enetc: initialize the RFS and RSS memories (git-fixes).
o net: hns3: add a check for tqp_index in hclge_get_ring_chain_from_mbx() (git-fixes).
o net: phy: broadcom: Fix brcm_fet_config_init() (git-fixes).
o net: phy: DP83822: clear MISR2 register to disable interrupts (git-fixes).
o net: phy: marvell: Fix invalid comparison in the resume and suspend functions (git-fixes).
o net: stmmac: set TxQ mode back to DCB after disabling CBS (git-fixes).
o net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup (bsc#1196018).
o net: watchdog: hold device global xmit lock during tx disable (git-fixes).
o net/smc: Fix loop in smc_listen (git-fixes).
o net/smc: fix using of uninitialized completions (git-fixes).
o net/smc: fix wrong list_del in smc_lgr_cleanup_early (git-fixes).
o net/smc: Make sure the link_id is unique (git-fixes).
o net/smc: Reset conn->lgr when link group registration fails (git-fixes).
o netfilter: conntrack: do not refresh sctp entries in closed state (bsc#1197389).
o netxen_nic: fix MSI/MSI-x interrupts (git-fixes).
o NFC: port100: fix use-after-free in port100_send_complete (git-fixes).
o NFS: Avoid duplicate uncached readdir calls on eof (git-fixes).
o NFS: Do not report writeback errors in nfs_getattr() (git-fixes).
o NFS: Do not skip directory entries when doing uncached readdir (git-fixes).
o NFS: Ensure the server had an up to date ctime before hardlinking (git-fixes).
o NFS: Fix initialisation of nfs_client cl_flags field (git-fixes).
o NFS: LOOKUP_DIRECTORY is also ok with symlinks (git-fixes).
o NFS: Return valid errors from nfs2/3_decode_dirent() (git-fixes).
o NFS: Use of mapping_set_error() results in spurious errors (git-fixes).
o nfsd: nfsd4_setclientid_confirm mistakenly expires confirmed client (git-fixes).
o NFSv4.1: do not retry BIND_CONN_TO_SESSION on session error (git-fixes).
o NFSv4/pNFS: Fix another issue with a list iterator pointing to the head (git-fixes).
o pinctrl: mediatek: Fix missing of_node_put() in mtk_pctrl_init (git-fixes).
o pinctrl: mediatek: paris: Fix "argument" argument type for mtk_pinconf_get() (git-fixes).
o pinctrl: mediatek: paris: Fix pingroup pin config state readback (git-fixes).
o pinctrl: nomadik: Add missing of_node_put() in nmk_pinctrl_probe (git-fixes).
o pinctrl: nuvoton: npcm7xx: Rename DS() macro to DSTR() (git-fixes).
o pinctrl: nuvoton: npcm7xx: Use %zu printk format for ARRAY_SIZE() (git-fixes).
o pinctrl: pinconf-generic: Print arguments for bias-pull-* (git-fixes).
o pinctrl: samsung: drop pin banks references on error paths (git-fixes).
o pinctrl/rockchip: Add missing of_node_put() in rockchip_pinctrl_probe (git-fixes).
o PM: hibernate: fix __setup handler error handling (git-fixes).
o PM: suspend: fix return value of __setup handler (git-fixes).
o powerpc/lib/sstep: Fix 'sthcx' instruction (bsc#1156395).
o powerpc/mm: Fix verification of MMU_FTR_TYPE_44x (bsc#1156395).
o powerpc/mm/numa: skip NUMA_NO_NODE onlining in parse_numa_properties() (bsc#1179639 ltc#189002 git-fixes).
o powerpc/perf: Do not use perf_hw_context for trace IMC PMU (bsc#1156395).
o powerpc/perf: Expose Performance Monitor Counter SPR's as part of extended regs (bsc#1198077 ltc#197299).
o powerpc/perf: Include PMCs as part of per-cpu cpuhw_events struct (bsc#1198077 ltc#197299).
o powerpc/pseries: Fix use after free in remove_phb_dynamic() (bsc#1065729).
o powerpc/sysdev: fix incorrect use to determine if list is empty (bsc#1065729).
o powerpc/tm: Fix more userspace r13 corruption (bsc#1065729).
o powerpc/xive: fix return value of __setup handler (bsc#1065729).
o printk: Add panic_in_progress helper (bsc#1197894).
o printk: disable optimistic spin during panic (bsc#1197894).
o pwm: lpc18xx-sct: Initialize driver data and hardware before pwmchip_add() (git-fixes).
o regulator: qcom_smd: fix for_each_child.cocci warnings (git-fixes).
o remoteproc: qcom_wcnss: Add missing of_node_put() in wcnss_alloc_memory_region (git-fixes).
o remoteproc: qcom: Fix missing of_node_put in adsp_alloc_memory_region (git-fixes).
o Revert "build initrd without systemd" (bsc#1197300).
o Revert "Input: clear BTN_RIGHT/MIDDLE on buttonpads" (bsc#1197243).
o Revert "module, async: async_synchronize_full() on module init iff async is used" (bsc#1197888).
o Revert "Revert "build initrd without systemd" (bsc#1197300)"
o Revert "usb: dwc3: gadget: Use list_replace_init() before traversing lists" (git-fixes).
o s390/bpf: Perform r1 range checking before accessing jit->seen_reg (git-fixes).
o s390/gmap: do not unconditionally call pte_unmap_unlock() in __gmap_zap() (git-fixes).
o s390/gmap: validate VMA in __gmap_zap() (git-fixes).
o s390/hypfs: include z/VM guests with access control group set (bsc#1195640 LTC#196352).
o s390/kexec_file: fix error handling when applying relocations (git-fixes).
o s390/kexec: fix memory leak of ipl report buffer (git-fixes).
o s390/kexec: fix return code handling (git-fixes).
o s390/mm: fix VMA and page table handling code in storage key handling functions (git-fixes).
o s390/mm: validate VMA in PGSTE manipulation functions (git-fixes).
o s390/module: fix loading modules with a lot of relocations (git-fixes).
o s390/pci_mmio: fully validate the VMA before calling follow_pte() (git-fixes).
o s390/tape: fix timer initialization in tape_std_assign() (bsc#1197677 LTC#197378).
o scsi: lpfc: Copyright updates for 14.2.0.0 patches (bsc#1197675).
o scsi: lpfc: Drop lpfc_no_handler() (bsc#1197675).
o scsi: lpfc: Fix broken SLI4 abort path (bsc#1197675).
o scsi: lpfc: Fix locking for lpfc_sli_iocbq_lookup() (bsc#1197675).
o scsi: lpfc: Fix queue failures when recovering from PCI parity error (bsc#1197675 bsc#1196478).
o scsi: lpfc: Fix typos in comments (bsc#1197675).
o scsi: lpfc: Fix unload hang after back to back PCI EEH faults (bsc#1197675 bsc#1196478).
o scsi: lpfc: Improve PCI EEH Error and Recovery Handling (bsc#1197675 bsc#1196478).
o scsi: lpfc: Kill lpfc_bus_reset_handler() (bsc#1197675).
o scsi: lpfc: Reduce log messages seen after firmware download (bsc#1197675).
o scsi: lpfc: Remove failing soft_wwn support (bsc#1197675).
o scsi: lpfc: Remove NVMe support if kernel has NVME_FC disabled (bsc#1197675).
o scsi: lpfc: Remove redundant flush_workqueue() call (bsc#1197675).
o scsi: lpfc: SLI path split: Introduce lpfc_prep_wqe (bsc#1197675).
o scsi: lpfc: SLI path split: Refactor Abort paths (bsc#1197675).
o scsi: lpfc: SLI path split: Refactor base ELS paths and the FLOGI path (bsc#1197675).
o scsi: lpfc: SLI path split: Refactor BSG paths (bsc#1197675).
o scsi: lpfc: SLI path split: Refactor CT paths (bsc#1197675).
o scsi: lpfc: SLI path split: Refactor fast and slow paths to native SLI4 (bsc#1197675).
o scsi: lpfc: SLI path split: Refactor FDISC paths (bsc#1197675).
o scsi: lpfc: SLI path split: Refactor lpfc_iocbq (bsc#1197675).
o scsi: lpfc: SLI path split: Refactor LS_ACC paths (bsc#1197675).
o scsi: lpfc: SLI path split: Refactor LS_RJT paths (bsc#1197675).
o scsi: lpfc: SLI path split: Refactor misc ELS paths (bsc#1197675).
o scsi: lpfc: SLI path split: Refactor PLOGI/PRLI/ADISC/LOGO paths (bsc#1197675).
o scsi: lpfc: SLI path split: Refactor SCSI paths (bsc#1197675).
o scsi: lpfc: SLI path split: Refactor the RSCN/SCR/RDF/EDC/FARPR paths (bsc#1197675).
o scsi: lpfc: SLI path split: Refactor VMID paths (bsc#1197675).
o scsi: lpfc: Update lpfc version to 14.2.0.0 (bsc#1197675).
o scsi: lpfc: Update lpfc version to 14.2.0.1 (bsc#1197675).
o scsi: lpfc: Use fc_block_rport() (bsc#1197675).
o scsi: lpfc: Use kcalloc() (bsc#1197675).
o scsi: lpfc: Use rport as argument for lpfc_chk_tgt_mapped() (bsc#1197675).
o scsi: lpfc: Use rport as argument for lpfc_send_taskmgmt() (bsc#1197675).
o scsi: qla2xxx: Fix crash during module load unload test (bsc#1197661).
o scsi: qla2xxx: Fix disk failure to rediscover (bsc#1197661).
o scsi: qla2xxx: Fix hang due to session stuck (bsc#1197661).
o scsi: qla2xxx: Fix incorrect reporting of task management failure (bsc#1197661).
o scsi: qla2xxx: Fix laggy FC remote port session recovery (bsc#1197661).
o scsi: qla2xxx: Fix loss of NVMe namespaces after driver reload test (bsc#1197661).
o scsi: qla2xxx: Fix missed DMA unmap for NVMe ls requests (bsc#1197661).
o scsi: qla2xxx: Fix N2N inconsistent PLOGI (bsc#1197661).
o scsi: qla2xxx: Fix stuck session of PRLI reject (bsc#1197661).
o scsi: qla2xxx: Fix typos in comments (bsc#1197661).
o scsi: qla2xxx: Increase max limit of ql2xnvme_queues (bsc#1197661).
o scsi: qla2xxx: Reduce false trigger to login (bsc#1197661).
o scsi: qla2xxx: Stop using the SCSI pointer (bsc#1197661).
o scsi: qla2xxx: Update version to 10.02.07.400-k (bsc#1197661).
o scsi: qla2xxx: Use correct feature type field during RFF_ID processing (bsc#1197661).
o scsi: qla2xxx: Use named initializers for port_state_str (bsc#1197661).
o scsi: qla2xxx: Use named initializers for q_dev_state (bsc#1197661).
o serial: 8250_lpss: Balance reference count for PCI DMA device (git-fixes).
o serial: 8250_mid: Balance reference count for PCI DMA device (git-fixes).
o serial: 8250: Fix race condition in RTS-after-send handling (git-fixes).
o serial: core: Fix the definition name in the comment of UPF_* flags (git-fixes).
o soc: qcom: aoss: remove spurious IRQF_ONESHOT flags (git-fixes).
o soc: qcom: rpmpd: Check for null return of devm_kcalloc (git-fixes).
o soc: ti: wkup_m3_ipc: Fix IRQ check in wkup_m3_ipc_probe (git-fixes).
o soundwire: intel: fix wrong register name in intel_shim_wake (git-fixes).
o spi: pxa2xx-pci: Balance reference count for PCI DMA device (git-fixes).
o spi: tegra114: Add missing IRQ check in tegra_spi_probe (git-fixes).
o staging: gdm724x: fix use after free in gdm_lte_rx() (git-fixes).
o staging:iio:adc:ad7280a: Fix handing of device address bit reversing (git-fixes).
o tcp: add some entropy in __inet_hash_connect() (bsc#1180153).
o tcp: change source port randomizarion at connect() time (bsc#1180153).
o team: protect features update by RCU to avoid deadlock (git-fixes).
o thermal: int340x: Check for NULL after calling kmemdup() (git-fixes).
o thermal: int340x: Increase bitmap size (git-fixes).
o udp_tunnel: Fix end of loop test in udp_tunnel_nic_unregister() (git-fixes).
o Update config files (bsc#1195926 bsc#1175667). VIRTIO_PCI=m -> VIRTIO_PCI=y
o usb: bdc: Adb shows offline after resuming from S2 (git-fixes).
o usb: bdc: Fix a resource leak in the error handling path of 'bdc_probe()' (git-fixes).
o usb: bdc: Fix unused assignment in bdc_probe() (git-fixes).
o usb: bdc: remove duplicated error message (git-fixes).
o usb: bdc: Use devm_clk_get_optional() (git-fixes).
o usb: bdc: use devm_platform_ioremap_resource() to simplify code (git-fixes).
o usb: dwc2: Fix Stalling a Non-Isochronous OUT EP (git-fixes).
o usb: dwc2: gadget: Fix GOUTNAK flow for Slave mode (git-fixes).
o usb: dwc2: gadget: Fix kill_all_requests race (git-fixes).
o usb: dwc3: gadget: Use list_replace_init() before traversing lists (git-fixes).
o usb: dwc3: meson-g12a: Disable the regulator in the error handling path of the probe (git-fixes).
o usb: dwc3: qcom: add IRQ check (git-fixes).
o usb: gadget: bdc: use readl_poll_timeout() to simplify code (git-fixes).
o usb: gadget: Fix use-after-free bug by not setting udc->dev.driver (git-fixes).
o usb: gadget: rndis: prevent integer overflow in rndis_set_response() (git-fixes).
o usb: host: xen-hcd: add missing unlock in error path (git-fixes).
o usb: hub: Fix locking issues with address0_mutex (git-fixes).
o usb: usbtmc: Fix bug in pipe direction for control transfers (git-fixes).
o VFS: filename_create(): fix incorrect intent (bsc#1197534).
o video: fbdev: atmel_lcdfb: fix an error code in atmel_lcdfb_probe() (git-fixes).
o video: fbdev: controlfb: Fix COMPILE_TEST build (git-fixes).
o video: fbdev: fbcvt.c: fix printing in fb_cvt_print_name() (git-fixes).
o video: fbdev: matroxfb: set maxvram of vbG200eW to the same as vbG200 to avoid black screen (git-fixes).
o video: fbdev: matroxfb: set maxvram of vbG200eW to the same as vbG200 to avoid black screen (git-fixes).
o video: fbdev: omapfb: Add missing of_node_put() in dvic_probe_of (git-fixes).
o video: fbdev: smscufx: Fix null-ptr-deref in ufx_usb_probe() (git-fixes).
o VMCI: Fix the description of vmci_check_host_caps() (git-fixes).
o vsprintf: Fix %pK with kptr_restrict == 0 (bsc#1197889).
o wireguard: queueing: use CFI-safe ptr_ring cleanup function (git-fixes).
o wireguard: selftests: rename DEBUG_PI_LIST to DEBUG_PLIST (git-fixes).
o wireguard: socket: free skb in send6 when ipv6 is disabled (git-fixes).
o wireguard: socket: ignore v6 endpoints when ipv6 is disabled (git-fixes).
o x86/cpu: Add hardware-enforced cache coherency as a CPUID feature (bsc#1178134).
o x86/mm/pat: Do not flush cache if hardware enforces cache coherency across encryption domnains (bsc#1178134).
o x86/speculation: Warn about eIBRS + LFENCE + Unprivileged eBPF + SMT (bsc#1178134).
o x86/speculation: Warn about Spectre v2 LFENCE mitigation (bsc#1178134).
o xen/usb: do not use gnttab_end_foreign_access() in xenhcd_gnttab_done() (bsc#1196488, XSA-396).
o xhci: fix garbage USBSTS being logged in some cases (git-fixes).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

o openSUSE Leap 15.3:
  zypper in -t patch openSUSE-SLE-15.3-2022-1163=1
o SUSE Linux Enterprise Module for Public Cloud 15-SP3:
  zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP3-2022-1163=1

Package List:

o openSUSE Leap 15.3 (noarch):
  kernel-devel-azure-5.3.18-150300.38.53.1
  kernel-source-azure-5.3.18-150300.38.53.1
o openSUSE Leap 15.3 (x86_64):
  cluster-md-kmp-azure-5.3.18-150300.38.53.1
  cluster-md-kmp-azure-debuginfo-5.3.18-150300.38.53.1
  dlm-kmp-azure-5.3.18-150300.38.53.1
  dlm-kmp-azure-debuginfo-5.3.18-150300.38.53.1
  gfs2-kmp-azure-5.3.18-150300.38.53.1
  gfs2-kmp-azure-debuginfo-5.3.18-150300.38.53.1
  kernel-azure-5.3.18-150300.38.53.1
  kernel-azure-debuginfo-5.3.18-150300.38.53.1
  kernel-azure-debugsource-5.3.18-150300.38.53.1
  kernel-azure-devel-5.3.18-150300.38.53.1
  kernel-azure-devel-debuginfo-5.3.18-150300.38.53.1
  kernel-azure-extra-5.3.18-150300.38.53.1
  kernel-azure-extra-debuginfo-5.3.18-150300.38.53.1
  kernel-azure-livepatch-devel-5.3.18-150300.38.53.1
  kernel-azure-optional-5.3.18-150300.38.53.1
  kernel-azure-optional-debuginfo-5.3.18-150300.38.53.1
  kernel-syms-azure-5.3.18-150300.38.53.1
  kselftests-kmp-azure-5.3.18-150300.38.53.1
  kselftests-kmp-azure-debuginfo-5.3.18-150300.38.53.1
  ocfs2-kmp-azure-5.3.18-150300.38.53.1
  ocfs2-kmp-azure-debuginfo-5.3.18-150300.38.53.1
  reiserfs-kmp-azure-5.3.18-150300.38.53.1
  reiserfs-kmp-azure-debuginfo-5.3.18-150300.38.53.1
o SUSE Linux Enterprise Module for Public Cloud 15-SP3 (noarch):
  kernel-devel-azure-5.3.18-150300.38.53.1
  kernel-source-azure-5.3.18-150300.38.53.1
o SUSE Linux Enterprise Module for Public Cloud 15-SP3 (x86_64):
  kernel-azure-5.3.18-150300.38.53.1
  kernel-azure-debuginfo-5.3.18-150300.38.53.1
  kernel-azure-debugsource-5.3.18-150300.38.53.1
  kernel-azure-devel-5.3.18-150300.38.53.1
  kernel-azure-devel-debuginfo-5.3.18-150300.38.53.1
  kernel-syms-azure-5.3.18-150300.38.53.1

References:

o https://www.suse.com/security/cve/CVE-2021-39698.html
o https://www.suse.com/security/cve/CVE-2021-45402.html
o https://www.suse.com/security/cve/CVE-2021-45868.html
o https://www.suse.com/security/cve/CVE-2022-0850.html
o https://www.suse.com/security/cve/CVE-2022-0854.html
o https://www.suse.com/security/cve/CVE-2022-1011.html
o https://www.suse.com/security/cve/CVE-2022-1016.html
o https://www.suse.com/security/cve/CVE-2022-1048.html
o https://www.suse.com/security/cve/CVE-2022-1055.html
o https://www.suse.com/security/cve/CVE-2022-1195.html
o https://www.suse.com/security/cve/CVE-2022-1198.html
o https://www.suse.com/security/cve/CVE-2022-1199.html
o https://www.suse.com/security/cve/CVE-2022-1205.html
o https://www.suse.com/security/cve/CVE-2022-23036.html
o https://www.suse.com/security/cve/CVE-2022-23037.html
o https://www.suse.com/security/cve/CVE-2022-23038.html
o https://www.suse.com/security/cve/CVE-2022-23039.html
o https://www.suse.com/security/cve/CVE-2022-23040.html
o https://www.suse.com/security/cve/CVE-2022-23041.html
o https://www.suse.com/security/cve/CVE-2022-23042.html
o https://www.suse.com/security/cve/CVE-2022-27223.html
o https://www.suse.com/security/cve/CVE-2022-27666.html
o https://www.suse.com/security/cve/CVE-2022-28388.html
o https://www.suse.com/security/cve/CVE-2022-28389.html
o https://www.suse.com/security/cve/CVE-2022-28390.html
o https://bugzilla.suse.com/1065729
o https://bugzilla.suse.com/1156395
o https://bugzilla.suse.com/1175667
o https://bugzilla.suse.com/1177028
o https://bugzilla.suse.com/1178134
o https://bugzilla.suse.com/1179639
o https://bugzilla.suse.com/1180153
o https://bugzilla.suse.com/1189562
o https://bugzilla.suse.com/1194589
o https://bugzilla.suse.com/1194625
o https://bugzilla.suse.com/1194649
o https://bugzilla.suse.com/1194943
o https://bugzilla.suse.com/1195051
o https://bugzilla.suse.com/1195353
o https://bugzilla.suse.com/1195640
o https://bugzilla.suse.com/1195926
o https://bugzilla.suse.com/1196018
o https://bugzilla.suse.com/1196130
o https://bugzilla.suse.com/1196196
o https://bugzilla.suse.com/1196478
o https://bugzilla.suse.com/1196488
o https://bugzilla.suse.com/1196761
o https://bugzilla.suse.com/1196823
o https://bugzilla.suse.com/1196956
o https://bugzilla.suse.com/1197227
o https://bugzilla.suse.com/1197243
o https://bugzilla.suse.com/1197245
o https://bugzilla.suse.com/1197300
o https://bugzilla.suse.com/1197302
o https://bugzilla.suse.com/1197331
o https://bugzilla.suse.com/1197343
o https://bugzilla.suse.com/1197366
o https://bugzilla.suse.com/1197389
o https://bugzilla.suse.com/1197460
o https://bugzilla.suse.com/1197462
o https://bugzilla.suse.com/1197501
o https://bugzilla.suse.com/1197534
o https://bugzilla.suse.com/1197661
o https://bugzilla.suse.com/1197675
o https://bugzilla.suse.com/1197677
o https://bugzilla.suse.com/1197702
o https://bugzilla.suse.com/1197811
o https://bugzilla.suse.com/1197812
o https://bugzilla.suse.com/1197815
o https://bugzilla.suse.com/1197817
o https://bugzilla.suse.com/1197819
o https://bugzilla.suse.com/1197820
o https://bugzilla.suse.com/1197888
o https://bugzilla.suse.com/1197889
o https://bugzilla.suse.com/1197894
o https://bugzilla.suse.com/1198027
o https://bugzilla.suse.com/1198028
o https://bugzilla.suse.com/1198029
o https://bugzilla.suse.com/1198030
o https://bugzilla.suse.com/1198031
o https://bugzilla.suse.com/1198032
o https://bugzilla.suse.com/1198033
o https://bugzilla.suse.com/1198077

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only.
===========================================================================
13 April 2022

ESB-2022.1588 - [SUSE] subversion: CVSS (Max): 7.5

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1588
                      Security update for subversion
                               13 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           subversion
Publisher:         SUSE
Operating System:  SUSE
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-24070 CVE-2021-28544

Original Bulletin:
   https://www.suse.com/support/update/announcement/2022/suse-su-20221161-1

Comment: CVSS (Max):  7.5 CVE-2022-24070 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: SUSE
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

   SUSE Security Update: Security update for subversion
______________________________________________________________________________

Announcement ID:   SUSE-SU-2022:1161-1
Rating:            important
References:        #1197939 #1197940
Cross-References:  CVE-2021-28544 CVE-2022-24070
Affected Products:
                   SUSE CaaS Platform 4.0
                   SUSE Enterprise Storage 6
                   SUSE Enterprise Storage 7
                   SUSE Linux Enterprise High Performance Computing 15-ESPOS
                   SUSE Linux Enterprise High Performance Computing 15-LTSS
                   SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
                   SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
                   SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS
                   SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS
                   SUSE Linux Enterprise Realtime Extension 15-SP2
                   SUSE Linux Enterprise Server 15-LTSS
                   SUSE Linux Enterprise Server 15-SP1-BCL
                   SUSE Linux Enterprise Server 15-SP1-LTSS
                   SUSE Linux Enterprise Server 15-SP2-BCL
                   SUSE Linux Enterprise Server 15-SP2-LTSS
                   SUSE Linux Enterprise Server for SAP 15
                   SUSE Linux Enterprise Server for SAP 15-SP1
                   SUSE Linux Enterprise Server for SAP 15-SP2
                   SUSE Manager Proxy 4.1
                   SUSE Manager Retail Branch Server 4.1
                   SUSE Manager Server 4.1
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for subversion fixes the following issues:

o CVE-2022-24070: Fixed a memory corruption issue in mod_dav_svn as used by
  Apache HTTP server. This could be exploited by a remote attacker to cause a
  denial of service (bsc#1197940).
o CVE-2021-28544: Fixed an information leak issue where Subversion servers may
  reveal the original path of files protected by path-based authorization
  (bsc#1197939).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

o SUSE Manager Server 4.1:
    zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.1-2022-1161=1
o SUSE Manager Retail Branch Server 4.1:
    zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.1-2022-1161=1
o SUSE Manager Proxy 4.1:
    zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.1-2022-1161=1
o SUSE Linux Enterprise Server for SAP 15-SP2:
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2022-1161=1
o SUSE Linux Enterprise Server for SAP 15-SP1:
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2022-1161=1
o SUSE Linux Enterprise Server for SAP 15:
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2022-1161=1
o SUSE Linux Enterprise Server 15-SP2-LTSS:
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2022-1161=1
o SUSE Linux Enterprise Server 15-SP2-BCL:
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-BCL-2022-1161=1
o SUSE Linux Enterprise Server 15-SP1-LTSS:
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2022-1161=1
o SUSE Linux Enterprise Server 15-SP1-BCL:
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2022-1161=1
o SUSE Linux Enterprise Server 15-LTSS:
    zypper in -t patch SUSE-SLE-Product-SLES-15-2022-1161=1
o SUSE Linux Enterprise Realtime Extension 15-SP2:
    zypper in -t patch SUSE-SLE-Product-RT-15-SP2-2022-1161=1
o SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS:
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2022-1161=1
o SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS:
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-ESPOS-2022-1161=1
o SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2022-1161=1
o SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2022-1161=1
o SUSE Linux Enterprise High Performance Computing 15-LTSS:
    zypper in -t patch SUSE-SLE-Product-HPC-15-2022-1161=1
o SUSE Linux Enterprise High Performance Computing 15-ESPOS:
    zypper in -t patch SUSE-SLE-Product-HPC-15-2022-1161=1
o SUSE Enterprise Storage 7:
    zypper in -t patch SUSE-Storage-7-2022-1161=1
o SUSE Enterprise Storage 6:
    zypper in -t patch SUSE-Storage-6-2022-1161=1
o SUSE CaaS Platform 4.0:
    To install this update, use the SUSE CaaS Platform 'skuba' tool. It will
    inform you if it detects new updates and let you then trigger updating of
    the complete cluster in a controlled way.

Package List:

o SUSE Manager Server 4.1 (ppc64le s390x x86_64):
    subversion-1.10.6-150000.3.21.1
    subversion-debuginfo-1.10.6-150000.3.21.1
    subversion-debugsource-1.10.6-150000.3.21.1
    subversion-devel-1.10.6-150000.3.21.1
    subversion-perl-1.10.6-150000.3.21.1
    subversion-perl-debuginfo-1.10.6-150000.3.21.1
    subversion-python-1.10.6-150000.3.21.1
    subversion-python-debuginfo-1.10.6-150000.3.21.1
    subversion-server-1.10.6-150000.3.21.1
    subversion-server-debuginfo-1.10.6-150000.3.21.1
    subversion-tools-1.10.6-150000.3.21.1
    subversion-tools-debuginfo-1.10.6-150000.3.21.1
o SUSE Manager Server 4.1 (noarch):
    subversion-bash-completion-1.10.6-150000.3.21.1
o SUSE Manager Retail Branch Server 4.1 (x86_64):
    subversion-1.10.6-150000.3.21.1
    subversion-debuginfo-1.10.6-150000.3.21.1
    subversion-debugsource-1.10.6-150000.3.21.1
    subversion-devel-1.10.6-150000.3.21.1
    subversion-perl-1.10.6-150000.3.21.1
    subversion-perl-debuginfo-1.10.6-150000.3.21.1
    subversion-python-1.10.6-150000.3.21.1
    subversion-python-debuginfo-1.10.6-150000.3.21.1
    subversion-server-1.10.6-150000.3.21.1
    subversion-server-debuginfo-1.10.6-150000.3.21.1
    subversion-tools-1.10.6-150000.3.21.1
    subversion-tools-debuginfo-1.10.6-150000.3.21.1
o SUSE Manager Retail Branch Server 4.1 (noarch):
    subversion-bash-completion-1.10.6-150000.3.21.1
o SUSE Manager Proxy 4.1 (x86_64):
    subversion-1.10.6-150000.3.21.1
    subversion-debuginfo-1.10.6-150000.3.21.1
    subversion-debugsource-1.10.6-150000.3.21.1
    subversion-devel-1.10.6-150000.3.21.1
    subversion-perl-1.10.6-150000.3.21.1
    subversion-perl-debuginfo-1.10.6-150000.3.21.1
    subversion-python-1.10.6-150000.3.21.1
    subversion-python-debuginfo-1.10.6-150000.3.21.1
    subversion-server-1.10.6-150000.3.21.1
    subversion-server-debuginfo-1.10.6-150000.3.21.1
    subversion-tools-1.10.6-150000.3.21.1
    subversion-tools-debuginfo-1.10.6-150000.3.21.1
o SUSE Manager Proxy 4.1 (noarch):
    subversion-bash-completion-1.10.6-150000.3.21.1
o SUSE Linux Enterprise Server for SAP 15-SP2 (ppc64le x86_64):
    subversion-1.10.6-150000.3.21.1
    subversion-debuginfo-1.10.6-150000.3.21.1
    subversion-debugsource-1.10.6-150000.3.21.1
    subversion-devel-1.10.6-150000.3.21.1
    subversion-perl-1.10.6-150000.3.21.1
    subversion-perl-debuginfo-1.10.6-150000.3.21.1
    subversion-python-1.10.6-150000.3.21.1
    subversion-python-debuginfo-1.10.6-150000.3.21.1
    subversion-server-1.10.6-150000.3.21.1
    subversion-server-debuginfo-1.10.6-150000.3.21.1
    subversion-tools-1.10.6-150000.3.21.1
    subversion-tools-debuginfo-1.10.6-150000.3.21.1
o SUSE Linux Enterprise Server for SAP 15-SP2 (noarch):
    subversion-bash-completion-1.10.6-150000.3.21.1
o SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64):
    subversion-1.10.6-150000.3.21.1
    subversion-debuginfo-1.10.6-150000.3.21.1
    subversion-debugsource-1.10.6-150000.3.21.1
    subversion-devel-1.10.6-150000.3.21.1
    subversion-perl-1.10.6-150000.3.21.1
    subversion-perl-debuginfo-1.10.6-150000.3.21.1
    subversion-python-1.10.6-150000.3.21.1
    subversion-python-debuginfo-1.10.6-150000.3.21.1
    subversion-server-1.10.6-150000.3.21.1
    subversion-server-debuginfo-1.10.6-150000.3.21.1
    subversion-tools-1.10.6-150000.3.21.1
    subversion-tools-debuginfo-1.10.6-150000.3.21.1
o SUSE Linux Enterprise Server for SAP 15-SP1 (noarch):
    subversion-bash-completion-1.10.6-150000.3.21.1
o SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):
    subversion-1.10.6-150000.3.21.1
    subversion-debuginfo-1.10.6-150000.3.21.1
    subversion-debugsource-1.10.6-150000.3.21.1
    subversion-devel-1.10.6-150000.3.21.1
    subversion-perl-1.10.6-150000.3.21.1
    subversion-perl-debuginfo-1.10.6-150000.3.21.1
    subversion-python-1.10.6-150000.3.21.1
    subversion-python-debuginfo-1.10.6-150000.3.21.1
    subversion-server-1.10.6-150000.3.21.1
    subversion-server-debuginfo-1.10.6-150000.3.21.1
    subversion-tools-1.10.6-150000.3.21.1
    subversion-tools-debuginfo-1.10.6-150000.3.21.1
o SUSE Linux Enterprise Server for SAP 15 (noarch):
    subversion-bash-completion-1.10.6-150000.3.21.1
o SUSE Linux Enterprise Server 15-SP2-LTSS (aarch64 ppc64le s390x x86_64):
    subversion-1.10.6-150000.3.21.1
    subversion-debuginfo-1.10.6-150000.3.21.1
    subversion-debugsource-1.10.6-150000.3.21.1
    subversion-devel-1.10.6-150000.3.21.1
    subversion-perl-1.10.6-150000.3.21.1
    subversion-perl-debuginfo-1.10.6-150000.3.21.1
    subversion-python-1.10.6-150000.3.21.1
    subversion-python-debuginfo-1.10.6-150000.3.21.1
    subversion-server-1.10.6-150000.3.21.1
    subversion-server-debuginfo-1.10.6-150000.3.21.1
    subversion-tools-1.10.6-150000.3.21.1
    subversion-tools-debuginfo-1.10.6-150000.3.21.1
o SUSE Linux Enterprise Server 15-SP2-LTSS (noarch):
    subversion-bash-completion-1.10.6-150000.3.21.1
o SUSE Linux Enterprise Server 15-SP2-BCL (x86_64):
    subversion-1.10.6-150000.3.21.1
    subversion-debuginfo-1.10.6-150000.3.21.1
    subversion-debugsource-1.10.6-150000.3.21.1
    subversion-devel-1.10.6-150000.3.21.1
    subversion-perl-1.10.6-150000.3.21.1
    subversion-perl-debuginfo-1.10.6-150000.3.21.1
    subversion-python-1.10.6-150000.3.21.1
    subversion-python-debuginfo-1.10.6-150000.3.21.1
    subversion-server-1.10.6-150000.3.21.1
    subversion-server-debuginfo-1.10.6-150000.3.21.1
    subversion-tools-1.10.6-150000.3.21.1
    subversion-tools-debuginfo-1.10.6-150000.3.21.1
o SUSE Linux Enterprise Server 15-SP2-BCL (noarch):
    subversion-bash-completion-1.10.6-150000.3.21.1
o SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64):
    subversion-1.10.6-150000.3.21.1
    subversion-debuginfo-1.10.6-150000.3.21.1
    subversion-debugsource-1.10.6-150000.3.21.1
    subversion-devel-1.10.6-150000.3.21.1
    subversion-perl-1.10.6-150000.3.21.1
    subversion-perl-debuginfo-1.10.6-150000.3.21.1
    subversion-python-1.10.6-150000.3.21.1
    subversion-python-debuginfo-1.10.6-150000.3.21.1
    subversion-server-1.10.6-150000.3.21.1
    subversion-server-debuginfo-1.10.6-150000.3.21.1
    subversion-tools-1.10.6-150000.3.21.1
    subversion-tools-debuginfo-1.10.6-150000.3.21.1
o SUSE Linux Enterprise Server 15-SP1-LTSS (noarch):
    subversion-bash-completion-1.10.6-150000.3.21.1
o SUSE Linux Enterprise Server 15-SP1-BCL (noarch):
    subversion-bash-completion-1.10.6-150000.3.21.1
o SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):
    subversion-1.10.6-150000.3.21.1
    subversion-debuginfo-1.10.6-150000.3.21.1
    subversion-debugsource-1.10.6-150000.3.21.1
    subversion-devel-1.10.6-150000.3.21.1
    subversion-perl-1.10.6-150000.3.21.1
    subversion-perl-debuginfo-1.10.6-150000.3.21.1
    subversion-python-1.10.6-150000.3.21.1
    subversion-python-debuginfo-1.10.6-150000.3.21.1
    subversion-server-1.10.6-150000.3.21.1
    subversion-server-debuginfo-1.10.6-150000.3.21.1
    subversion-tools-1.10.6-150000.3.21.1
    subversion-tools-debuginfo-1.10.6-150000.3.21.1
o SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):
    subversion-1.10.6-150000.3.21.1
    subversion-debuginfo-1.10.6-150000.3.21.1
    subversion-debugsource-1.10.6-150000.3.21.1
    subversion-devel-1.10.6-150000.3.21.1
    subversion-perl-1.10.6-150000.3.21.1
    subversion-perl-debuginfo-1.10.6-150000.3.21.1
    subversion-python-1.10.6-150000.3.21.1
    subversion-python-debuginfo-1.10.6-150000.3.21.1
    subversion-server-1.10.6-150000.3.21.1
    subversion-server-debuginfo-1.10.6-150000.3.21.1
    subversion-tools-1.10.6-150000.3.21.1
    subversion-tools-debuginfo-1.10.6-150000.3.21.1
o SUSE Linux Enterprise Server 15-LTSS (noarch):
    subversion-bash-completion-1.10.6-150000.3.21.1
o SUSE Linux Enterprise Realtime Extension 15-SP2 (x86_64):
    subversion-1.10.6-150000.3.21.1
    subversion-debuginfo-1.10.6-150000.3.21.1
    subversion-debugsource-1.10.6-150000.3.21.1
    subversion-devel-1.10.6-150000.3.21.1
    subversion-perl-1.10.6-150000.3.21.1
    subversion-perl-debuginfo-1.10.6-150000.3.21.1
    subversion-python-1.10.6-150000.3.21.1
    subversion-python-debuginfo-1.10.6-150000.3.21.1
    subversion-server-1.10.6-150000.3.21.1
    subversion-server-debuginfo-1.10.6-150000.3.21.1
    subversion-tools-1.10.6-150000.3.21.1
    subversion-tools-debuginfo-1.10.6-150000.3.21.1
o SUSE Linux Enterprise Realtime Extension 15-SP2 (noarch):
    subversion-bash-completion-1.10.6-150000.3.21.1
o SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (aarch64 x86_64):
    subversion-1.10.6-150000.3.21.1
    subversion-debuginfo-1.10.6-150000.3.21.1
    subversion-debugsource-1.10.6-150000.3.21.1
    subversion-devel-1.10.6-150000.3.21.1
    subversion-perl-1.10.6-150000.3.21.1
    subversion-perl-debuginfo-1.10.6-150000.3.21.1
    subversion-python-1.10.6-150000.3.21.1
    subversion-python-debuginfo-1.10.6-150000.3.21.1
    subversion-server-1.10.6-150000.3.21.1
    subversion-server-debuginfo-1.10.6-150000.3.21.1
    subversion-tools-1.10.6-150000.3.21.1
    subversion-tools-debuginfo-1.10.6-150000.3.21.1
o SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (noarch):
    subversion-bash-completion-1.10.6-150000.3.21.1
o SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (aarch64 x86_64):
    subversion-1.10.6-150000.3.21.1
    subversion-debuginfo-1.10.6-150000.3.21.1
    subversion-debugsource-1.10.6-150000.3.21.1
    subversion-devel-1.10.6-150000.3.21.1
    subversion-perl-1.10.6-150000.3.21.1
    subversion-perl-debuginfo-1.10.6-150000.3.21.1
    subversion-python-1.10.6-150000.3.21.1
    subversion-python-debuginfo-1.10.6-150000.3.21.1
    subversion-server-1.10.6-150000.3.21.1
    subversion-server-debuginfo-1.10.6-150000.3.21.1
    subversion-tools-1.10.6-150000.3.21.1
    subversion-tools-debuginfo-1.10.6-150000.3.21.1
o SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (noarch):
    subversion-bash-completion-1.10.6-150000.3.21.1
o SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64):
    subversion-1.10.6-150000.3.21.1
    subversion-debuginfo-1.10.6-150000.3.21.1
    subversion-debugsource-1.10.6-150000.3.21.1
    subversion-devel-1.10.6-150000.3.21.1
    subversion-perl-1.10.6-150000.3.21.1
    subversion-perl-debuginfo-1.10.6-150000.3.21.1
    subversion-python-1.10.6-150000.3.21.1
    subversion-python-debuginfo-1.10.6-150000.3.21.1
    subversion-server-1.10.6-150000.3.21.1
    subversion-server-debuginfo-1.10.6-150000.3.21.1
    subversion-tools-1.10.6-150000.3.21.1
    subversion-tools-debuginfo-1.10.6-150000.3.21.1
o SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (noarch):
    subversion-bash-completion-1.10.6-150000.3.21.1
o SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64):
    subversion-1.10.6-150000.3.21.1
    subversion-debuginfo-1.10.6-150000.3.21.1
    subversion-debugsource-1.10.6-150000.3.21.1
    subversion-devel-1.10.6-150000.3.21.1
    subversion-perl-1.10.6-150000.3.21.1
    subversion-perl-debuginfo-1.10.6-150000.3.21.1
    subversion-python-1.10.6-150000.3.21.1
    subversion-python-debuginfo-1.10.6-150000.3.21.1
    subversion-server-1.10.6-150000.3.21.1
    subversion-server-debuginfo-1.10.6-150000.3.21.1
    subversion-tools-1.10.6-150000.3.21.1
    subversion-tools-debuginfo-1.10.6-150000.3.21.1
o SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (noarch):
    subversion-bash-completion-1.10.6-150000.3.21.1
o SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):
    subversion-1.10.6-150000.3.21.1
    subversion-debuginfo-1.10.6-150000.3.21.1
    subversion-debugsource-1.10.6-150000.3.21.1
    subversion-devel-1.10.6-150000.3.21.1
    subversion-perl-1.10.6-150000.3.21.1
    subversion-perl-debuginfo-1.10.6-150000.3.21.1
    subversion-python-1.10.6-150000.3.21.1
    subversion-python-debuginfo-1.10.6-150000.3.21.1
    subversion-server-1.10.6-150000.3.21.1
    subversion-server-debuginfo-1.10.6-150000.3.21.1
    subversion-tools-1.10.6-150000.3.21.1
    subversion-tools-debuginfo-1.10.6-150000.3.21.1
o SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch):
    subversion-bash-completion-1.10.6-150000.3.21.1
o SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):
    subversion-1.10.6-150000.3.21.1
    subversion-debuginfo-1.10.6-150000.3.21.1
    subversion-debugsource-1.10.6-150000.3.21.1
    subversion-devel-1.10.6-150000.3.21.1
    subversion-perl-1.10.6-150000.3.21.1
    subversion-perl-debuginfo-1.10.6-150000.3.21.1
    subversion-python-1.10.6-150000.3.21.1
    subversion-python-debuginfo-1.10.6-150000.3.21.1
    subversion-server-1.10.6-150000.3.21.1
    subversion-server-debuginfo-1.10.6-150000.3.21.1
    subversion-tools-1.10.6-150000.3.21.1
    subversion-tools-debuginfo-1.10.6-150000.3.21.1
o SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch):
    subversion-bash-completion-1.10.6-150000.3.21.1
o SUSE Enterprise Storage 7 (aarch64 x86_64):
    subversion-1.10.6-150000.3.21.1
    subversion-debuginfo-1.10.6-150000.3.21.1
    subversion-debugsource-1.10.6-150000.3.21.1
    subversion-devel-1.10.6-150000.3.21.1
    subversion-perl-1.10.6-150000.3.21.1
    subversion-perl-debuginfo-1.10.6-150000.3.21.1
    subversion-python-1.10.6-150000.3.21.1
    subversion-python-debuginfo-1.10.6-150000.3.21.1
    subversion-server-1.10.6-150000.3.21.1
    subversion-server-debuginfo-1.10.6-150000.3.21.1
    subversion-tools-1.10.6-150000.3.21.1
    subversion-tools-debuginfo-1.10.6-150000.3.21.1
o SUSE Enterprise Storage 7 (noarch):
    subversion-bash-completion-1.10.6-150000.3.21.1
o SUSE Enterprise Storage 6 (aarch64 x86_64):
    subversion-1.10.6-150000.3.21.1
    subversion-debuginfo-1.10.6-150000.3.21.1
    subversion-debugsource-1.10.6-150000.3.21.1
    subversion-devel-1.10.6-150000.3.21.1
    subversion-perl-1.10.6-150000.3.21.1
    subversion-perl-debuginfo-1.10.6-150000.3.21.1
    subversion-python-1.10.6-150000.3.21.1
    subversion-python-debuginfo-1.10.6-150000.3.21.1
    subversion-server-1.10.6-150000.3.21.1
    subversion-server-debuginfo-1.10.6-150000.3.21.1
    subversion-tools-1.10.6-150000.3.21.1
    subversion-tools-debuginfo-1.10.6-150000.3.21.1
o SUSE Enterprise Storage 6 (noarch):
    subversion-bash-completion-1.10.6-150000.3.21.1
o SUSE CaaS Platform 4.0 (x86_64):
    subversion-1.10.6-150000.3.21.1
    subversion-debuginfo-1.10.6-150000.3.21.1
    subversion-debugsource-1.10.6-150000.3.21.1
    subversion-devel-1.10.6-150000.3.21.1
    subversion-perl-1.10.6-150000.3.21.1
    subversion-perl-debuginfo-1.10.6-150000.3.21.1
    subversion-python-1.10.6-150000.3.21.1
    subversion-python-debuginfo-1.10.6-150000.3.21.1
    subversion-server-1.10.6-150000.3.21.1
    subversion-server-debuginfo-1.10.6-150000.3.21.1
    subversion-tools-1.10.6-150000.3.21.1
    subversion-tools-debuginfo-1.10.6-150000.3.21.1
o SUSE CaaS Platform 4.0 (noarch):
    subversion-bash-completion-1.10.6-150000.3.21.1

References:

o https://www.suse.com/security/cve/CVE-2021-28544.html
o https://www.suse.com/security/cve/CVE-2022-24070.html
o https://bugzilla.suse.com/1197939
o https://bugzilla.suse.com/1197940

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----
13 April 2022

ESB-2022.1587 - [SUSE] subversion: CVSS (Max): 7.5

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1587
                      Security update for subversion
                               13 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           subversion
Publisher:         SUSE
Operating System:  SUSE
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-24070 CVE-2021-28544

Original Bulletin:
   https://www.suse.com/support/update/announcement/2022/suse-su-20221162-1

Comment: CVSS (Max):  7.5 CVE-2022-24070 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: SUSE
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

   SUSE Security Update: Security update for subversion
______________________________________________________________________________

Announcement ID:   SUSE-SU-2022:1162-1
Rating:            important
References:        #1197939 #1197940
Cross-References:  CVE-2021-28544 CVE-2022-24070
Affected Products:
                   SUSE Linux Enterprise Desktop 15-SP3
                   SUSE Linux Enterprise High Performance Computing 15-SP3
                   SUSE Linux Enterprise Module for Basesystem 15-SP3
                   SUSE Linux Enterprise Module for Development Tools 15-SP3
                   SUSE Linux Enterprise Module for Server Applications 15-SP3
                   SUSE Linux Enterprise Server 15-SP3
                   SUSE Linux Enterprise Server for SAP Applications 15-SP3
                   SUSE Manager Proxy 4.2
                   SUSE Manager Server 4.2
                   openSUSE Leap 15.3
                   openSUSE Leap 15.4
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for subversion fixes the following issues:

o CVE-2022-24070: Fixed a memory corruption issue in mod_dav_svn as used by
  Apache HTTP server. This could be exploited by a remote attacker to cause a
  denial of service (bsc#1197940).
o CVE-2021-28544: Fixed an information leak issue where Subversion servers may
  reveal the original path of files protected by path-based authorization
  (bsc#1197939).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

o openSUSE Leap 15.4:
    zypper in -t patch openSUSE-SLE-15.4-2022-1162=1
o openSUSE Leap 15.3:
    zypper in -t patch openSUSE-SLE-15.3-2022-1162=1
o SUSE Linux Enterprise Module for Server Applications 15-SP3:
    zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP3-2022-1162=1
o SUSE Linux Enterprise Module for Development Tools 15-SP3:
    zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP3-2022-1162=1
o SUSE Linux Enterprise Module for Basesystem 15-SP3:
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2022-1162=1

Package List:

o openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):
    subversion-python-ctypes-1.10.6-150300.10.8.1
o openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):
    libsvn_auth_gnome_keyring-1-0-1.10.6-150300.10.8.1
    libsvn_auth_gnome_keyring-1-0-debuginfo-1.10.6-150300.10.8.1
    libsvn_auth_kwallet-1-0-1.10.6-150300.10.8.1
    libsvn_auth_kwallet-1-0-debuginfo-1.10.6-150300.10.8.1
    subversion-1.10.6-150300.10.8.1
    subversion-debuginfo-1.10.6-150300.10.8.1
    subversion-debugsource-1.10.6-150300.10.8.1
    subversion-devel-1.10.6-150300.10.8.1
    subversion-perl-1.10.6-150300.10.8.1
    subversion-perl-debuginfo-1.10.6-150300.10.8.1
    subversion-python-1.10.6-150300.10.8.1
    subversion-python-ctypes-1.10.6-150300.10.8.1
    subversion-python-debuginfo-1.10.6-150300.10.8.1
    subversion-ruby-1.10.6-150300.10.8.1
    subversion-ruby-debuginfo-1.10.6-150300.10.8.1
    subversion-server-1.10.6-150300.10.8.1
    subversion-server-debuginfo-1.10.6-150300.10.8.1
    subversion-tools-1.10.6-150300.10.8.1
    subversion-tools-debuginfo-1.10.6-150300.10.8.1
o openSUSE Leap 15.3 (noarch):
    subversion-bash-completion-1.10.6-150300.10.8.1
o SUSE Linux Enterprise Module for Server Applications 15-SP3 (aarch64 ppc64le s390x x86_64):
    subversion-debuginfo-1.10.6-150300.10.8.1
    subversion-debugsource-1.10.6-150300.10.8.1
    subversion-server-1.10.6-150300.10.8.1
    subversion-server-debuginfo-1.10.6-150300.10.8.1
o SUSE Linux Enterprise Module for Development Tools 15-SP3 (aarch64 ppc64le s390x x86_64):
    subversion-debuginfo-1.10.6-150300.10.8.1
    subversion-debugsource-1.10.6-150300.10.8.1
    subversion-perl-1.10.6-150300.10.8.1
    subversion-perl-debuginfo-1.10.6-150300.10.8.1
    subversion-python-1.10.6-150300.10.8.1
    subversion-python-debuginfo-1.10.6-150300.10.8.1
    subversion-tools-1.10.6-150300.10.8.1
    subversion-tools-debuginfo-1.10.6-150300.10.8.1
o SUSE Linux Enterprise Module for Development Tools 15-SP3 (noarch):
    subversion-bash-completion-1.10.6-150300.10.8.1
o SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64):
    subversion-1.10.6-150300.10.8.1
    subversion-debuginfo-1.10.6-150300.10.8.1
    subversion-debugsource-1.10.6-150300.10.8.1
    subversion-devel-1.10.6-150300.10.8.1

References:

o https://www.suse.com/security/cve/CVE-2021-28544.html
o https://www.suse.com/security/cve/CVE-2022-24070.html
o https://bugzilla.suse.com/1197939
o https://bugzilla.suse.com/1197940

- --------------------------END INCLUDED TEXT--------------------

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----
13 April 2022

ESB-2022.1586 - [SUSE] qemu: CVSS (Max): 3.2

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2022.1586
Security update for qemu
13 April 2022
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           qemu
Publisher:         SUSE
Operating System:  SUSE
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-20196 CVE-2021-3930

Original Bulletin:
   https://www.suse.com/support/update/announcement/2022/suse-su-20221151-1

Comment: CVSS (Max):  3.2 CVE-2021-3930 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L)
         CVSS Source: SUSE
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L

--------------------------BEGIN INCLUDED TEXT--------------------

SUSE Security Update: Security update for qemu
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:1151-1
Rating:             moderate
References:         #1181361 #1187529 #1192463 #1192525 #1196737
Cross-References:   CVE-2021-20196 CVE-2021-3930
Affected Products:  SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

An update that solves two vulnerabilities and has three fixes is now available.

Description:

This update for qemu fixes the following issues:

  o CVE-2021-20196: Fixed a denial of service in the floppy disk emulator
    (bsc#1181361).
  o CVE-2021-3930: Fixed a potential denial of service in the emulated SCSI
    device (bsc#1192525).

Non-security fixes:

  o Fixed a kernel data corruption via a long kernel boot cmdline (bsc#1196737).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

  o SUSE Linux Enterprise Server 12-SP5:
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-2022-1151=1

Package List:

  o SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
    qemu-3.1.1.1-63.4
    qemu-audio-alsa-3.1.1.1-63.4
    qemu-audio-alsa-debuginfo-3.1.1.1-63.4
    qemu-audio-oss-3.1.1.1-63.4
    qemu-audio-oss-debuginfo-3.1.1.1-63.4
    qemu-audio-pa-3.1.1.1-63.4
    qemu-audio-pa-debuginfo-3.1.1.1-63.4
    qemu-audio-sdl-3.1.1.1-63.4
    qemu-audio-sdl-debuginfo-3.1.1.1-63.4
    qemu-block-curl-3.1.1.1-63.4
    qemu-block-curl-debuginfo-3.1.1.1-63.4
    qemu-block-iscsi-3.1.1.1-63.4
    qemu-block-iscsi-debuginfo-3.1.1.1-63.4
    qemu-block-ssh-3.1.1.1-63.4
    qemu-block-ssh-debuginfo-3.1.1.1-63.4
    qemu-debugsource-3.1.1.1-63.4
    qemu-guest-agent-3.1.1.1-63.4
    qemu-guest-agent-debuginfo-3.1.1.1-63.4
    qemu-lang-3.1.1.1-63.4
    qemu-tools-3.1.1.1-63.4
    qemu-tools-debuginfo-3.1.1.1-63.4
    qemu-ui-curses-3.1.1.1-63.4
    qemu-ui-curses-debuginfo-3.1.1.1-63.4
    qemu-ui-gtk-3.1.1.1-63.4
    qemu-ui-gtk-debuginfo-3.1.1.1-63.4
    qemu-ui-sdl-3.1.1.1-63.4
    qemu-ui-sdl-debuginfo-3.1.1.1-63.4
  o SUSE Linux Enterprise Server 12-SP5 (aarch64 x86_64):
    qemu-block-rbd-3.1.1.1-63.4
    qemu-block-rbd-debuginfo-3.1.1.1-63.4
  o SUSE Linux Enterprise Server 12-SP5 (s390x x86_64):
    qemu-kvm-3.1.1.1-63.4
  o SUSE Linux Enterprise Server 12-SP5 (aarch64):
    qemu-arm-3.1.1.1-63.4
    qemu-arm-debuginfo-3.1.1.1-63.4
  o SUSE Linux Enterprise Server 12-SP5 (ppc64le):
    qemu-ppc-3.1.1.1-63.4
    qemu-ppc-debuginfo-3.1.1.1-63.4
  o SUSE Linux Enterprise Server 12-SP5 (noarch):
    qemu-ipxe-1.0.0+-63.4
    qemu-seabios-1.12.0_0_ga698c89-63.4
    qemu-sgabios-8-63.4
    qemu-vgabios-1.12.0_0_ga698c89-63.4
  o SUSE Linux Enterprise Server 12-SP5 (x86_64):
    qemu-x86-3.1.1.1-63.4
  o SUSE Linux Enterprise Server 12-SP5 (s390x):
    qemu-s390-3.1.1.1-63.4
    qemu-s390-debuginfo-3.1.1.1-63.4

References:

  o https://www.suse.com/security/cve/CVE-2021-20196.html
  o https://www.suse.com/security/cve/CVE-2021-3930.html
  o https://bugzilla.suse.com/1181361
  o https://bugzilla.suse.com/1187529
  o https://bugzilla.suse.com/1192463
  o https://bugzilla.suse.com/1192525
  o https://bugzilla.suse.com/1196737

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
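A defender-side check for the package list in the bulletin above, added here as an example and not part of the bulletin or of SUSE's tooling: it reads lines produced by `rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'`, compares them with a simplified rpm version ordering, and reports which bulletin packages are installed but still below the fixed level (3.1.1.1-63.4 for the qemu binaries, 1.0.0+-63.4 for qemu-ipxe). Assumptions: only a subset of the package list is encoded, versions carry no epoch, `~` or `^`, and the rpm output shown is constructed, not captured from a host.

```python
import re

# Fixed (version, release) per package from SUSE-SU-2022:1151-1, SLES 12-SP5
# (a subset of the bulletin's package list; extend as needed).
FIXED = {
    "qemu": ("3.1.1.1", "63.4"),
    "qemu-kvm": ("3.1.1.1", "63.4"),
    "qemu-x86": ("3.1.1.1", "63.4"),
    "qemu-ipxe": ("1.0.0+", "63.4"),
    "qemu-seabios": ("1.12.0_0_ga698c89", "63.4"),
}
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a, b):
    """Simplified rpm ordering (assumes no epoch, '~' or '^'): split into runs
    of digits/letters; digit runs compare as integers (so 63.10 > 63.4),
    letter runs lexically, and a digit run outranks a letter run."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1      # numeric beats alpha
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def is_patched(name, version, release):
    """True if the installed package is at or above the bulletin's fixed level."""
    fixed_ver, fixed_rel = FIXED[name]
    c = rpmvercmp(version, fixed_ver) or rpmvercmp(release, fixed_rel)
    return c >= 0

def vulnerable_packages(rpm_qa_output):
    """Parse 'NAME VERSION RELEASE' lines; return bulletin packages below the fix."""
    unpatched = []
    for line in rpm_qa_output.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] in FIXED and not is_patched(*parts):
            unpatched.append(parts[0])
    return unpatched

# Constructed sample output (not from a real host): one package below the fix,
# one at it, one above it (a plain string compare would misjudge 63.10), one
# unrelated package.
SAMPLE_RPM_QA = """\
qemu 3.1.1.1 63.3
qemu-kvm 3.1.1.1 63.4
qemu-x86 3.1.1.1 63.10
qemu-ipxe 1.0.0+ 63.1
bash 4.3 83.23.1
"""
```

`vulnerable_packages(SAMPLE_RPM_QA)` returns `['qemu', 'qemu-ipxe']`; on a real host, pipe the rpm query output into it instead of the sample.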
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
