SUSE Security Update: Security update for kiwi
______________________________________________________________________________

Announcement ID:    SUSE-SU-2011:0917-1
Rating:             critical
References:         #571584 #659843 #667082 #668014 #670299 #675004 
                    #681902 #682978 #689907 #693847 #694506 #699558 
                    #699708 #699710 #700356 #700588 #700589 #700591 
                    #700948 #701512 #701814 #701815 #701816 #702041 
                    #702320 #704726 #704730 #707637 #709437 #709572 
                    #710392 #711998 #712000 
Cross-References:   CVE-2011-2225 CVE-2011-2226 CVE-2011-2644
                    CVE-2011-2645 CVE-2011-2646 CVE-2011-2647
                    CVE-2011-2648 CVE-2011-2649 CVE-2011-2650
                    CVE-2011-2651 CVE-2011-2652
Affected Products:
                    SUSE Studio Onsite 1.1
______________________________________________________________________________

   An update that solves 11 vulnerabilities and has 22 fixes
   is now available. It includes two new package versions.

Description:


   SUSE Studio was prone to several cross-site-scripting (XSS)
   and shell  quoting issues.

   * CVE-2011-2652 - XSS vulnerability in overlay files:
   bad escaping archive file list
   * CVE-2011-2651 - Remote code execution via crafted
   filename in file browser
   * CVE-2011-2650 - XSS vulnerability when displaying RPM
   info (pattern name)
   * CVE-2011-2649 - Unwanted shell expansion when
   executing commands in FileUtils fix
   * CVE-2011-2648 - Arbitrary code execution via filters   in modified files
   * CVE-2011-2647 - studio: Remote code execution via
   crafted archive name in testdrive's modified files
   * CVE-2011-2646 - studio: Remote code execution via
   crafted filename in testdrive's modified files
   * CVE-2011-2645 - Remote code execution via crafted
   custom RPM filename
   * CVE-2011-2644 - XSS vulnerability in displaying RPM
   info
   * CVE-2011-2226 - XSS vulnerability when displaying
   pattern listing
   * CVE-2011-2225 - Overlay directory pathes are not
   properly escaped before inclusion into config.sh

   Furthermore, the following non-security fixes are included:

   * 682978: Fix apache config for cloning appliances with
   image repos
   * 681902: Fix images being deleted when one format is
   deleted
   * 571584: Show 32bit packages in 64bit appliance when
   there's no 64bit version available
   * 701512: Remove kiwi version dependency on release
   * 704730: Fix script for fixing the apache configuration
   * 707637: Fixed rmds segfaults during attempt of adding
   specially crafted repositories
   * 704726: Disable partition alignment for SLE10
   * 709437: Fix Export script
   * 689907: Fix SLE 10 SP3 appliances containing SP2
   product file
   * 711998: Do not waste disk space when generating the
   export tarball

   In addition, this update provides kiwi version 3.73.1 with
   the following  fixes:

   * 667082: KIWIManager.sh rpmLibs() should execute
   ldconfig after baselib cleanup
   * 668014: Support raid 1 (mirroring) for pxe images
   * 670299: kiwi's implementation of 4k alignment feature
   covers only first partition
   * 675004: TFTP block size
   * 694506: Kiwi: boot partition runs out of space
   * 659843: Avoid initialization of KMS without kernel
   support
   * 693847: fixed URL quoting, we have to distinguish the
   quoting

   Also an important fix was made to the "export" script.

   Security Issue references:

   * CVE-2011-2652
   
   * CVE-2011-2651
   
   * CVE-2011-2650
   
   * CVE-2011-2649
   
   * CVE-2011-2648
   
   * CVE-2011-2647
   
   * CVE-2011-2646
   
   * CVE-2011-2645
   
   * CVE-2011-2644
   
   * CVE-2011-2225
   
   * CVE-2011-2226
   


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Studio Onsite 1.1:

      zypper in -t patch slestsosp1-susestudio-201107-4998

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Studio Onsite 1.1 (x86_64) [New Version: 1.1.4 and 3.74.2]:

      kiwi-3.74.2-0.81.8
      kiwi-desc-isoboot-3.74.2-0.81.8
      kiwi-desc-netboot-3.74.2-0.81.8
      kiwi-desc-oemboot-3.74.2-0.81.8
      kiwi-desc-usbboot-3.74.2-0.81.8
      kiwi-desc-vmxboot-3.74.2-0.81.8
      kiwi-desc-xenboot-3.74.2-0.81.8
      kiwi-doc-3.74.2-0.81.8
      kiwi-tools-3.74.2-0.81.8
      susestudio-1.1.4-0.19.2
      susestudio-clicfs-1.1.4-0.19.2
      susestudio-common-1.1.4-0.19.2
      susestudio-image-helpers-1.1.4-0.3.2
      susestudio-kiwi-runner-1.1.4-0.19.2
      susestudio-rmds-1.1.4-0.19.2
      susestudio-testdrive-1.1.4-0.19.2
      susestudio-thoth-1.1.4-0.19.2
      susestudio-ui-server-1.1.4-0.19.2


References:

   https://www.suse.com/security/cve/CVE-2011-2225.html
   https://www.suse.com/security/cve/CVE-2011-2226.html
   https://www.suse.com/security/cve/CVE-2011-2644.html
   https://www.suse.com/security/cve/CVE-2011-2645.html
   https://www.suse.com/security/cve/CVE-2011-2646.html
   https://www.suse.com/security/cve/CVE-2011-2647.html
   https://www.suse.com/security/cve/CVE-2011-2648.html
   https://www.suse.com/security/cve/CVE-2011-2649.html
   https://www.suse.com/security/cve/CVE-2011-2650.html
   https://www.suse.com/security/cve/CVE-2011-2651.html
   https://www.suse.com/security/cve/CVE-2011-2652.html
   https://bugzilla.novell.com/571584
   https://bugzilla.novell.com/659843
   https://bugzilla.novell.com/667082
   https://bugzilla.novell.com/668014
   https://bugzilla.novell.com/670299
   https://bugzilla.novell.com/675004
   https://bugzilla.novell.com/681902
   https://bugzilla.novell.com/682978
   https://bugzilla.novell.com/689907
   https://bugzilla.novell.com/693847
   https://bugzilla.novell.com/694506
   https://bugzilla.novell.com/699558
   https://bugzilla.novell.com/699708
   https://bugzilla.novell.com/699710
   https://bugzilla.novell.com/700356
   https://bugzilla.novell.com/700588
   https://bugzilla.novell.com/700589
   https://bugzilla.novell.com/700591
   https://bugzilla.novell.com/700948
   https://bugzilla.novell.com/701512
   https://bugzilla.novell.com/701814
   https://bugzilla.novell.com/701815
   https://bugzilla.novell.com/701816
   https://bugzilla.novell.com/702041
   https://bugzilla.novell.com/702320
   https://bugzilla.novell.com/704726
   https://bugzilla.novell.com/704730
   https://bugzilla.novell.com/707637
   https://bugzilla.novell.com/709437
   https://bugzilla.novell.com/709572
   https://bugzilla.novell.com/710392
   https://bugzilla.novell.com/711998
   https://bugzilla.novell.com/712000
   https://login.microfocus.com/nidp/app/login

SuSE: 2011:0917-1: critical: kiwi

August 18, 2011
An update that solves 11 vulnerabilities and has 22 fixes An update that solves 11 vulnerabilities and has 22 fixes An update that solves 11 vulnerabilities and has 22 fixes is now...

Summary

   SUSE Security Update: Security update for kiwi
______________________________________________________________________________

Announcement ID:    SUSE-SU-2011:0917-1
Rating:             critical
References:         #571584 #659843 #667082 #668014 #670299 #675004 
                    #681902 #682978 #689907 #693847 #694506 #699558 
                    #699708 #699710 #700356 #700588 #700589 #700591 
                    #700948 #701512 #701814 #701815 #701816 #702041 
                    #702320 #704726 #704730 #707637 #709437 #709572 
                    #710392 #711998 #712000 
Cross-References:   CVE-2011-2225 CVE-2011-2226 CVE-2011-2644
                    CVE-2011-2645 CVE-2011-2646 CVE-2011-2647
                    CVE-2011-2648 CVE-2011-2649 CVE-2011-2650
                    CVE-2011-2651 CVE-2011-2652
Affected Products:
                    SUSE Studio Onsite 1.1
______________________________________________________________________________

   An update that solves 11 vulnerabilities and has 22 fixes
   is now available. It includes two new package versions.

Description:


   SUSE Studio was prone to several cross-site-scripting (XSS)
   and shell  quoting issues.

   * CVE-2011-2652 - XSS vulnerability in overlay files:
   bad escaping archive file list
   * CVE-2011-2651 - Remote code execution via crafted
   filename in file browser
   * CVE-2011-2650 - XSS vulnerability when displaying RPM
   info (pattern name)
   * CVE-2011-2649 - Unwanted shell expansion when
   executing commands in FileUtils fix
   * CVE-2011-2648 - Arbitrary code execution via filters   in modified files
   * CVE-2011-2647 - studio: Remote code execution via
   crafted archive name in testdrive's modified files
   * CVE-2011-2646 - studio: Remote code execution via
   crafted filename in testdrive's modified files
   * CVE-2011-2645 - Remote code execution via crafted
   custom RPM filename
   * CVE-2011-2644 - XSS vulnerability in displaying RPM
   info
   * CVE-2011-2226 - XSS vulnerability when displaying
   pattern listing
   * CVE-2011-2225 - Overlay directory pathes are not
   properly escaped before inclusion into config.sh

   Furthermore, the following non-security fixes are included:

   * 682978: Fix apache config for cloning appliances with
   image repos
   * 681902: Fix images being deleted when one format is
   deleted
   * 571584: Show 32bit packages in 64bit appliance when
   there's no 64bit version available
   * 701512: Remove kiwi version dependency on release
   * 704730: Fix script for fixing the apache configuration
   * 707637: Fixed rmds segfaults during attempt of adding
   specially crafted repositories
   * 704726: Disable partition alignment for SLE10
   * 709437: Fix Export script
   * 689907: Fix SLE 10 SP3 appliances containing SP2
   product file
   * 711998: Do not waste disk space when generating the
   export tarball

   In addition, this update provides kiwi version 3.73.1 with
   the following  fixes:

   * 667082: KIWIManager.sh rpmLibs() should execute
   ldconfig after baselib cleanup
   * 668014: Support raid 1 (mirroring) for pxe images
   * 670299: kiwi's implementation of 4k alignment feature
   covers only first partition
   * 675004: TFTP block size
   * 694506: Kiwi: boot partition runs out of space
   * 659843: Avoid initialization of KMS without kernel
   support
   * 693847: fixed URL quoting, we have to distinguish the
   quoting

   Also an important fix was made to the "export" script.

   Security Issue references:

   * CVE-2011-2652
   
   * CVE-2011-2651
   
   * CVE-2011-2650
   
   * CVE-2011-2649
   
   * CVE-2011-2648
   
   * CVE-2011-2647
   
   * CVE-2011-2646
   
   * CVE-2011-2645
   
   * CVE-2011-2644
   
   * CVE-2011-2225
   
   * CVE-2011-2226
   


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Studio Onsite 1.1:

      zypper in -t patch slestsosp1-susestudio-201107-4998

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Studio Onsite 1.1 (x86_64) [New Version: 1.1.4 and 3.74.2]:

      kiwi-3.74.2-0.81.8
      kiwi-desc-isoboot-3.74.2-0.81.8
      kiwi-desc-netboot-3.74.2-0.81.8
      kiwi-desc-oemboot-3.74.2-0.81.8
      kiwi-desc-usbboot-3.74.2-0.81.8
      kiwi-desc-vmxboot-3.74.2-0.81.8
      kiwi-desc-xenboot-3.74.2-0.81.8
      kiwi-doc-3.74.2-0.81.8
      kiwi-tools-3.74.2-0.81.8
      susestudio-1.1.4-0.19.2
      susestudio-clicfs-1.1.4-0.19.2
      susestudio-common-1.1.4-0.19.2
      susestudio-image-helpers-1.1.4-0.3.2
      susestudio-kiwi-runner-1.1.4-0.19.2
      susestudio-rmds-1.1.4-0.19.2
      susestudio-testdrive-1.1.4-0.19.2
      susestudio-thoth-1.1.4-0.19.2
      susestudio-ui-server-1.1.4-0.19.2


References:

   https://www.suse.com/security/cve/CVE-2011-2225.html
   https://www.suse.com/security/cve/CVE-2011-2226.html
   https://www.suse.com/security/cve/CVE-2011-2644.html
   https://www.suse.com/security/cve/CVE-2011-2645.html
   https://www.suse.com/security/cve/CVE-2011-2646.html
   https://www.suse.com/security/cve/CVE-2011-2647.html
   https://www.suse.com/security/cve/CVE-2011-2648.html
   https://www.suse.com/security/cve/CVE-2011-2649.html
   https://www.suse.com/security/cve/CVE-2011-2650.html
   https://www.suse.com/security/cve/CVE-2011-2651.html
   https://www.suse.com/security/cve/CVE-2011-2652.html
   https://bugzilla.novell.com/571584
   https://bugzilla.novell.com/659843
   https://bugzilla.novell.com/667082
   https://bugzilla.novell.com/668014
   https://bugzilla.novell.com/670299
   https://bugzilla.novell.com/675004
   https://bugzilla.novell.com/681902
   https://bugzilla.novell.com/682978
   https://bugzilla.novell.com/689907
   https://bugzilla.novell.com/693847
   https://bugzilla.novell.com/694506
   https://bugzilla.novell.com/699558
   https://bugzilla.novell.com/699708
   https://bugzilla.novell.com/699710
   https://bugzilla.novell.com/700356
   https://bugzilla.novell.com/700588
   https://bugzilla.novell.com/700589
   https://bugzilla.novell.com/700591
   https://bugzilla.novell.com/700948
   https://bugzilla.novell.com/701512
   https://bugzilla.novell.com/701814
   https://bugzilla.novell.com/701815
   https://bugzilla.novell.com/701816
   https://bugzilla.novell.com/702041
   https://bugzilla.novell.com/702320
   https://bugzilla.novell.com/704726
   https://bugzilla.novell.com/704730
   https://bugzilla.novell.com/707637
   https://bugzilla.novell.com/709437
   https://bugzilla.novell.com/709572
   https://bugzilla.novell.com/710392
   https://bugzilla.novell.com/711998
   https://bugzilla.novell.com/712000
   https://login.microfocus.com/nidp/app/login

References

Severity

Related News

11.Locks IsometricPattern Esm H320
2 - 3 min read
The Kinsing hacker group, or H2Miner, has been orchestrating illicit cryptocurrency mining campaigns since 2019 and poses a persistent security
32.Lock Code Circular Esm H320
2 - 3 min read
The Kimsuky APT group, reportedly linked to North Korea's Reconnaissance General Bureau (RGB), has been identified deploying a Linux version of its
4.Lock AbstractDigital Esm H320
2 - 3 min read
Recent research sheds light on the security vulnerabilities prevalent in Linux vendor kernels due to flawed engineering processes that backport
28.Lock Globe Esm H320
1 - 2 min read
The intersection of Linux and quantum computing has become increasingly apparent, emphasizing the importance of Linux-based operating systems in
6.EmailConnection Touch Esm H320
2 - 3 min read
Recent security updates for Ubuntu and Debian have been released to address vulnerabilities in Thunderbird, the popular open-source mail and
30.Lock Globe Motherboard Esm H320
1 - 2 min read
As cybersecurity practitioners, we are no strangers to the constant threat of malicious actors and the importance of remaining vigilant to protect
22.Lock ScreenEffect Esm H320
1 - 2 min read
EndeavorOS Gemini is a captivating and charming desktop operating system based on Arch Linux. The new release includes a kernel upgrade, 3D graphics
25.@Sign Hook Keyboard Esm H320
1 min read
Cyber risk is increasing for individuals and organizations, making flexible and robust solutions for identifying spam and malware increasingly

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved