Security update for crmsh

Announcement ID:	SUSE-SU-2021:2435-1
Rating:	moderate
References:	bsc#1163460 bsc#1175982 bsc#1179999 bsc#1184465 bsc#1185423 bsc#1187553 jsc#SLE-17979
Cross-References:	CVE-2020-35459
CVSS scores:	CVE-2020-35459 ( SUSE ): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2020-35459 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:	SUSE Linux Enterprise High Availability Extension 15 SP2 SUSE Linux Enterprise High Availability Extension 15 SP3 SUSE Linux Enterprise High Performance Computing 15 SP2 SUSE Linux Enterprise High Performance Computing 15 SP3 SUSE Linux Enterprise Server 15 SP2 SUSE Linux Enterprise Server 15 SP2 Business Critical Linux 15-SP2 SUSE Linux Enterprise Server 15 SP3 SUSE Linux Enterprise Server 15 SP3 Business Critical Linux 15-SP3 SUSE Linux Enterprise Server for SAP Applications 15 SP2 SUSE Linux Enterprise Server for SAP Applications 15 SP3 SUSE Manager Proxy 4.1 SUSE Manager Proxy 4.2 SUSE Manager Retail Branch Server 4.1 SUSE Manager Retail Branch Server 4.2 SUSE Manager Server 4.1 SUSE Manager Server 4.2

An update that solves one vulnerability, contains one feature and has five security fixes can now be installed.

Description:

This update for crmsh fixes the following issues:

Update to version 4.3.1+20210624.67223df2:

• Fix: ocfs2: Skip verifying UUID for ocfs2 device on top of raid or lvm on the join node (bsc#1187553)
• Fix: history: use Path.mkdir instead of mkdir command(bsc#1179999, CVE-2020-35459)
• Dev: crash_test: Add big warnings to have users' attention to potential failover(jsc#SLE-17979)
• Dev: crash_test: rename preflight_check as crash_test(jsc#SLE-17979)
• Fix: bootstrap: update sbd watchdog timeout when using diskless SBD with qdevice(bsc#1184465)
• Dev: utils: allow configure link-local ipv6 address(bsc#1163460)
• Fix: parse: shouldn't allow property setting with an empty value(bsc#1185423)
• Fix: help: show help message from argparse(bsc#1175982)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise High Availability Extension 15 SP2
  zypper in -t patch SUSE-SLE-Product-HA-15-SP2-2021-2435=1
• SUSE Linux Enterprise High Availability Extension 15 SP3
  zypper in -t patch SUSE-SLE-Product-HA-15-SP3-2021-2435=1

Package List:

• SUSE Linux Enterprise High Availability Extension 15 SP2 (noarch)
  • crmsh-scripts-4.3.1+20210702.4e0ee8fb-5.59.1
  • crmsh-4.3.1+20210702.4e0ee8fb-5.59.1
• SUSE Linux Enterprise High Availability Extension 15 SP3 (noarch)
  • crmsh-scripts-4.3.1+20210702.4e0ee8fb-5.59.1
  • crmsh-4.3.1+20210702.4e0ee8fb-5.59.1

References:

• https://www.suse.com/security/cve/CVE-2020-35459.html
• https://bugzilla.suse.com/show_bug.cgi?id=1163460
• https://bugzilla.suse.com/show_bug.cgi?id=1175982
• https://bugzilla.suse.com/show_bug.cgi?id=1179999
• https://bugzilla.suse.com/show_bug.cgi?id=1184465
• https://bugzilla.suse.com/show_bug.cgi?id=1185423
• https://bugzilla.suse.com/show_bug.cgi?id=1187553
• https://jira.suse.com/browse/SLE-17979