Security update for WebYaST

SUSE Security Update: Security update for WebYaST
Announcement ID: SUSE-SU-2014:0022-1
Rating: important
References: #851116
Affected Products:
  • WebYaST 1.2

An update that fixes one vulnerability is now available. It includes one version update.

    Description:


    In the past, WebYaST was installed with world-readable
    secret tokens. Although these were modified when the
    webyast service started and so could not be read
    remotely, local attackers on the same machine could
    read the secrets and so gain local root access
    via the webyast services. This has been fixed.
    (CVE-2013-3709)

    Security Issue reference:

    * CVE-2013-3709

    Patch Instructions:

    To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product:

    • WebYaST 1.2:
      zypper in -t patch slewyst12-webyast-base-ui-8706

    To bring your system up-to-date, use "zypper patch".
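
A check to run after patching, added here and not part of the SUSE advisory: it lists files under a directory that users outside the owner and group can read, which is the condition the description above says exposed the secret tokens. The advisory does not name the token files, so the directory is supplied by the caller; `SECRET_DIR`, `world_readable` and `audit_secrets` are hypothetical names.

```shell
#!/bin/sh
# Added example, not SUSE code. Audits plain mode bits only; ACLs and
# directories above the audited root are not considered.

# world_readable ROOT
# Print every regular file under ROOT that has the other-read bit set.
# Directories without the other-execute bit are pruned, because other
# users cannot reach anything beneath them regardless of file mode.
world_readable() {
    find "$1" -type d ! -perm -001 -prune -o -type f -perm -004 -print
}

# audit_secrets ROOT
# Returns 0 if nothing under ROOT is world-readable, 1 if something is,
# 2 if ROOT is not a directory.
audit_secrets() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "audit: $dir is not a directory" >&2
        return 2
    fi
    hits=$(world_readable "$dir")
    if [ -n "$hits" ]; then
        echo "$hits" | while IFS= read -r f; do
            mode=$(ls -ld -- "$f" | cut -d' ' -f1)
            echo "WORLD-READABLE: $f ($mode)"
        done
        return 1
    fi
    echo "OK: no world-readable files under $dir"
    return 0
}

# SECRET_DIR is a caller-supplied placeholder for the directory that
# holds the application's secret files; nothing runs if it is unset.
if [ -n "${SECRET_DIR:-}" ]; then
    audit_secrets "$SECRET_DIR"
fi
```

Run it as root so that `find` can descend into every directory under the audited root.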

    Package List:

    • WebYaST 1.2 (noarch) [New Version: 0.2.64]:
      • webyast-base-ui-0.2.64-0.3.1
      • webyast-base-ui-branding-default-0.2.64-0.3.1
      • webyast-base-ui-testsuite-0.2.64-0.3.1

    References:

    • http://support.novell.com/security/cve/CVE-2013-3709.html
    • https://bugzilla.novell.com/851116
    • http://download.suse.com/patch/finder/?keywords=af7e4362e22d530ab6e447346f0afdfb