Security update for susestudio

Announcement ID:	SUSE-SU-2017:0475-1
Rating:	moderate
References:	bsc#870697 bsc#887489 bsc#929102 bsc#942185 bsc#947225 bsc#963741 bsc#968797 bsc#969322 bsc#972406 bsc#972425 bsc#974130 bsc#979110 bsc#979124 bsc#981095 bsc#983404 bsc#983999
Cross-References:	CVE-2015-3448 CVE-2015-7576 CVE-2015-7577 CVE-2016-0751 CVE-2016-0752
CVSS scores:	CVE-2015-7576 ( NVD ): 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2015-7577 ( NVD ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2016-0751 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2016-0752 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Products:	SUSE Studio Onsite 1.3

An update that solves five vulnerabilities and has 11 security fixes can now be installed.

Description:

This update provides SUSE Studio Runner 1.3.14, which brings fixes for the following issues:

• bsc#968797: 11 SP3 appliance gets invalid distribution upgrade from SLMS.
• bsc#947225: Second build of appliance will not register to SLMS, wrong product name.
• bsc#983404: UEFI boot missing for SLE11 SP4.
• bsc#972406: Kiwi export config.sh script has /build-custom out of order.
• bsc#981095: Add user "ldap" to default_users list for assigning owners for overlay files.
• bsc#972425: Runlevel 3 is being ignored in appliance configuration.
• bsc#983999: SLES 12 appliance build does not include gpg keys from base product.
• bsc#979110: SLES 12 will not build for EC2.
• bsc#929102: Plaintext Password Local Disclosure in rubygem-rest-client. (CVE-2015-3448)
• bsc#963741: Security fixes for Rails v3.2.22. (CVE-2015-7576, CVE-2015-7577, CVE-2016-0751, CVE-2016-0752)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Studio Onsite 1.3
  zypper in -t patch slestso13-susestudio-12990=1

Package List:

• SUSE Studio Onsite 1.3 (x86_64)
  • libjansson4-2.2.1-0.9.11.6
  • susestudio-runner-1.3.14-52.1
  • susestudio-ui-server-1.3.14-52.1
  • rubygem-bundler19-1.7.0-0.13.10
  • qemu-ext2-0.1.1-0.9.4.19
  • libcontainment-insomnia-0.1.1-0.9.4.19
  • susestudio-common-1.3.14-52.1
  • susestudio-sid-1.3.14-52.1
  • susestudio-bundled-packages-1.3.14-52.1
  • susestudio-1.3.14-52.1
• SUSE Studio Onsite 1.3 (noarch)
  • studio-help-1.3.20-0.6.9

References:

• https://www.suse.com/security/cve/CVE-2015-3448.html
• https://www.suse.com/security/cve/CVE-2015-7576.html
• https://www.suse.com/security/cve/CVE-2015-7577.html
• https://www.suse.com/security/cve/CVE-2016-0751.html
• https://www.suse.com/security/cve/CVE-2016-0752.html
• https://bugzilla.suse.com/show_bug.cgi?id=870697
• https://bugzilla.suse.com/show_bug.cgi?id=887489
• https://bugzilla.suse.com/show_bug.cgi?id=929102
• https://bugzilla.suse.com/show_bug.cgi?id=942185
• https://bugzilla.suse.com/show_bug.cgi?id=947225
• https://bugzilla.suse.com/show_bug.cgi?id=963741
• https://bugzilla.suse.com/show_bug.cgi?id=968797
• https://bugzilla.suse.com/show_bug.cgi?id=969322
• https://bugzilla.suse.com/show_bug.cgi?id=972406
• https://bugzilla.suse.com/show_bug.cgi?id=972425
• https://bugzilla.suse.com/show_bug.cgi?id=974130
• https://bugzilla.suse.com/show_bug.cgi?id=979110
• https://bugzilla.suse.com/show_bug.cgi?id=979124
• https://bugzilla.suse.com/show_bug.cgi?id=981095
• https://bugzilla.suse.com/show_bug.cgi?id=983404
• https://bugzilla.suse.com/show_bug.cgi?id=983999