Security update for velum

Announcement ID: SUSE-SU-2018:1082-1
Rating: moderate
References:
Cross-References:
CVSS scores:
  • CVE-2018-3741 ( SUSE ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
  • CVE-2018-3741 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  • CVE-2018-3741 ( NVD ): 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  • CVE-2018-8048 ( SUSE ): 5.4 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
  • CVE-2018-8048 ( NVD ): 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected Products:
  • SUSE Container as a Service Platform 1.0
  • SUSE Container as a Service Platform 2.0

An update that solves two vulnerabilities can now be installed.

Description:

This update for velum fixes the following issues in its embedded ruby on rails packages:

  • CVE-2018-3741: Insufficient filtering in scrub_attribute could lead to XSS. (bsc#1086598)
  • CVE-2018-8048: Non-whitelisted HTML attributes may occur in sanitized output by republishing a crafted HTML fragment leading to XSS. (bsc#1085967)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Container as a Service Platform 2.0
    To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.
  • SUSE Container as a Service Platform 1.0
    To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.

Package List:

  • SUSE Container as a Service Platform 2.0 (x86_64)
    • sles12-velum-image-2.0.1-2.7.3
  • SUSE Container as a Service Platform 1.0 (x86_64)
    • sles12-velum-image-2.0.1-2.7.3

References: