Security update for libeconf, shadow and util-linux

Announcement ID:	SUSE-SU-2022:0727-2
Rating:	moderate
References:	bsc#1188507 bsc#1192954 bsc#1193632 bsc#1194976 jsc#SLE-23384 jsc#SLE-23402
Cross-References:	CVE-2021-3995 CVE-2021-3996
CVSS scores:	CVE-2021-3995 ( SUSE ): 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-3995 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-3996 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-3996 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Affected Products:	SUSE Linux Enterprise Micro 5.2 SUSE Linux Enterprise Micro for Rancher 5.2

An update that solves two vulnerabilities, contains two features and has two security fixes can now be installed.

Description:

This security update for libeconf, shadow and util-linux fix the following issues:

libeconf:

• Add libeconf to SLE-Module-Basesystem_15-SP3 because needed by 'util-linux' and 'shadow' to fix autoyast handling of security related parameters (bsc#1192954, jsc#SLE-23384, jsc#SLE-23402)

Issues fixed in libeconf: - Reading numbers with different bases (e.g. oktal) (bsc#1193632) (#157) - Fixed different issues while writing string values to file. - Writing comments to file too. - Fixed crash while merging values. - Added econftool cat option (#146) - new API call: econf_readDirsHistory (showing ALL locations) - new API call: econf_getPath (absolute path of the configuration file) - Man pages libeconf.3 and econftool.8. - Handling multiline strings. - Added libeconf_ext which returns more information like line_nr, comments, path of the configuration file,... - Econftool, an command line interface for handling configuration files. - Generating HTML API documentation with doxygen. - Improving error handling and semantic file check. - Joining entries with the same key to one single entry if env variable ECONF_JOIN_SAME_ENTRIES has been set.

shadow:

• The legacy code does not support /etc/login.defs.d used by YaST. Enable libeconf to read it (bsc#1192954, jsc#SLE-23384, jsc#SLE-23402)

util-linux:

• The legacy code does not support /etc/login.defs.d used by YaST. Enable libeconf to read it (bsc#1192954, jsc#SLE-23384, jsc#SLE-23402)
• Allow use of larger values for start sector to prevent blockdev --report aborting (bsc#1188507)
• Fixed blockdev --report using non-space characters as a field separator (bsc#1188507)
• CVE-2021-3995: Fixed unauthorized unmount in util-linux's libmount. (bsc#1194976)
• CVE-2021-3996: Fixed unauthorized unmount in util-linux's libmount. (bsc#1194976)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Micro 5.2
  zypper in -t patch SUSE-SUSE-MicroOS-5.2-2022-727=1
• SUSE Linux Enterprise Micro for Rancher 5.2
  zypper in -t patch SUSE-SUSE-MicroOS-5.2-2022-727=1

Package List:

• SUSE Linux Enterprise Micro 5.2 (aarch64 s390x x86_64)
  • libmount1-2.36.2-150300.4.14.3
  • libblkid1-debuginfo-2.36.2-150300.4.14.3
  • libuuid1-2.36.2-150300.4.14.3
  • libsmartcols1-debuginfo-2.36.2-150300.4.14.3
  • libfdisk1-2.36.2-150300.4.14.3
  • libblkid1-2.36.2-150300.4.14.3
  • libeconf-debugsource-0.4.4+git20220104.962774f-150300.3.6.2
  • shadow-debuginfo-4.8.1-150300.4.3.8
  • libfdisk1-debuginfo-2.36.2-150300.4.14.3
  • util-linux-debuginfo-2.36.2-150300.4.14.3
  • libuuid1-debuginfo-2.36.2-150300.4.14.3
  • libmount1-debuginfo-2.36.2-150300.4.14.3
  • util-linux-systemd-debuginfo-2.36.2-150300.4.14.2
  • shadow-4.8.1-150300.4.3.8
  • util-linux-systemd-debugsource-2.36.2-150300.4.14.2
  • util-linux-debugsource-2.36.2-150300.4.14.3
  • libeconf0-debuginfo-0.4.4+git20220104.962774f-150300.3.6.2
  • libsmartcols1-2.36.2-150300.4.14.3
  • util-linux-systemd-2.36.2-150300.4.14.2
  • util-linux-2.36.2-150300.4.14.3
  • libeconf0-0.4.4+git20220104.962774f-150300.3.6.2
  • shadow-debugsource-4.8.1-150300.4.3.8
• SUSE Linux Enterprise Micro 5.2 (noarch)
  • login_defs-4.8.1-150300.4.3.8
• SUSE Linux Enterprise Micro for Rancher 5.2 (aarch64 s390x x86_64)
  • libmount1-2.36.2-150300.4.14.3
  • libblkid1-debuginfo-2.36.2-150300.4.14.3
  • libuuid1-2.36.2-150300.4.14.3
  • libsmartcols1-debuginfo-2.36.2-150300.4.14.3
  • libfdisk1-2.36.2-150300.4.14.3
  • libblkid1-2.36.2-150300.4.14.3
  • libeconf-debugsource-0.4.4+git20220104.962774f-150300.3.6.2
  • shadow-debuginfo-4.8.1-150300.4.3.8
  • libfdisk1-debuginfo-2.36.2-150300.4.14.3
  • util-linux-debuginfo-2.36.2-150300.4.14.3
  • libuuid1-debuginfo-2.36.2-150300.4.14.3
  • libmount1-debuginfo-2.36.2-150300.4.14.3
  • util-linux-systemd-debuginfo-2.36.2-150300.4.14.2
  • shadow-4.8.1-150300.4.3.8
  • util-linux-systemd-debugsource-2.36.2-150300.4.14.2
  • util-linux-debugsource-2.36.2-150300.4.14.3
  • libeconf0-debuginfo-0.4.4+git20220104.962774f-150300.3.6.2
  • libsmartcols1-2.36.2-150300.4.14.3
  • util-linux-systemd-2.36.2-150300.4.14.2
  • util-linux-2.36.2-150300.4.14.3
  • libeconf0-0.4.4+git20220104.962774f-150300.3.6.2
  • shadow-debugsource-4.8.1-150300.4.3.8
• SUSE Linux Enterprise Micro for Rancher 5.2 (noarch)
  • login_defs-4.8.1-150300.4.3.8

References:

• https://www.suse.com/security/cve/CVE-2021-3995.html
• https://www.suse.com/security/cve/CVE-2021-3996.html
• https://bugzilla.suse.com/show_bug.cgi?id=1188507
• https://bugzilla.suse.com/show_bug.cgi?id=1192954
• https://bugzilla.suse.com/show_bug.cgi?id=1193632
• https://bugzilla.suse.com/show_bug.cgi?id=1194976
• https://jira.suse.com/browse/SLE-23384
• https://jira.suse.com/browse/SLE-23402