Security update for supportutils

Announcement ID:	SUSE-SU-2019:0480-1
Rating:	important
References:	bsc#1043311 bsc#1046681 bsc#1051797 bsc#1071545 bsc#1105849 bsc#1112461 bsc#1115245 bsc#1117776 bsc#1118460 bsc#1118462 bsc#1118463 bsc#1125609 bsc#1125666
Cross-References:	CVE-2018-19637 CVE-2018-19638 CVE-2018-19639 CVE-2018-19640
CVSS scores:	CVE-2018-19637 ( SUSE ): 7.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVE-2018-19637 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVE-2018-19638 ( SUSE ): 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVE-2018-19638 ( NVD ): 4.7 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N CVE-2018-19639 ( SUSE ): 7.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVE-2018-19639 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-19640 ( SUSE ): 5.0 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H CVE-2018-19640 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Affected Products:	Basesystem Module 15 SUSE Linux Enterprise Desktop 15 SUSE Linux Enterprise High Performance Computing 15 SUSE Linux Enterprise Server 15 SUSE Linux Enterprise Server for SAP Applications 15

An update that solves four vulnerabilities and has nine security fixes can now be installed.

Description:

This update for supportutils fixes the following issues:

Security issues fixed:

• CVE-2018-19640: Fixed an issue where users could kill arbitrary processes (bsc#1118463).
• CVE-2018-19638: Fixed an issue where users could overwrite arbitrary log files (bsc#1118460).
• CVE-2018-19639: Fixed a code execution if run with -v (bsc#1118462).
• CVE-2018-19637: Fixed an issue where static temporary filename could allow overwriting of files (bsc#1117776).

Other issues fixed:

• Fixed invalid exit code commands (bsc#1125666).
• Included additional SUSE separation (bsc#1125609).
• Merged added listing of locked packes by zypper.
• Exclude pam.txt per GDPR by default (bsc#1112461).
• Clarified -x functionality in supportconfig(8) (bsc#1115245).
• udev service and provide the whole journal content in supportconfig (bsc#1051797).
• supportconfig collects tuned profile settings (bsc#1071545).
• sfdisk -d no disk device specified (bsc#1043311).
• Added vulnerabilites status check in basic-health.txt (bsc#1105849).
• Added only sched_domain from cpu0.
• Blacklist sched_domain from proc.txt (bsc#1046681).
• Added firewall-cmd info.
• Add ls -lA --time-style=long-iso /etc/products.d/
• Dump lsof errors.
• Added corosync status to ha_info.
• Dump find errors in ib_info.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Basesystem Module 15
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-2019-480=1

Package List:

• Basesystem Module 15 (noarch)
  • supportutils-3.1-5.7.1

References:

• https://www.suse.com/security/cve/CVE-2018-19637.html
• https://www.suse.com/security/cve/CVE-2018-19638.html
• https://www.suse.com/security/cve/CVE-2018-19639.html
• https://www.suse.com/security/cve/CVE-2018-19640.html
• https://bugzilla.suse.com/show_bug.cgi?id=1043311
• https://bugzilla.suse.com/show_bug.cgi?id=1046681
• https://bugzilla.suse.com/show_bug.cgi?id=1051797
• https://bugzilla.suse.com/show_bug.cgi?id=1071545
• https://bugzilla.suse.com/show_bug.cgi?id=1105849
• https://bugzilla.suse.com/show_bug.cgi?id=1112461
• https://bugzilla.suse.com/show_bug.cgi?id=1115245
• https://bugzilla.suse.com/show_bug.cgi?id=1117776
• https://bugzilla.suse.com/show_bug.cgi?id=1118460
• https://bugzilla.suse.com/show_bug.cgi?id=1118462
• https://bugzilla.suse.com/show_bug.cgi?id=1118463
• https://bugzilla.suse.com/show_bug.cgi?id=1125609
• https://bugzilla.suse.com/show_bug.cgi?id=1125666