SUSE 5152 Published by

The following updates has been released for openSUSE:

openSUSE-SU-2018:4181-1: important: Security update for go1.11
openSUSE-SU-2018:4197-1: moderate: Security update for salt



openSUSE-SU-2018:4181-1: important: Security update for go1.11

openSUSE Security Update: Security update for go1.11
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:4181-1
Rating: important
References: #1098017 #1113978 #1118897 #1118898 #1118899
#1119634 #1119706
Cross-References: CVE-2018-16873 CVE-2018-16874 CVE-2018-16875

Affected Products:
openSUSE Leap 42.3
openSUSE Leap 15.0
______________________________________________________________________________

An update that solves three vulnerabilities and has four
fixes is now available.

Description:

This new package for go1.11 fixes the following issues:

Security issues fixed:

- CVE-2018-16873: Fixed a remote code execution in go get, when executed
with the -u flag (bsc#1118897)
- CVE-2018-16874: Fixed an arbitrary filesystem write in go get, which
could lead to code execution (bsc#1118898)
- CVE-2018-16875: Fixed a Denial of Service in the crypto/x509 package
during certificate chain validation(bsc#1118899)

Non-security issues fixed:

- Fixed build error with PIE linker flags on ppc64le (bsc#1113978
bsc#1098017)
- Make profile.d/go.sh no longer set GOROOT=, in order to make switching
between versions no longer break. This ends up removing the need for
go.sh entirely (because GOPATH is also set automatically) (bsc#1119634)

The following tracked regression fix is included:

- Fix a regression that broke go get for import path patterns containing
"..." (bsc#1119706)


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-1572=1

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-1572=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

go1.11-1.11.4-2.1
go1.11-doc-1.11.4-2.1

- openSUSE Leap 42.3 (x86_64):

go1.11-race-1.11.4-2.1

- openSUSE Leap 15.0 (x86_64):

go1.11-1.11.4-lp150.2.1
go1.11-doc-1.11.4-lp150.2.1
go1.11-race-1.11.4-lp150.2.1


References:

https://www.suse.com/security/cve/CVE-2018-16873.html
https://www.suse.com/security/cve/CVE-2018-16874.html
https://www.suse.com/security/cve/CVE-2018-16875.html
https://bugzilla.suse.com/1098017
https://bugzilla.suse.com/1113978
https://bugzilla.suse.com/1118897
https://bugzilla.suse.com/1118898
https://bugzilla.suse.com/1118899
https://bugzilla.suse.com/1119634
https://bugzilla.suse.com/1119706

--


openSUSE-SU-2018:4197-1: moderate: Security update for salt

openSUSE Security Update: Security update for salt
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:4197-1
Rating: moderate
References: #1104491 #1107333 #1108557 #1108834 #1108995
#1109893 #1110938 #1112874 #1113698 #1113699
#1113784 #1114197 #1114824
Cross-References: CVE-2018-15750 CVE-2018-15751
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that solves two vulnerabilities and has 11 fixes
is now available.

Description:

This update for salt fixes the following issues:

- Crontab module fix: file attributes option missing (boo#1114824)
- Fix git_pillar merging across multiple __env__ repositories (boo#1112874)
- Bugfix: unable to detect os arch when RPM is not installed (boo#1114197)
- Fix LDAP authentication issue when a valid token is generated by the
salt-api even when invalid user credentials are passed. (U#48901)
- Improved handling of LDAP group id. gid is no longer treated as a
string, which could have lead to faulty group creations. (boo#1113784)
- Fix remote command execution and incorrect access control when using
salt-api. (boo#1113699) (CVE-2018-15751)
- Fix Directory traversal vulnerability when using salt-api. Allows an
attacker to determine what files exist on a server when querying /run or
/events. (boo#1113698) (CVE-2018-15750)
- Add multi-file support and globbing to the filetree (U#50018)
- Bugfix: supportconfig non-root permission issues (U#50095)
- Open profiles permissions to everyone for read-only
- Preserving signature in "module.run" state (U#50049)
- Install default salt-support profiles
- Remove unit test, came from a wrong branch. Fix merging failure.
- Add CPE_NAME for osversion* grain parsing
- Get os_family for RPM distros from the RPM macros
- Install support profiles
- Fix async call to process manager (boo#1110938)
- Salt-based supportconfig implementation (technology preview)
- Bugfix: any unicode string of length 16 will raise TypeError
- Fix IPv6 scope (boo#1108557)
- Handle zypper ZYPPER_EXIT_NO_REPOS exit code (boo#1108834, boo#1109893)
- Bugfix for pkg_resources crash (boo#1104491)
- Fix loosen azure sdk dependencies in azurearm cloud driver (boo#1107333)
- Fix broken "resolve_capabilities" on Python 3 (boo#1108995)


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-1574=1



Package List:

- openSUSE Leap 42.3 (noarch):

salt-bash-completion-2018.3.0-23.1
salt-fish-completion-2018.3.0-23.1
salt-zsh-completion-2018.3.0-23.1

- openSUSE Leap 42.3 (x86_64):

python2-salt-2018.3.0-23.1
python3-salt-2018.3.0-23.1
salt-2018.3.0-23.1
salt-api-2018.3.0-23.1
salt-cloud-2018.3.0-23.1
salt-doc-2018.3.0-23.1
salt-master-2018.3.0-23.1
salt-minion-2018.3.0-23.1
salt-proxy-2018.3.0-23.1
salt-ssh-2018.3.0-23.1
salt-syndic-2018.3.0-23.1


References:

https://www.suse.com/security/cve/CVE-2018-15750.html
https://www.suse.com/security/cve/CVE-2018-15751.html
https://bugzilla.suse.com/1104491
https://bugzilla.suse.com/1107333
https://bugzilla.suse.com/1108557
https://bugzilla.suse.com/1108834
https://bugzilla.suse.com/1108995
https://bugzilla.suse.com/1109893
https://bugzilla.suse.com/1110938
https://bugzilla.suse.com/1112874
https://bugzilla.suse.com/1113698
https://bugzilla.suse.com/1113699
https://bugzilla.suse.com/1113784
https://bugzilla.suse.com/1114197
https://bugzilla.suse.com/1114824

--