openSUSE-SU-2023:0041-1: important: Security update for EternalTerminal
openSUSE Security Update: Security update for EternalTerminal
______________________________________________________________________________
Announcement ID: openSUSE-SU-2023:0041-1
Rating: important
References: #1207123 #1207124
Cross-References: CVE-2022-48257 CVE-2022-48258
CVSS scores:
CVE-2022-48257 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE-2022-48258 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Affected Products:
openSUSE Backports SLE-15-SP4
______________________________________________________________________________
An update that fixes two vulnerabilities is now available.
Description:
This update for EternalTerminal fixes the following issues:
EternalTerminal was updated to 6.2.4:
* CVE-2022-48257, CVE-2022-48258 remedied
* fix readme regarding port forwarding #522
* Fix test failures that started appearing in CI #526
* Add documentation for the EternalTerminal protocol #523
* ssh-et: apply upstream updates #527
* docs: write gpg key to trusted.gpg.d for APT #530
* Support for ipv6 addresses (with or without port specified) #536
* ipv6 abbreviated address support #539
* Fix launchd plist config to remove daemonization. #540
* Explicitly set verbosity from cxxopts value. #542
* Remove daemon flag in systemd config #549
* Format all source with clang-format. #552
* Fix tunnel parsing exception handling. #550
* Fix SIGTERM behavior that causes systemd control of etserver to
timeout. #554
* Parse telemetry ini config as boolean and make telemetry opt-in. #553
* Logfile open mode and permission plus location configurability. #556
- boo#1207123 (CVE-2022-48257) Fix predictable logfile names in /tmp
- boo#1207124 (CVE-2022-48258) Fix etserver and etclient have
world-readable logfiles
- Note: Upstream released 6.2.2 with fixes then 6.2.4 and later removed
6.2.2 and redid 6.2.4
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP4:
zypper in -t patch openSUSE-2023-41=1
Package List:
- openSUSE Backports SLE-15-SP4 (aarch64 x86_64):
EternalTerminal-6.2.4-bp154.2.6.1
References:
https://www.suse.com/security/cve/CVE-2022-48257.html
https://www.suse.com/security/cve/CVE-2022-48258.html
https://bugzilla.suse.com/1207123
https://bugzilla.suse.com/1207124
An EternalTerminal security update has been released for SUSE Linux Enterprise 15 SP4.