openSUSE Security Update: Security update for permissions ______________________________________________________________________________ Announcement ID: openSUSE-SU-2020:0302-1 Rating: moderate References: #1148788 #1160594 #1160764 #1161779 #1163922 Cross-References: CVE-2019-3687 CVE-2020-8013 Affected Products: openSUSE Leap 15.1 ______________________________________________________________________________ An update that solves two vulnerabilities and has three fixes is now available. Description: This update for permissions fixes the following issues: Security issues fixed: - CVE-2019-3687: Fixed a privilege escalation which could allow a local user to read network traffic if wireshark is installed (bsc#1148788) - CVE-2020-8013: Fixed an issue where chkstat set unintended setuid/capabilities for mrsh and wodim (bsc#1163922). Non-security issues fixed: - Fixed a regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594). - Fixed capability handling when doing multiple permission changes at once (bsc#1161779). This update was imported from the SUSE:SLE-15-SP1:Update update project. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.1: zypper in -t patch openSUSE-2020-302=1 Package List: - openSUSE Leap 15.1 (i586 x86_64): permissions-20181116-lp151.4.12.1 permissions-debuginfo-20181116-lp151.4.12.1 permissions-debugsource-20181116-lp151.4.12.1 - openSUSE Leap 15.1 (noarch): permissions-zypp-plugin-20181116-lp151.4.12.1 References: https://www.suse.com/security/cve/CVE-2019-3687.html https://www.suse.com/security/cve/CVE-2020-8013.html https://bugzilla.suse.com/1148788 https://bugzilla.suse.com/1160594 https://bugzilla.suse.com/1160764 https://bugzilla.suse.com/1161779 https://bugzilla.suse.com/1163922 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security-announce+help@opensuse.org