openSUSE Security Update: Security update for EternalTerminal ______________________________________________________________________________ Announcement ID: openSUSE-SU-2023:0041-1 Rating: important References: #1207123 #1207124 Cross-References: CVE-2022-48257 CVE-2022-48258 CVSS scores: CVE-2022-48257 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2022-48258 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Affected Products: openSUSE Backports SLE-15-SP4 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for EternalTerminal fixes the following issues: EternalTerminal was updated to 6.2.4: * CVE-2022-48257, CVE-2022-48258 remedied * fix readme regarding port forwarding #522 * Fix test failures that started appearing in CI #526 * Add documentation for the EternalTerminal protocol #523 * ssh-et: apply upstream updates #527 * docs: write gpg key to trusted.gpg.d for APT #530 * Support for ipv6 addresses (with or without port specified) #536 * ipv6 abbreviated address support #539 * Fix launchd plist config to remove daemonization. #540 * Explicitly set verbosity from cxxopts value. #542 * Remove daemon flag in systemd config #549 * Format all source with clang-format. #552 * Fix tunnel parsing exception handling. #550 * Fix SIGTERM behavior that causes systemd control of etserver to timeout. #554 * Parse telemetry ini config as boolean and make telemetry opt-in. #553 * Logfile open mode and permission plus location configurability. #556 - boo#1207123 (CVE-2022-48257) Fix predictable logfile names in /tmp - boo#1207124 (CVE-2022-48258) Fix etserver and etclient have world-readable logfiles - Note: Upstream released 6.2.2 with fixes then 6.2.4 and later removed 6.2.2 and redid 6.2.4 Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP4: zypper in -t patch openSUSE-2023-41=1 Package List: - openSUSE Backports SLE-15-SP4 (aarch64 x86_64): EternalTerminal-6.2.4-bp154.2.6.1 References: https://www.suse.com/security/cve/CVE-2022-48257.html https://www.suse.com/security/cve/CVE-2022-48258.html https://bugzilla.suse.com/1207123 https://bugzilla.suse.com/1207124