openSUSE Security Update: Security update for lynis ______________________________________________________________________________
Announcement ID: openSUSE-SU-2017:1595-1 Rating: moderate References: #1043463 Cross-References: CVE-2017-8108 Affected Products: openSUSE Leap 42.2 ______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for lynis fixes the following issues:
Lynis 2.5.1:
* Improved detection of SSL certificate files * Minor changes to improve logging and results * Firewall tests: Determine if CSF is in testing mode
The Update also includes changes from Lynis 2.5.0:
* CVE-2017-8108: symlink attack may have allowed arbitrary file overwrite or privilege escalation (boo#1043463) * Deleted unused tests from database file * Additional sysctls are tested * Extended test with Symantec components * Snort detection * Snort configuration file
The update also includes Lynis 2.4.8 (Changelog from 2.4.1)
* More PHP paths added * Minor changes to text * Show atomic test in report * Added FileInstalledByPackage function (dpkg and rpm supported) * Mark Arch Linux version as rolling release (instead of unknown) * Support for Manjaro Linux * Escape files when testing if they are readable * Code cleanups * Allow host alias to be specified in profile * Code readability enhancements * Solaris support has been improved * Fix for upload function to be used from profile * Reduce screen output for mail section, unless --verbose is used * Code cleanups and removed 'update release' command * Colored output can now be tuned with profile (colors=yes/no) * Allow data upload to be set as a profile option * Properly detect SSH daemon version * Generic code improvements * Improved the update check and display * Finish, Portuguese, and Turkish translation * Extended support and tests for DragonFlyBSD * Option to configure hostid and hostid2 in profile * Support for Trend Micro and Cylance (macOS) * Remove comments at end of nginx configuration * Used machine ID to create host ID when no SSH keys are available * Added detection of iptables-save to binaries
And Lynis 2.4.0
* Mainly improved support for macOS users * Support for CoreOS * Support for clamconf utility * Support for chinese translation * More sysctl values in the default profile * New commands: "upload-only", "show hostids", "show environment", "show os"
Patch Instructions:
To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:
- openSUSE Leap 42.2:
zypper in -t patch openSUSE-2017-705=1
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE Leap 42.2 (noarch):
lynis-2.5.1-2.3.1
References:
https://www.suse.com/security/cve/CVE-2017-8108.html https://bugzilla.suse.com/1043463