openSUSE-SU-2019:0293-1: important: Security update for supportutils
openSUSE Security Update: Security update for supportutils
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2019:0293-1
Rating:             important
References:         #1043311 #1046681 #1051797 #1071545 #1105849 #1112461
                    #1115245 #1117776 #1118460 #1118462 #1118463 #1125609
                    #1125666
Cross-References:   CVE-2018-19637 CVE-2018-19638 CVE-2018-19639
                    CVE-2018-19640
Affected Products:  openSUSE Leap 15.0
______________________________________________________________________________

An update that solves four vulnerabilities and has 9 fixes is now available.

Description:

This update for supportutils fixes the following issues:

Security issues fixed:

- CVE-2018-19640: Fixed an issue where users could kill arbitrary processes (bsc#1118463).
- CVE-2018-19638: Fixed an issue where users could overwrite arbitrary log files (bsc#1118460).
- CVE-2018-19639: Fixed a code execution if run with -v (bsc#1118462).
- CVE-2018-19637: Fixed an issue where static temporary filename could allow overwriting of files (bsc#1117776).

Other issues fixed:

- Fixed invalid exit code commands (bsc#1125666).
- Included additional SUSE separation (bsc#1125609).
- Merged added listing of locked packages by zypper.
- Exclude pam.txt per GDPR by default (bsc#1112461).
- Clarified -x functionality in supportconfig(8) (bsc#1115245).
- udev service and provide the whole journal content in supportconfig (bsc#1051797).
- supportconfig collects tuned profile settings (bsc#1071545).
- sfdisk -d no disk device specified (bsc#1043311).
- Added vulnerabilities status check in basic-health.txt (bsc#1105849).
- Added only sched_domain from cpu0.
- Blacklist sched_domain from proc.txt (bsc#1046681).
- Added firewall-cmd info.
- Add ls -lA --time-style=long-iso /etc/products.d/
- Dump lsof errors.
- Added corosync status to ha_info.
- Dump find errors in ib_info.

This update was imported from the SUSE:SLE-15:Update update project.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

    zypper in -t patch openSUSE-2019-293=1

Package List:

- openSUSE Leap 15.0 (noarch):

    supportutils-3.1-lp150.4.3.1

References:

https://www.suse.com/security/cve/CVE-2018-19637.html
https://www.suse.com/security/cve/CVE-2018-19638.html
https://www.suse.com/security/cve/CVE-2018-19639.html
https://www.suse.com/security/cve/CVE-2018-19640.html
https://bugzilla.suse.com/1043311
https://bugzilla.suse.com/1046681
https://bugzilla.suse.com/1051797
https://bugzilla.suse.com/1071545
https://bugzilla.suse.com/1105849
https://bugzilla.suse.com/1112461
https://bugzilla.suse.com/1115245
https://bugzilla.suse.com/1117776
https://bugzilla.suse.com/1118460
https://bugzilla.suse.com/1118462
https://bugzilla.suse.com/1118463
https://bugzilla.suse.com/1125609
https://bugzilla.suse.com/1125666
opensuse-security@opensuse.org