SUSE Security Update: Security update for SUSE Studio Onsite 1.2 and kiwi
______________________________________________________________________________

Announcement ID:    SUSE-SU-2011:1324-1
Rating:             critical
References:         #705694 #707637 #709572 #710392 #710403 #714755 
                    #716992 #725445 #725466 #725706 #728934 #729204 
                    #729273 #729315 #729675 
Cross-References:   CVE-2011-2225 CVE-2011-2226 CVE-2011-3180
                    CVE-2011-4192 CVE-2011-4193 CVE-2011-4195
                   
Affected Products:
                    SUSE Studio Onsite 1.2
                    SUSE Studio Extension for System z 1.2
______________________________________________________________________________

   An update that solves 6 vulnerabilities and has 9 fixes is
   now available. It includes two new package versions.

Description:


   Fix for several vulnerabilities in SUSE Studio Onsite 1.2
   and kiwi:

   * CVE-2011-2225: The path of overlay files was not
   escaped which allowed shell meta character injection.
   * CVE-2011-2226: By using an untrusted software
   repository a user becomes vulnerable to a XSS attack when
   displaying pattern files (clicking "All patterns" in the
   software tab).
   * CVE-2011-3180: The path of overlay files was not
   escaped which allowed shell meta character injection via
   the chown(1) command-line. (kiwi)
   * CVE-2011-4195: The image name was not escaped
   properly and can be used in conjunction with other
   applications to execute arbitrary shell commands. (kiwi)
   * CVE-2011-4193: XSS vulnerability in "overlay files"
   tab can be used to execute arbitrary JavaScript code while
   cloning an appliance from an untrusted source.
   * CVE-2011-4192: Arbitrary shell command injection in
   conjunction with Studio by using double quotes in
   kiwi_oemtitle of .profile. (kiwi)

   In addition, the following non-security fixes were added:

   * Added SLE SDK repos to SLES-for-VMware templates
   * do not overwrite rmds.conf

   Security Issue references:

   * CVE-2011-2225
   
   * CVE-2011-2226
   
   * CVE-2011-3180
   
   * CVE-2011-4195
   
   * CVE-2011-4193
   
   * CVE-2011-4192
   

Indications:

   Please update.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Studio Onsite 1.2:

      zypper in -t patch slestso12-susestudio-201112-5535

   - SUSE Studio Extension for System z 1.2:

      zypper in -t patch slestso12-susestudio-201112-5535

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Studio Onsite 1.2 (x86_64) [New Version: 1.2.1 and 4.85.1]:

      kiwi4-4.85.1-0.22.9
      kiwi4-desc-isoboot-4.85.1-0.22.9
      kiwi4-desc-netboot-4.85.1-0.22.9
      kiwi4-desc-oemboot-4.85.1-0.22.9
      kiwi4-desc-vmxboot-4.85.1-0.22.9
      kiwi4-doc-4.85.1-0.22.9
      kiwi4-tools-4.85.1-0.22.9
      susestudio-1.2.1-0.26.1
      susestudio-clicfs-1.2.1-0.26.1
      susestudio-common-1.2.1-0.26.1
      susestudio-image-helpers-1.2.1-0.3.3
      susestudio-parted-1.2.1-0.26.1
      susestudio-rmds-1.2.1-0.26.1
      susestudio-runner-1.2.1-0.26.1
      susestudio-squashfs-1.2.1-0.26.1
      susestudio-thoth-1.2.1-0.26.1
      susestudio-ui-server-1.2.1-0.26.1

   - SUSE Studio Extension for System z 1.2 (s390x) [New Version: 1.2.1 and 4.85.1]:

      kiwi4-4.85.1-0.22.9
      kiwi4-desc-oemboot-4.85.1-0.22.9
      kiwi4-desc-vmxboot-4.85.1-0.22.9
      kiwi4-tools-4.85.1-0.22.9
      susestudio-1.2.1-0.26.1
      susestudio-common-1.2.1-0.26.1
      susestudio-image-helpers-1.2.1-0.3.3
      susestudio-runner-1.2.1-0.26.1
      susestudio-ui-server-1.2.1-0.26.1


References:

   https://www.suse.com/security/cve/CVE-2011-2225.html
   https://www.suse.com/security/cve/CVE-2011-2226.html
   https://www.suse.com/security/cve/CVE-2011-3180.html
   https://www.suse.com/security/cve/CVE-2011-4192.html
   https://www.suse.com/security/cve/CVE-2011-4193.html
   https://www.suse.com/security/cve/CVE-2011-4195.html
   https://bugzilla.novell.com/705694
   https://bugzilla.novell.com/707637
   https://bugzilla.novell.com/709572
   https://bugzilla.novell.com/710392
   https://bugzilla.novell.com/710403
   https://bugzilla.novell.com/714755
   https://bugzilla.novell.com/716992
   https://bugzilla.novell.com/725445
   https://bugzilla.novell.com/725466
   https://bugzilla.novell.com/725706
   https://bugzilla.novell.com/728934
   https://bugzilla.novell.com/729204
   https://bugzilla.novell.com/729273
   https://bugzilla.novell.com/729315
   https://bugzilla.novell.com/729675
   https://login.microfocus.com/nidp/app/login

SuSE: 2011:1324-1: critical: SUSE Studio Onsite 1.2 and kiwi

December 15, 2011
An update that solves 6 vulnerabilities and has 9 fixes is An update that solves 6 vulnerabilities and has 9 fixes is An update that solves 6 vulnerabilities and has 9 fixes is now...

Summary

   SUSE Security Update: Security update for SUSE Studio Onsite 1.2 and kiwi
______________________________________________________________________________

Announcement ID:    SUSE-SU-2011:1324-1
Rating:             critical
References:         #705694 #707637 #709572 #710392 #710403 #714755 
                    #716992 #725445 #725466 #725706 #728934 #729204 
                    #729273 #729315 #729675 
Cross-References:   CVE-2011-2225 CVE-2011-2226 CVE-2011-3180
                    CVE-2011-4192 CVE-2011-4193 CVE-2011-4195
                   
Affected Products:
                    SUSE Studio Onsite 1.2
                    SUSE Studio Extension for System z 1.2
______________________________________________________________________________

   An update that solves 6 vulnerabilities and has 9 fixes is
   now available. It includes two new package versions.

Description:


   Fix for several vulnerabilities in SUSE Studio Onsite 1.2
   and kiwi:

   * CVE-2011-2225: The path of overlay files was not
   escaped which allowed shell meta character injection.
   * CVE-2011-2226: By using an untrusted software
   repository a user becomes vulnerable to a XSS attack when
   displaying pattern files (clicking "All patterns" in the
   software tab).
   * CVE-2011-3180: The path of overlay files was not
   escaped which allowed shell meta character injection via
   the chown(1) command-line. (kiwi)
   * CVE-2011-4195: The image name was not escaped
   properly and can be used in conjunction with other
   applications to execute arbitrary shell commands. (kiwi)
   * CVE-2011-4193: XSS vulnerability in "overlay files"
   tab can be used to execute arbitrary JavaScript code while
   cloning an appliance from an untrusted source.
   * CVE-2011-4192: Arbitrary shell command injection in
   conjunction with Studio by using double quotes in
   kiwi_oemtitle of .profile. (kiwi)

   In addition, the following non-security fixes were added:

   * Added SLE SDK repos to SLES-for-VMware templates
   * do not overwrite rmds.conf

   Security Issue references:

   * CVE-2011-2225
   
   * CVE-2011-2226
   
   * CVE-2011-3180
   
   * CVE-2011-4195
   
   * CVE-2011-4193
   
   * CVE-2011-4192
   

Indications:

   Please update.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Studio Onsite 1.2:

      zypper in -t patch slestso12-susestudio-201112-5535

   - SUSE Studio Extension for System z 1.2:

      zypper in -t patch slestso12-susestudio-201112-5535

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Studio Onsite 1.2 (x86_64) [New Version: 1.2.1 and 4.85.1]:

      kiwi4-4.85.1-0.22.9
      kiwi4-desc-isoboot-4.85.1-0.22.9
      kiwi4-desc-netboot-4.85.1-0.22.9
      kiwi4-desc-oemboot-4.85.1-0.22.9
      kiwi4-desc-vmxboot-4.85.1-0.22.9
      kiwi4-doc-4.85.1-0.22.9
      kiwi4-tools-4.85.1-0.22.9
      susestudio-1.2.1-0.26.1
      susestudio-clicfs-1.2.1-0.26.1
      susestudio-common-1.2.1-0.26.1
      susestudio-image-helpers-1.2.1-0.3.3
      susestudio-parted-1.2.1-0.26.1
      susestudio-rmds-1.2.1-0.26.1
      susestudio-runner-1.2.1-0.26.1
      susestudio-squashfs-1.2.1-0.26.1
      susestudio-thoth-1.2.1-0.26.1
      susestudio-ui-server-1.2.1-0.26.1

   - SUSE Studio Extension for System z 1.2 (s390x) [New Version: 1.2.1 and 4.85.1]:

      kiwi4-4.85.1-0.22.9
      kiwi4-desc-oemboot-4.85.1-0.22.9
      kiwi4-desc-vmxboot-4.85.1-0.22.9
      kiwi4-tools-4.85.1-0.22.9
      susestudio-1.2.1-0.26.1
      susestudio-common-1.2.1-0.26.1
      susestudio-image-helpers-1.2.1-0.3.3
      susestudio-runner-1.2.1-0.26.1
      susestudio-ui-server-1.2.1-0.26.1


References:

   https://www.suse.com/security/cve/CVE-2011-2225.html
   https://www.suse.com/security/cve/CVE-2011-2226.html
   https://www.suse.com/security/cve/CVE-2011-3180.html
   https://www.suse.com/security/cve/CVE-2011-4192.html
   https://www.suse.com/security/cve/CVE-2011-4193.html
   https://www.suse.com/security/cve/CVE-2011-4195.html
   https://bugzilla.novell.com/705694
   https://bugzilla.novell.com/707637
   https://bugzilla.novell.com/709572
   https://bugzilla.novell.com/710392
   https://bugzilla.novell.com/710403
   https://bugzilla.novell.com/714755
   https://bugzilla.novell.com/716992
   https://bugzilla.novell.com/725445
   https://bugzilla.novell.com/725466
   https://bugzilla.novell.com/725706
   https://bugzilla.novell.com/728934
   https://bugzilla.novell.com/729204
   https://bugzilla.novell.com/729273
   https://bugzilla.novell.com/729315
   https://bugzilla.novell.com/729675
   https://login.microfocus.com/nidp/app/login

References

Severity

Related News

The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12
3 - 5 min read
The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This
A Linux Admin
3 - 6 min read
As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,
Leveraging Insights from the Linux Foundation
3 - 5 min read
The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone
Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns
3 - 6 min read
Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security
From Wayland Fixes to Security Boosts: Examining Qt 6.8.1
3 - 6 min read
The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application
Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins
3 - 6 min read
The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline
Deck the Halls with Enhanced Security: Linux Kernel 6.13
3 - 5 min read
As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made
Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions
3 - 5 min read
New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved