Malware Devil

Friday, April 30, 2021

Network Security News Summary for Friday April 30th, 2021

From Python to .Net; PHP Composer; BadAlloc and RTOS;

From Python to .Net
https://isc.sans.edu/forums/diary/From+Python+to+Net/27366/

PHP Composer Vulnerability
https://blog.sonarsource.com/php-supply-chain-attack-on-composer

Microsoft Identifies Several Integer Overflow Vulnerabilities
https://us-cert.cisa.gov/ics/advisories/icsa-21-119-04

keywords: python; .Net; php; composer; microsoft; malloc; rtos; heapoverflow

The post Network Security News Summary for Friday April 30th, 2021 appeared first on Malware Devil.



https://malwaredevil.com/2021/04/30/network-security-news-summary-for-friday-april-30th-2021/?utm_source=rss&utm_medium=rss&utm_campaign=network-security-news-summary-for-friday-april-30th-2021

Protecting the Hybrid Workforce – Fleming Shi – PSW #692

Fleming will cover the vulnerabilities of a hybrid workforce and how employees are now working from anywhere, not just their homes. Zero trust will play a large part in securing workforces in the future as well as password managers for corporate and personal use. He will expand his point of view on the topics in the prep call next week.

This segment is sponsored by Barracuda Networks.

Visit https://securityweekly.com/barracuda to learn more about them!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw692

https://malwaredevil.com/2021/04/30/protecting-the-hybrid-workforce-fleming-shi-psw-692/?utm_source=rss&utm_medium=rss&utm_campaign=protecting-the-hybrid-workforce-fleming-shi-psw-692

Thursday, April 29, 2021

Department of Energy Launches 100-day Plan to Accelerate Cybersecurity Detection, Mitigation, and Response Capabilities Across Electric Utilities

On April 20, 2021 the U.S. Department of Energy (DOE) announced a 100-day plan to safeguard critical infrastructure from persistent and sophisticated threats. Working with the U.S. Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA), this initiative ultimately aims to establish a collective defense framework where security and threat data can be […]

The post Department of Energy Launches 100-day Plan to Accelerate Cybersecurity Detection, Mitigation, and Response Capabilities Across Electric Utilities appeared first on Forescout.

The post Department of Energy Launches 100-day Plan to Accelerate Cybersecurity Detection, Mitigation, and Response Capabilities Across Electric Utilities appeared first on Security Boulevard.

https://malwaredevil.com/2021/04/29/department-of-energy-launches-100-day-plan-to-accelerate-cybersecurity-detection-mitigation-and-response-capabilities-across-electric-utilities/?utm_source=rss&utm_medium=rss&utm_campaign=department-of-energy-launches-100-day-plan-to-accelerate-cybersecurity-detection-mitigation-and-response-capabilities-across-electric-utilities

XDR Pushing Endpoint Detection and Response Technologies to Extinction

Ironically, EDR’s success has spawned demand for technology that extends beyond it.

https://malwaredevil.com/2021/04/29/xdr-pushing-endpoint-detection-and-response-technologies-to-extinction/?utm_source=rss&utm_medium=rss&utm_campaign=xdr-pushing-endpoint-detection-and-response-technologies-to-extinction

Babuk Ransomware Gang Mulls Retirement

The RaaS operators have been posting, tweaking and taking down a goodbye note, saying that they’ll be open-sourcing their data encryption malware for other crooks to use.

https://malwaredevil.com/2021/04/29/babuk-ransomware-gang-mulls-retirement/?utm_source=rss&utm_medium=rss&utm_campaign=babuk-ransomware-gang-mulls-retirement

Researchers Connect Complex Specs to Software Vulnerabilities

Following their release of 70 different vulnerabilities in different implementations of TCP/IP stacks over the past year, two companies find a common link.

Six common mistakes in implementing network software led to scores of vulnerabilities, highlighting the impact that complex design requirements and ambiguous specifications can have on software security, according to two security researchers who plan to present their findings at next week’s Black Hat Asia conference.

Daniel dos Santos, research manager at network security firm Forescout, and Shlomi Oberman, CEO of security consultancy JSOF, will discuss their teams’ collaborative work on defining six anti-patterns, or common software mistakes, that have led to vulnerabilities in a variety of TCP/IP stacks. The two companies have disclosed a litany of vulnerabilities over the past year, many of them caused by one of the six anti-patterns.

Ambiguity and complexity in the DNS protocol have caused the issues, dos Santos says.

“Because of the complexity of the DNS specification, vulnerability types that we have known about for 20 years are appearing in implementations of network stacks,” he says. “The more complex the software or protocol gets, the more difficult the protocol is to implement, so we need to make them as least complex as possible, which is not always possible.”

Earlier this month, Forescout and JSOF disclosed nine vulnerabilities that affected four different TCP/IP stacks and could affect hundreds of millions of Internet of Things (IoT) and network devices. The vulnerabilities, dubbed “NAME:WRECK” by the companies, are the latest disclosures coming from their research into the vendor implementations that handle domain-name system (DNS) traffic. Their research, dubbed Project Memoria, also includes “Ripple20,” a set of 19 vulnerabilities that affected the Treck TCP/IP stack, among others; “AMNESIA:20,” a set of 33 vulnerabilities affecting four different open source TCP/IP stacks; and “NUMBER:JACK,” a set of nine vulnerabilities affecting implementations of initial sequence numbers (ISN).

The companies evaluated 15 different networking software implementations, often called a “stack,” and found seven had vulnerabilities due to errors in implementing a specific DNS feature.

“In Project Memoria, we learned that often the same mistake–anti-pattern–leads to similar vulnerabilities in different stacks,” the researchers stated in a technical report published earlier this month. “We urge developers of TCP/IP stacks that have–yet–been analyzed to take the anti-patterns … [and] check their code for the presence of bugs and fix them.”

The latest set of vulnerabilities lies in how different vendors implemented a DNS feature known as message compression. Because DNS responses often include the name of the specific domain several times, message compression allows software implementations to reduce the size of DNS messages.

The researchers’ discussion at Black Hat Asia will focus on how complexity in the specification — specifically, the technical details to implement message compression — has led to a variety of different vulnerabilities. In one case, one word — “may” versus “must” — resulted in different security issues due to a single anti-pattern.

“It is noteworthy that when a stack has a vulnerable DNS client, there are often several vulnerabilities together, but the message compression anti-pattern stands out because it commonly leads to potential [remote code execution], as it is often associated with pointer manipulation and memory operations,” according to the report.
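As an added illustration of the message-compression handling the researchers describe, here is a bounds-checked DNS name decoder in C. It is example code written for this page, not code from Forescout, JSOF, or any vendor's stack; it assumes the RFC 1035 limits (63-byte labels, 255-byte names) and accepts a compression pointer only when it refers to an earlier offset, which is what rules out self-references and pointer cycles. The sample response and the malformed names are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_MAX_NAME  255   /* RFC 1035: whole name, wire format, incl. terminator */
#define DNS_MAX_LABEL 63    /* RFC 1035: single label */

/*
 * Read one DNS name starting at message offset 'off', following
 * compression pointers (0xC0xx).  The dotted name goes to 'out'.
 * Returns the number of bytes the name occupies at 'off' itself (so the
 * caller can advance to the next field), or -1 for anything malformed.
 *
 * Every read is checked against 'msglen', and a pointer is accepted only
 * if it refers to an earlier offset, which rules out self-references and
 * pointer cycles without needing a separate hop counter.
 */
int dns_name_read(const uint8_t *msg, size_t msglen, size_t off,
                  char *out, size_t outlen)
{
    size_t pos = off, outpos = 0, wirelen = 0;
    int consumed = -1;                      /* set when the top-level walk ends */

    if (outlen == 0) return -1;
    for (;;) {
        if (pos >= msglen) return -1;       /* length/pointer byte missing */
        uint8_t len = msg[pos];

        if ((len & 0xC0) == 0xC0) {         /* compression pointer */
            if (pos + 1 >= msglen) return -1;   /* second pointer byte missing */
            size_t target = ((size_t)(len & 0x3F) << 8) | msg[pos + 1];
            if (consumed < 0) consumed = (int)(pos + 2 - off);
            if (target >= pos) return -1;   /* forward or self pointer: reject */
            pos = target;
            continue;
        }
        if (len & 0xC0) return -1;          /* 0x40/0x80 label types: unsupported */
        if (len == 0) {                     /* root label terminates the name */
            if (consumed < 0) consumed = (int)(pos + 1 - off);
            break;
        }
        if (len > DNS_MAX_LABEL) return -1;
        if (pos + 1 + len > msglen) return -1;      /* label data runs off the end */
        wirelen += len + 1;
        if (wirelen + 1 > DNS_MAX_NAME) return -1;  /* too long once expanded */

        size_t need = outpos + (outpos ? 1 : 0) + len;
        if (need >= outlen) return -1;      /* keep room for the NUL terminator */
        if (outpos) out[outpos++] = '.';
        memcpy(out + outpos, msg + pos + 1, len);
        outpos += len;
        pos += 1 + len;
    }
    out[outpos] = '\0';
    return consumed;
}

/* Constructed sample response (not a captured packet): header, question
 * "example.com" A IN, then two names that point back to offset 12. */
static const uint8_t sample_msg[] = {
    0x12, 0x34, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0,        /*  0: header */
    7, 'e','x','a','m','p','l','e', 3, 'c','o','m', 0,     /* 12: example.com */
    0, 1, 0, 1,                                            /* 25: QTYPE A, QCLASS IN */
    0xC0, 0x0C,                                            /* 29: pointer -> 12 */
    3, 'w','w','w', 0xC0, 0x0C,                            /* 31: www + pointer -> 12 */
};

/* Decode the name at 'off' in the sample message; returns bytes consumed,
 * or -1 if decoding fails or the result differs from 'expected'. */
int sample_decode(size_t off, const char *expected)
{
    char name[DNS_MAX_NAME + 1];
    int n = dns_name_read(sample_msg, sizeof sample_msg, off, name, sizeof name);
    if (n < 0 || strcmp(name, expected) != 0) return -1;
    return n;
}

/* Constructed malformed names that a decoder without these checks would
 * loop on or read past.  Returns 1 if every one is rejected, else 0. */
int malformed_all_rejected(void)
{
    static const uint8_t self_ptr[]    = { 0xC0, 0x00 };             /* points at itself */
    static const uint8_t ptr_cycle[]   = { 0xC0, 0x02, 0xC0, 0x00 }; /* 0 -> 2 -> 0 */
    static const uint8_t forward_ptr[] = { 0xC0, 0x02, 3, 'f','o','o', 0 };
    static const uint8_t cut_ptr[]     = { 0xC0 };                   /* second byte missing */
    static const uint8_t overrun[]     = { 5, 'a', 'b' };            /* label past the end */
    static const uint8_t bad_type[]    = { 0x41, 'x', 0 };           /* reserved label type */
    const uint8_t *cases[] = { self_ptr, ptr_cycle, forward_ptr, cut_ptr, overrun, bad_type };
    const size_t lens[] = { sizeof self_ptr, sizeof ptr_cycle, sizeof forward_ptr,
                            sizeof cut_ptr, sizeof overrun, sizeof bad_type };
    char name[DNS_MAX_NAME + 1];
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        if (dns_name_read(cases[i], lens[i], 0, name, sizeof name) != -1) return 0;
    return 1;
}

int main(void)
{
    char name[DNS_MAX_NAME + 1];
    int n = dns_name_read(sample_msg, sizeof sample_msg, 31, name, sizeof name);
    printf("offset 31 -> %s (%d bytes consumed)\n", name, n);
    printf("malformed names rejected: %s\n", malformed_all_rejected() ? "yes" : "no");
    return 0;
}
```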

As part of their research, the companies have released a technical report that discusses the six DNS anti-patterns, an open source script to identify vulnerable devices in the network, a set of queries to search for vulnerable network devices, and an amended request for comments (RFC) draft that contains more information for developers on how to avoid certain implementation mistakes.

“This research is further proof that DNS protocol complexity leads to several vulnerable implementations and that the community should act to fix a problem that we believe is more widespread than what we currently know,” the companies stated in their report.

While the vulnerabilities have been disclosed and affected vendors have issued patches for the issues, dos Santos worries that patching will not happen swiftly.

“This type of research really highlights that there is a supply chain issue with IoT devices. Any vulnerability patched by a vendor still has to be deployed to the software,” he says. “But patching is difficult. Each device in your network may be vulnerable. Each probably has a different procedure to patch, and you have to take them offline.”

https://malwaredevil.com/2021/04/29/researchers-connect-complex-specs-to-software-vulnerabilities/?utm_source=rss&utm_medium=rss&utm_campaign=researchers-connect-complex-specs-to-software-vulnerabilities

Strata Identity Brings Order to Identity Management Chaos

Strata Identity today announced the general availability of a platform for orchestrating the management of identities spanning multiple applications, directories and cloud services. Eric Olden, Strata Identity CEO, said the Maverics Identity Orchestration Platform provides IT organizations with a framework to declaratively implement and manage policies based on identities that is core to any zero-trust..

The post Strata Identity Brings Order to Identity Management Chaos appeared first on Security Boulevard.

https://malwaredevil.com/2021/04/29/strata-identity-brings-order-to-identity-management-chaos/?utm_source=rss&utm_medium=rss&utm_campaign=strata-identity-brings-order-to-identity-management-chaos

How to Find & Fix Mixed Content Issues with SSL / HTTPS

Note: We’ve updated this post to reflect the evolving security standards around mixed content, SSLs, and server access as a whole.

With the web’s increased emphasis on security, all sites should operate on HTTPS. Installing an SSL allows you to make that transition with your website. But it can also have an unintended consequence for sites that have been operating on HTTP previously: Mixed content warnings.

Today, let’s look at these common errors, what causes them, and how you can fix them.

Continue reading How to Find & Fix Mixed Content Issues with SSL / HTTPS at Sucuri Blog.

The post How to Find & Fix Mixed Content Issues with SSL / HTTPS appeared first on Security Boulevard.

https://malwaredevil.com/2021/04/29/how-to-find-fix-mixed-content-issues-with-ssl-https/?utm_source=rss&utm_medium=rss&utm_campaign=how-to-find-fix-mixed-content-issues-with-ssl-https

Developer Training Checklist: 5 Best Practices

The role of the developer has evolved over the past several years. Developers are not only responsible for writing code and releasing new software rapidly but also for securing code. By implementing security in the software development lifecycle, you can reduce risk and cost without slowing down time to production.

But the developer role is already stretched so thin and many developers don’t have a background in security. How can you get developers up to speed on security measures in an engaging manner that doesn’t add too much extra work? And how can you ensure that your developers are successfully implementing the security learnings?

Leveraging findings from a recent Enterprise Strategy Group report, Modern Application Development Security, and tips from our Director of Development Enablement, Fletcher Heisler, we were able to establish a list of best practices to follow when training developers in security.

Make security training a real requirement. Developers are very busy. If they’re not required to take secure coding training, it’s highly unlikely that they will. So, make it part of their goals. And to ensure that they’re paying attention to the trainings, consider adding knowledge checks.

Make sure the training is relevant and engaging. As Fletcher states in Four Fundamentals of Education The Sticks, use training tools like Security Labs that “bring magic, adventure, and exploration back to security so that developers can actually explore when something goes wrong.” And make sure the examples are relevant to the developer’s day-to-day work. The more realistic the examples, the more seriously developers take the training.

Measure the effectiveness of the training. Don’t just assume that developer training is working; track it. To ensure that your developers are implementing the learnings from their security training, you should track both issue introduction and continuous improvement metrics for both scrum teams and individual developers. By keeping track of these metrics, you can tailor future security trainings toward areas of weakness. [As you can see in the chart below from Enterprise Strategy Group, only 41 percent of organizations are tracking the continuous improvement of development teams.]

Offer a mix of training types. Not everyone learns the same way. Some developers might prefer instructor-led courses while others might like on-demand courses or hands-on training tools. It’s also important to keep in mind that developers likely have different levels of security knowledge. A new developer might need an introductory course to secure code training while a more experienced developer might benefit from a more technical course.

Implement a security champions program. Many organizations benefit from implementing a security champions program. To start a security champions program, select interested volunteers from each development team and give them extra tools and training needed to be security experts on their scrum teams. They’ll be able to pass along their additional security skills to peers on their team.

In fact, our customer Advantasure was able to train over 600 developers by implementing a security champions program. The security champions became security ambassadors on their scrum teams, making sure everyone was up-to-speed on their secure coding courses.

Keep these best practices top of mind by downloading our printer-friendly checklist, The Top 5 Best Practices for Developer Training.

The post Developer Training Checklist: 5 Best Practices appeared first on Security Boulevard.

https://malwaredevil.com/2021/04/29/developer-training-checklist-5-best-practices/?utm_source=rss&utm_medium=rss&utm_campaign=developer-training-checklist-5-best-practices

F5 Big-IP Vulnerable to Security-Bypass Bug

The KDC-spoofing flaw tracked as CVE-2021-23008 can be used to bypass Kerberos security and sign into the Big-IP Access Policy Manager or admin console.

https://malwaredevil.com/2021/04/29/f5-big-ip-vulnerable-to-security-bypass-bug/?utm_source=rss&utm_medium=rss&utm_campaign=f5-big-ip-vulnerable-to-security-bypass-bug

API Hole on Experian Partner Site Exposes Credit Scores

Student researcher is concerned security gap may exist on many other sites.

https://malwaredevil.com/2021/04/29/api-hole-on-experian-partner-site-exposes-credit-scores-2/?utm_source=rss&utm_medium=rss&utm_campaign=api-hole-on-experian-partner-site-exposes-credit-scores-2

🔴 LIVE: Paul’s Security Weekly #692

This week, first we welcome Fleming Shi, CTO at Barracuda Networks, followed by an interview with Fred Gordy, Director of Cybersecurity at Intelligent Buildings, and we round out the show with the Security News!

→Full Show Notes: https://securityweekly.com/psw692
→Join the Security Weekly Discord Server: https://discord.gg/pqSwWm4
→Visit our website: https://www.securityweekly.com
→Follow us on Twitter: https://www.twitter.com/securityweekly

https://malwaredevil.com/2021/04/29/%f0%9f%94%b4-live-pauls-security-weekly-692/?utm_source=rss&utm_medium=rss&utm_campaign=%25f0%259f%2594%25b4-live-pauls-security-weekly-692

Executive Order on Cybersecurity Is Imminent: It’s Been a Long Time Coming

Following President Biden’s address to Congress last night in which he referenced cybersecurity as a priority twice, news is circulating today that the executive order on cybersecurity is imminent. This news comes as a much awaited and long overdue step towards creating standardization and structure around cybersecurity.

Anne Neuberger, the deputy national security advisor for cyber and emerging technology, says the order will be like the National Transportation Safety Board, or NTSB, for cyber. “What can we learn with regard to how we get advance warning of such incidents,” she recently told reporters. She also notes that this executive order will be a starting point that should eventually trickle down to the consumer market as well. “If we start incentivizing security, then companies, [and] the market will then inherently prioritize it because more people will buy the product,” she says.

From my perspective, I am happy that this topic is finally coming full circle. In 2013, Chris Wysopal addressed this very topic in a keynote at RVASec where he discussed “The Future of Government Sharing.”

In fact, Chris started creating awareness with the federal government 23 years ago when he and some colleagues from hacker thinktank the L0pht testified to Congress in efforts to expose the risks and threats of cybersecurity. Eight years later, I joined Chris when he launched Veracode to actually start solving the critical problem of software security; together we focused on helping developers and security teams on not just finding but also fixing vulnerabilities in their software (developed in-house, open source or third-party purchased).

Just last month on International Women’s Day, I sat down with The New York Times cybersecurity reporter Nicole Perlroth and OWASP board member Vandana Verma to discuss this topic at an RSA Conference Podcast, sharing that Veracode’s recent research revealed that 66 percent of applications fail to meet the OWASP Top 10 standards, meaning they have a major vulnerability. This highlights that there is work to be done and we must embed security testing into the software development lifecycle so, as developers write code, they write securely. In that discussion, Perlroth said, “We can’t be trying to band-aid on these fixes after vulnerable code has already made its way to users, but also into critical infrastructure … We need to think about security and security design from the start. We have to start bringing in security engineers from the very beginning.”

Part of making software more secure involves integrating security into the software development lifecycle and training developers. We should not expect secure code if we haven’t established clarity on what good looks like, equipped developers with the right guidance, the right knowledge, and the right tools.

The executive order has been a long time coming, and I hope it establishes what the right expectations and accountability should be. We must put structure and standardization around cyber and software security, and there are a number of great examples on how this has been done successfully. One of our customers, an educational software vendor, joined the Veracode Verified program in order to provide evidence of its security processes and be eligible to do business with the New York public school system. In other words, the buyer held the software developer accountable for demonstrating a secure software development process and through third-party testing, such as with the Veracode Verified program, they were able to do that.

Given the continued impact from breaches to the federal government and companies, it is time we address the issue with focus and vigor. We must establish a common standard for cybersecurity that addresses one of the primary root causes of breaches: vulnerabilities in software. As we live, work, and play in a digital world more and more, it is an imperative to do so, finally.

The post Executive Order on Cybersecurity Is Imminent: It’s Been a Long Time Coming appeared first on Security Boulevard.

https://malwaredevil.com/2021/04/29/executive-order-on-cybersecurity-is-imminent-its-been-a-long-time-coming/?utm_source=rss&utm_medium=rss&utm_campaign=executive-order-on-cybersecurity-is-imminent-its-been-a-long-time-coming

How Facebook Avoids Consequences for Crimes

Yet ANOTHER bone-head security screw-up at Facebook. ‘The authors never intended to publish this as a final document to the whole company, a Facebook spokesperson said in a statement. NEVER INTENDED. Intended? Does it matter what they intended? After this internal report went public (exposing how white nationalist violence was being facilitated) the Facebook decision … Continue reading How Facebook Avoids Consequences for Crimes

The post How Facebook Avoids Consequences for Crimes appeared first on Security Boulevard.

https://malwaredevil.com/2021/04/29/how-facebook-avoids-consequences-for-crimes/?utm_source=rss&utm_medium=rss&utm_campaign=how-facebook-avoids-consequences-for-crimes

‘BadAlloc’ Flaws Could Threaten IoT and OT Devices: Microsoft

More than 25 critical memory allocation bugs could enable attackers to bypass security controls in industrial, medical, and enterprise devices.

https://malwaredevil.com/2021/04/29/badalloc-flaws-could-threaten-iot-and-ot-devices-microsoft-2/?utm_source=rss&utm_medium=rss&utm_campaign=badalloc-flaws-could-threaten-iot-and-ot-devices-microsoft-2

Barrett Lyon’s Opte, The Internet: 1997 – 2021

The post Barrett Lyon’s Opte, The Internet: 1997 – 2021 appeared first on Security Boulevard.

https://malwaredevil.com/2021/04/29/barrett-lyons-opte-the-internet-1997-2021/?utm_source=rss&utm_medium=rss&utm_campaign=barrett-lyons-opte-the-internet-1997-2021

ESB-2021.1464 – [SUSE] libnettle: Multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2021.1464
Security update for libnettle
29 April 2021

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product: libnettle
Publisher: SUSE
Operating System: SUSE
Impact/Access:     Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
                   Reduced Security         -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2021-20305

Reference:         ESB-2021.1320
                   ESB-2021.1279
                   ESB-2021.1226

Original Bulletin:
https://www.suse.com/support/update/announcement/2021/suse-su-20211412-1
https://www.suse.com/support/update/announcement/2021/suse-su-20211399-1

Comment: This bulletin contains two (2) SUSE security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

SUSE Security Update: Security update for libnettle

______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1412-1
Rating: important
References: #1184401
Cross-References: CVE-2021-20305
Affected Products:
SUSE MicroOS 5.0
SUSE Manager Server 4.0
SUSE Manager Retail Branch Server 4.0
SUSE Manager Proxy 4.0
SUSE Linux Enterprise Server for SAP 15-SP1
SUSE Linux Enterprise Server for SAP 15
SUSE Linux Enterprise Server 15-SP1-LTSS
SUSE Linux Enterprise Server 15-SP1-BCL
SUSE Linux Enterprise Server 15-LTSS
SUSE Linux Enterprise Module for Basesystem 15-SP3
SUSE Linux Enterprise Module for Basesystem 15-SP2
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
SUSE Linux Enterprise High Performance Computing 15-LTSS
SUSE Linux Enterprise High Performance Computing 15-ESPOS
SUSE Enterprise Storage 6
SUSE CaaS Platform 4.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for libnettle fixes the following issues:

o CVE-2021-20305: Fixed the multiply function which was being called with
out-of-range scalars (bsc#1184401).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

o SUSE MicroOS 5.0:
zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-1412=1
o SUSE Manager Server 4.0:
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-1412=1
o SUSE Manager Retail Branch Server 4.0:
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-1412=1
o SUSE Manager Proxy 4.0:
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-1412=1
o SUSE Linux Enterprise Server for SAP 15-SP1:
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-1412=1
o SUSE Linux Enterprise Server for SAP 15:
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-1412=1
o SUSE Linux Enterprise Server 15-SP1-LTSS:
zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-1412=1
o SUSE Linux Enterprise Server 15-SP1-BCL:
zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-1412=1
o SUSE Linux Enterprise Server 15-LTSS:
zypper in -t patch SUSE-SLE-Product-SLES-15-2021-1412=1
o SUSE Linux Enterprise Module for Basesystem 15-SP3:
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-1412=1
o SUSE Linux Enterprise Module for Basesystem 15-SP2:
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1412=1
o SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:
zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-1412=1
o SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:
zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-1412=1
o SUSE Linux Enterprise High Performance Computing 15-LTSS:
zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1412=1
o SUSE Linux Enterprise High Performance Computing 15-ESPOS:
zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1412=1
o SUSE Enterprise Storage 6:
zypper in -t patch SUSE-Storage-6-2021-1412=1
o SUSE CaaS Platform 4.0:
To install this update, use the SUSE CaaS Platform 'skuba' tool. It will
inform you if it detects new updates and let you then trigger updating of
the complete cluster in a controlled way.

Package List:

o SUSE MicroOS 5.0 (aarch64 x86_64):
libhogweed4-3.4.1-4.15.1
libhogweed4-debuginfo-3.4.1-4.15.1
libnettle-debugsource-3.4.1-4.15.1
libnettle6-3.4.1-4.15.1
libnettle6-debuginfo-3.4.1-4.15.1
o SUSE Manager Server 4.0 (ppc64le s390x x86_64):
libhogweed4-3.4.1-4.15.1
libhogweed4-debuginfo-3.4.1-4.15.1
libnettle-debugsource-3.4.1-4.15.1
libnettle-devel-3.4.1-4.15.1
libnettle6-3.4.1-4.15.1
libnettle6-debuginfo-3.4.1-4.15.1
o SUSE Manager Server 4.0 (x86_64):
libhogweed4-32bit-3.4.1-4.15.1
libhogweed4-32bit-debuginfo-3.4.1-4.15.1
libnettle6-32bit-3.4.1-4.15.1
libnettle6-32bit-debuginfo-3.4.1-4.15.1
o SUSE Manager Retail Branch Server 4.0 (x86_64):
libhogweed4-3.4.1-4.15.1
libhogweed4-32bit-3.4.1-4.15.1
libhogweed4-32bit-debuginfo-3.4.1-4.15.1
libhogweed4-debuginfo-3.4.1-4.15.1
libnettle-debugsource-3.4.1-4.15.1
libnettle-devel-3.4.1-4.15.1
libnettle6-3.4.1-4.15.1
libnettle6-32bit-3.4.1-4.15.1
libnettle6-32bit-debuginfo-3.4.1-4.15.1
libnettle6-debuginfo-3.4.1-4.15.1
o SUSE Manager Proxy 4.0 (x86_64):
libhogweed4-3.4.1-4.15.1
libhogweed4-32bit-3.4.1-4.15.1
libhogweed4-32bit-debuginfo-3.4.1-4.15.1
libhogweed4-debuginfo-3.4.1-4.15.1
libnettle-debugsource-3.4.1-4.15.1
libnettle-devel-3.4.1-4.15.1
libnettle6-3.4.1-4.15.1
libnettle6-32bit-3.4.1-4.15.1
libnettle6-32bit-debuginfo-3.4.1-4.15.1
libnettle6-debuginfo-3.4.1-4.15.1
o SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64):
libhogweed4-3.4.1-4.15.1
libhogweed4-debuginfo-3.4.1-4.15.1
libnettle-debugsource-3.4.1-4.15.1
libnettle-devel-3.4.1-4.15.1
libnettle6-3.4.1-4.15.1
libnettle6-debuginfo-3.4.1-4.15.1
o SUSE Linux Enterprise Server for SAP 15-SP1 (x86_64):
libhogweed4-32bit-3.4.1-4.15.1
libhogweed4-32bit-debuginfo-3.4.1-4.15.1
libnettle6-32bit-3.4.1-4.15.1
libnettle6-32bit-debuginfo-3.4.1-4.15.1
o SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):
libhogweed4-3.4.1-4.15.1
libhogweed4-debuginfo-3.4.1-4.15.1
libnettle-debugsource-3.4.1-4.15.1
libnettle-devel-3.4.1-4.15.1
libnettle6-3.4.1-4.15.1
libnettle6-debuginfo-3.4.1-4.15.1
o SUSE Linux Enterprise Server for SAP 15 (x86_64):
libhogweed4-32bit-3.4.1-4.15.1
libhogweed4-32bit-debuginfo-3.4.1-4.15.1
libnettle6-32bit-3.4.1-4.15.1
libnettle6-32bit-debuginfo-3.4.1-4.15.1
o SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64):
libhogweed4-3.4.1-4.15.1
libhogweed4-debuginfo-3.4.1-4.15.1
libnettle-debugsource-3.4.1-4.15.1
libnettle-devel-3.4.1-4.15.1
libnettle6-3.4.1-4.15.1
libnettle6-debuginfo-3.4.1-4.15.1
o SUSE Linux Enterprise Server 15-SP1-LTSS (x86_64):
libhogweed4-32bit-3.4.1-4.15.1
libhogweed4-32bit-debuginfo-3.4.1-4.15.1
libnettle6-32bit-3.4.1-4.15.1
libnettle6-32bit-debuginfo-3.4.1-4.15.1
o SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):
libhogweed4-3.4.1-4.15.1
libhogweed4-32bit-3.4.1-4.15.1
libhogweed4-32bit-debuginfo-3.4.1-4.15.1
libhogweed4-debuginfo-3.4.1-4.15.1
libnettle-debugsource-3.4.1-4.15.1
libnettle-devel-3.4.1-4.15.1
libnettle6-3.4.1-4.15.1
libnettle6-32bit-3.4.1-4.15.1
libnettle6-32bit-debuginfo-3.4.1-4.15.1
libnettle6-debuginfo-3.4.1-4.15.1
o SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):
libhogweed4-3.4.1-4.15.1
libhogweed4-debuginfo-3.4.1-4.15.1
libnettle-debugsource-3.4.1-4.15.1
libnettle-devel-3.4.1-4.15.1
libnettle6-3.4.1-4.15.1
libnettle6-debuginfo-3.4.1-4.15.1
o SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x
x86_64):
libhogweed4-3.4.1-4.15.1
libhogweed4-debuginfo-3.4.1-4.15.1
libnettle-debugsource-3.4.1-4.15.1
libnettle-devel-3.4.1-4.15.1
libnettle6-3.4.1-4.15.1
libnettle6-debuginfo-3.4.1-4.15.1
o SUSE Linux Enterprise Module for Basesystem 15-SP3 (x86_64):
libhogweed4-32bit-3.4.1-4.15.1
libhogweed4-32bit-debuginfo-3.4.1-4.15.1
libnettle6-32bit-3.4.1-4.15.1
libnettle6-32bit-debuginfo-3.4.1-4.15.1
o SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x
x86_64):
libhogweed4-3.4.1-4.15.1
libhogweed4-debuginfo-3.4.1-4.15.1
libnettle-debugsource-3.4.1-4.15.1
libnettle-devel-3.4.1-4.15.1
libnettle6-3.4.1-4.15.1
libnettle6-debuginfo-3.4.1-4.15.1
o SUSE Linux Enterprise Module for Basesystem 15-SP2 (x86_64):
libhogweed4-32bit-3.4.1-4.15.1
libhogweed4-32bit-debuginfo-3.4.1-4.15.1
libnettle6-32bit-3.4.1-4.15.1
libnettle6-32bit-debuginfo-3.4.1-4.15.1
o SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64
x86_64):
libhogweed4-3.4.1-4.15.1
libhogweed4-debuginfo-3.4.1-4.15.1
libnettle-debugsource-3.4.1-4.15.1
libnettle-devel-3.4.1-4.15.1
libnettle6-3.4.1-4.15.1
libnettle6-debuginfo-3.4.1-4.15.1
o SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (x86_64):
libhogweed4-32bit-3.4.1-4.15.1
libhogweed4-32bit-debuginfo-3.4.1-4.15.1
libnettle6-32bit-3.4.1-4.15.1
libnettle6-32bit-debuginfo-3.4.1-4.15.1
o SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64
x86_64):
libhogweed4-3.4.1-4.15.1
libhogweed4-debuginfo-3.4.1-4.15.1
libnettle-debugsource-3.4.1-4.15.1
libnettle-devel-3.4.1-4.15.1
libnettle6-3.4.1-4.15.1
libnettle6-debuginfo-3.4.1-4.15.1
o SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (x86_64):
libhogweed4-32bit-3.4.1-4.15.1
libhogweed4-32bit-debuginfo-3.4.1-4.15.1
libnettle6-32bit-3.4.1-4.15.1
libnettle6-32bit-debuginfo-3.4.1-4.15.1
o SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):
libhogweed4-3.4.1-4.15.1
libhogweed4-debuginfo-3.4.1-4.15.1
libnettle-debugsource-3.4.1-4.15.1
libnettle-devel-3.4.1-4.15.1
libnettle6-3.4.1-4.15.1
libnettle6-debuginfo-3.4.1-4.15.1
o SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64):
libhogweed4-32bit-3.4.1-4.15.1
libhogweed4-32bit-debuginfo-3.4.1-4.15.1
libnettle6-32bit-3.4.1-4.15.1
libnettle6-32bit-debuginfo-3.4.1-4.15.1
o SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):
libhogweed4-3.4.1-4.15.1
libhogweed4-debuginfo-3.4.1-4.15.1
libnettle-debugsource-3.4.1-4.15.1
libnettle-devel-3.4.1-4.15.1
libnettle6-3.4.1-4.15.1
libnettle6-debuginfo-3.4.1-4.15.1
o SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64):
libhogweed4-32bit-3.4.1-4.15.1
libhogweed4-32bit-debuginfo-3.4.1-4.15.1
libnettle6-32bit-3.4.1-4.15.1
libnettle6-32bit-debuginfo-3.4.1-4.15.1
o SUSE Enterprise Storage 6 (aarch64 x86_64):
libhogweed4-3.4.1-4.15.1
libhogweed4-debuginfo-3.4.1-4.15.1
libnettle-debugsource-3.4.1-4.15.1
libnettle-devel-3.4.1-4.15.1
libnettle6-3.4.1-4.15.1
libnettle6-debuginfo-3.4.1-4.15.1
o SUSE Enterprise Storage 6 (x86_64):
libhogweed4-32bit-3.4.1-4.15.1
libhogweed4-32bit-debuginfo-3.4.1-4.15.1
libnettle6-32bit-3.4.1-4.15.1
libnettle6-32bit-debuginfo-3.4.1-4.15.1
o SUSE CaaS Platform 4.0 (x86_64):
libhogweed4-3.4.1-4.15.1
libhogweed4-32bit-3.4.1-4.15.1
libhogweed4-32bit-debuginfo-3.4.1-4.15.1
libhogweed4-debuginfo-3.4.1-4.15.1
libnettle-debugsource-3.4.1-4.15.1
libnettle-devel-3.4.1-4.15.1
libnettle6-3.4.1-4.15.1
libnettle6-32bit-3.4.1-4.15.1
libnettle6-32bit-debuginfo-3.4.1-4.15.1
libnettle6-debuginfo-3.4.1-4.15.1

References:

o https://www.suse.com/security/cve/CVE-2021-20305.html
o https://bugzilla.suse.com/1184401

– ——————————————————————————–

SUSE Security Update: Security update for libnettle

______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1399-1
Rating: important
References: #1183835 #1184401
Cross-References: CVE-2021-20305
Affected Products:
SUSE OpenStack Cloud Crowbar 9
SUSE OpenStack Cloud Crowbar 8
SUSE OpenStack Cloud 9
SUSE OpenStack Cloud 8
SUSE Linux Enterprise Software Development Kit 12-SP5
SUSE Linux Enterprise Server for SAP 12-SP4
SUSE Linux Enterprise Server for SAP 12-SP3
SUSE Linux Enterprise Server 12-SP5
SUSE Linux Enterprise Server 12-SP4-LTSS
SUSE Linux Enterprise Server 12-SP3-LTSS
SUSE Linux Enterprise Server 12-SP3-BCL
SUSE Linux Enterprise Server 12-SP2-LTSS-SAP
SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON
SUSE Linux Enterprise Server 12-SP2-BCL
HPE Helion Openstack 8
______________________________________________________________________________

An update that solves one vulnerability and has one erratum is now available.

Description:

This update for libnettle fixes the following issues:

o CVE-2021-20305: Fixed the multiply function which was being called with
out-of-range scalars (bsc#1184401, bsc#1183835).

Patch Instructions:

To install this SUSE Security Update, use the SUSE recommended installation
methods such as YaST online_update or “zypper patch”.
Alternatively, you can run the command listed for your product:

o SUSE OpenStack Cloud Crowbar 9:
zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-1399=1
o SUSE OpenStack Cloud Crowbar 8:
zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-1399=1
o SUSE OpenStack Cloud 9:
zypper in -t patch SUSE-OpenStack-Cloud-9-2021-1399=1
o SUSE OpenStack Cloud 8:
zypper in -t patch SUSE-OpenStack-Cloud-8-2021-1399=1
o SUSE Linux Enterprise Software Development Kit 12-SP5:
zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-1399=1
o SUSE Linux Enterprise Server for SAP 12-SP4:
zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-1399=1
o SUSE Linux Enterprise Server for SAP 12-SP3:
zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-1399=1
o SUSE Linux Enterprise Server 12-SP5:
zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-1399=1
o SUSE Linux Enterprise Server 12-SP4-LTSS:
zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-1399=1
o SUSE Linux Enterprise Server 12-SP3-LTSS:
zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-1399=1
o SUSE Linux Enterprise Server 12-SP3-BCL:
zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-1399=1
o SUSE Linux Enterprise Server 12-SP2-LTSS-SAP:
zypper in -t patch SUSE-SLE-SERVER-12-SP2-LTSS-SAP-2021-1399=1
o SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON:
zypper in -t patch SUSE-SLE-SERVER-12-SP2-LTSS-ERICSSON-2021-1399=1
o SUSE Linux Enterprise Server 12-SP2-BCL:
zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-1399=1
o HPE Helion Openstack 8:
zypper in -t patch HPE-Helion-OpenStack-8-2021-1399=1

Package List:

o SUSE OpenStack Cloud Crowbar 9 (x86_64):
libhogweed2-2.7.1-13.3.1
libhogweed2-32bit-2.7.1-13.3.1
libhogweed2-debuginfo-2.7.1-13.3.1
libhogweed2-debuginfo-32bit-2.7.1-13.3.1
libnettle-debugsource-2.7.1-13.3.1
libnettle4-2.7.1-13.3.1
libnettle4-32bit-2.7.1-13.3.1
libnettle4-debuginfo-2.7.1-13.3.1
libnettle4-debuginfo-32bit-2.7.1-13.3.1
o SUSE OpenStack Cloud Crowbar 8 (x86_64):
libhogweed2-2.7.1-13.3.1
libhogweed2-32bit-2.7.1-13.3.1
libhogweed2-debuginfo-2.7.1-13.3.1
libhogweed2-debuginfo-32bit-2.7.1-13.3.1
libnettle-debugsource-2.7.1-13.3.1
libnettle4-2.7.1-13.3.1
libnettle4-32bit-2.7.1-13.3.1
libnettle4-debuginfo-2.7.1-13.3.1
libnettle4-debuginfo-32bit-2.7.1-13.3.1
o SUSE OpenStack Cloud 9 (x86_64):
libhogweed2-2.7.1-13.3.1
libhogweed2-32bit-2.7.1-13.3.1
libhogweed2-debuginfo-2.7.1-13.3.1
libhogweed2-debuginfo-32bit-2.7.1-13.3.1
libnettle-debugsource-2.7.1-13.3.1
libnettle4-2.7.1-13.3.1
libnettle4-32bit-2.7.1-13.3.1
libnettle4-debuginfo-2.7.1-13.3.1
libnettle4-debuginfo-32bit-2.7.1-13.3.1
o SUSE OpenStack Cloud 8 (x86_64):
libhogweed2-2.7.1-13.3.1
libhogweed2-32bit-2.7.1-13.3.1
libhogweed2-debuginfo-2.7.1-13.3.1
libhogweed2-debuginfo-32bit-2.7.1-13.3.1
libnettle-debugsource-2.7.1-13.3.1
libnettle4-2.7.1-13.3.1
libnettle4-32bit-2.7.1-13.3.1
libnettle4-debuginfo-2.7.1-13.3.1
libnettle4-debuginfo-32bit-2.7.1-13.3.1
o SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le
s390x x86_64):
libnettle-debugsource-2.7.1-13.3.1
libnettle-devel-2.7.1-13.3.1
o SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):
libhogweed2-2.7.1-13.3.1
libhogweed2-debuginfo-2.7.1-13.3.1
libnettle-debugsource-2.7.1-13.3.1
libnettle4-2.7.1-13.3.1
libnettle4-debuginfo-2.7.1-13.3.1
o SUSE Linux Enterprise Server for SAP 12-SP4 (x86_64):
libhogweed2-32bit-2.7.1-13.3.1
libhogweed2-debuginfo-32bit-2.7.1-13.3.1
libnettle4-32bit-2.7.1-13.3.1
libnettle4-debuginfo-32bit-2.7.1-13.3.1
o SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):
libhogweed2-2.7.1-13.3.1
libhogweed2-debuginfo-2.7.1-13.3.1
libnettle-debugsource-2.7.1-13.3.1
libnettle4-2.7.1-13.3.1
libnettle4-debuginfo-2.7.1-13.3.1
o SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64):
libhogweed2-32bit-2.7.1-13.3.1
libhogweed2-debuginfo-32bit-2.7.1-13.3.1
libnettle4-32bit-2.7.1-13.3.1
libnettle4-debuginfo-32bit-2.7.1-13.3.1
o SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
libhogweed2-2.7.1-13.3.1
libhogweed2-debuginfo-2.7.1-13.3.1
libnettle-debugsource-2.7.1-13.3.1
libnettle4-2.7.1-13.3.1
libnettle4-debuginfo-2.7.1-13.3.1
o SUSE Linux Enterprise Server 12-SP5 (s390x x86_64):
libhogweed2-32bit-2.7.1-13.3.1
libhogweed2-debuginfo-32bit-2.7.1-13.3.1
libnettle4-32bit-2.7.1-13.3.1
libnettle4-debuginfo-32bit-2.7.1-13.3.1
o SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):
libhogweed2-2.7.1-13.3.1
libhogweed2-debuginfo-2.7.1-13.3.1
libnettle-debugsource-2.7.1-13.3.1
libnettle4-2.7.1-13.3.1
libnettle4-debuginfo-2.7.1-13.3.1
o SUSE Linux Enterprise Server 12-SP4-LTSS (s390x x86_64):
libhogweed2-32bit-2.7.1-13.3.1
libhogweed2-debuginfo-32bit-2.7.1-13.3.1
libnettle4-32bit-2.7.1-13.3.1
libnettle4-debuginfo-32bit-2.7.1-13.3.1
o SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):
libhogweed2-2.7.1-13.3.1
libhogweed2-debuginfo-2.7.1-13.3.1
libnettle-debugsource-2.7.1-13.3.1
libnettle4-2.7.1-13.3.1
libnettle4-debuginfo-2.7.1-13.3.1
o SUSE Linux Enterprise Server 12-SP3-LTSS (s390x x86_64):
libhogweed2-32bit-2.7.1-13.3.1
libhogweed2-debuginfo-32bit-2.7.1-13.3.1
libnettle4-32bit-2.7.1-13.3.1
libnettle4-debuginfo-32bit-2.7.1-13.3.1
o SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):
libhogweed2-2.7.1-13.3.1
libhogweed2-32bit-2.7.1-13.3.1
libhogweed2-debuginfo-2.7.1-13.3.1
libhogweed2-debuginfo-32bit-2.7.1-13.3.1
libnettle-debugsource-2.7.1-13.3.1
libnettle4-2.7.1-13.3.1
libnettle4-32bit-2.7.1-13.3.1
libnettle4-debuginfo-2.7.1-13.3.1
libnettle4-debuginfo-32bit-2.7.1-13.3.1
o SUSE Linux Enterprise Server 12-SP2-LTSS-SAP (x86_64):
libhogweed2-2.7.1-13.3.1
libhogweed2-32bit-2.7.1-13.3.1
libhogweed2-debuginfo-2.7.1-13.3.1
libhogweed2-debuginfo-32bit-2.7.1-13.3.1
libnettle-debugsource-2.7.1-13.3.1
libnettle4-2.7.1-13.3.1
libnettle4-32bit-2.7.1-13.3.1
libnettle4-debuginfo-2.7.1-13.3.1
libnettle4-debuginfo-32bit-2.7.1-13.3.1
o SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON (x86_64):
libhogweed2-2.7.1-13.3.1
libhogweed2-32bit-2.7.1-13.3.1
libhogweed2-debuginfo-2.7.1-13.3.1
libhogweed2-debuginfo-32bit-2.7.1-13.3.1
libnettle-debugsource-2.7.1-13.3.1
libnettle4-2.7.1-13.3.1
libnettle4-32bit-2.7.1-13.3.1
libnettle4-debuginfo-2.7.1-13.3.1
libnettle4-debuginfo-32bit-2.7.1-13.3.1
o SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
libhogweed2-2.7.1-13.3.1
libhogweed2-32bit-2.7.1-13.3.1
libhogweed2-debuginfo-2.7.1-13.3.1
libhogweed2-debuginfo-32bit-2.7.1-13.3.1
libnettle-debugsource-2.7.1-13.3.1
libnettle4-2.7.1-13.3.1
libnettle4-32bit-2.7.1-13.3.1
libnettle4-debuginfo-2.7.1-13.3.1
libnettle4-debuginfo-32bit-2.7.1-13.3.1
o HPE Helion Openstack 8 (x86_64):
libhogweed2-2.7.1-13.3.1
libhogweed2-32bit-2.7.1-13.3.1
libhogweed2-debuginfo-2.7.1-13.3.1
libhogweed2-debuginfo-32bit-2.7.1-13.3.1
libnettle-debugsource-2.7.1-13.3.1
libnettle4-2.7.1-13.3.1
libnettle4-32bit-2.7.1-13.3.1
libnettle4-debuginfo-2.7.1-13.3.1
libnettle4-debuginfo-32bit-2.7.1-13.3.1

References:

o https://www.suse.com/security/cve/CVE-2021-20305.html
o https://bugzilla.suse.com/1183835
o https://bugzilla.suse.com/1184401

– ————————–END INCLUDED TEXT——————–

You have received this e-mail bulletin as a result of your organisation’s
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT’s members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation’s
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author’s website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================

The post ESB-2021.1464 – [SUSE] libnettle: Multiple vulnerabilities appeared first on Malware Devil.



https://malwaredevil.com/2021/04/29/esb-2021-1464-suse-libnettle-multiple-vulnerabilities/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2021-1464-suse-libnettle-multiple-vulnerabilities

ESB-2021.1465 – ALERT [UNIX/Linux][SUSE] librsvg: Multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2021.1465
Security update for librsvg
29 April 2021

===========================================================================

AusCERT Security Bulletin Summary
———————————

Product: librsvg
Publisher: SUSE
Operating System: SUSE
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Execute Arbitrary Code/Commands — Remote/Unauthenticated
Denial of Service — Remote/Unauthenticated
Access Confidential Data — Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2021-25900

Original Bulletin:
https://www.suse.com/support/update/announcement/2021/suse-su-20211408-1

Comment: This advisory references vulnerabilities in products which run on
platforms other than SUSE. It is recommended that administrators
running librsvg check for an updated version of the software for
their operating system.

– ————————–BEGIN INCLUDED TEXT——————–

SUSE Security Update: Security update for librsvg

______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1408-1
Rating: important
References: #1183403
Cross-References: CVE-2021-25900
Affected Products:
SUSE Linux Enterprise Module for Desktop Applications 15-SP3
SUSE Linux Enterprise Module for Desktop Applications 15-SP2
SUSE Linux Enterprise Module for Basesystem 15-SP3
SUSE Linux Enterprise Module for Basesystem 15-SP2
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for librsvg fixes the following issues:

o librsvg was updated to 2.46.5:
  * Update dependent crates that had security vulnerabilities:
    smallvec to 0.6.14 - RUSTSEC-2018-0003 - CVE-2021-25900 (bsc#1183403)

Patch Instructions:

To install this SUSE Security Update, use the SUSE recommended installation
methods such as YaST online_update or “zypper patch”.
Alternatively, you can run the command listed for your product:

o SUSE Linux Enterprise Module for Desktop Applications 15-SP3:
zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP3-2021-1408=1
o SUSE Linux Enterprise Module for Desktop Applications 15-SP2:
zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2021-1408=1
o SUSE Linux Enterprise Module for Basesystem 15-SP3:
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-1408=1
o SUSE Linux Enterprise Module for Basesystem 15-SP2:
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1408=1

Package List:

o SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (aarch64
ppc64le s390x x86_64):
librsvg-debugsource-2.46.5-3.3.1
librsvg-devel-2.46.5-3.3.1
typelib-1_0-Rsvg-2_0-2.46.5-3.3.1
o SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (aarch64
ppc64le s390x x86_64):
librsvg-debugsource-2.46.5-3.3.1
librsvg-devel-2.46.5-3.3.1
typelib-1_0-Rsvg-2_0-2.46.5-3.3.1
o SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x
x86_64):
gdk-pixbuf-loader-rsvg-2.46.5-3.3.1
gdk-pixbuf-loader-rsvg-debuginfo-2.46.5-3.3.1
librsvg-2-2-2.46.5-3.3.1
librsvg-2-2-debuginfo-2.46.5-3.3.1
librsvg-debugsource-2.46.5-3.3.1
o SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x
x86_64):
gdk-pixbuf-loader-rsvg-2.46.5-3.3.1
gdk-pixbuf-loader-rsvg-debuginfo-2.46.5-3.3.1
librsvg-2-2-2.46.5-3.3.1
librsvg-2-2-debuginfo-2.46.5-3.3.1
librsvg-debugsource-2.46.5-3.3.1
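
As an added example (not part of the bulletins and not SUSE's or AusCERT's tooling), the following Python script reproduces rpm's version ordering and uses it to check `rpm -qa` output against the fixed package versions listed in the libnettle and librsvg advisories above, reporting installed packages that are still older than the fix. The installed-package sample is constructed for illustration; epochs and rpm's newer '^' marker are not handled.

```python
# Added example (not SUSE's or AusCERT's code): rpm-style version ordering used
# to check a host's installed packages against the fixed NVRs in the advisories.
import re

# Fixed name-version-release strings copied from the advisories on this page.
FIXED_NVRS = [
    "libnettle6-3.4.1-4.15.1",   # libnettle, SUSE-SU-2021:1412-1
    "libhogweed4-3.4.1-4.15.1",
    "libnettle4-2.7.1-13.3.1",   # libnettle, SUSE-SU-2021:1399-1
    "librsvg-2-2-2.46.5-3.3.1",  # librsvg, SUSE-SU-2021:1408-1
]

# Constructed `rpm -qa` output for illustration; not taken from a real host.
INSTALLED_SAMPLE = """\
libnettle6-3.4.1-4.12.1
libhogweed4-3.4.1-4.15.1
librsvg-2-2-2.46.4-3.3.1
bash-4.4-19.6.1
"""


def rpmvercmp(a, b):
    """Order two version/release strings like rpm's rpmvercmp(): -1, 0 or 1.
    Digit runs compare numerically, letter runs as text, digits beat letters,
    '~' sorts before anything, even end of string (1.0~rc1 < 1.0); '^' is not handled."""
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        # skip separators such as '.', '_' or '+'
        while ia < len(a) and not (a[ia].isalnum() or a[ia] == "~"):
            ia += 1
        while ib < len(b) and not (b[ib].isalnum() or b[ib] == "~"):
            ib += 1
        ta, tb = a[ia:ia + 1] == "~", b[ib:ib + 1] == "~"
        if ta or tb:
            if ta != tb:
                return -1 if ta else 1
            ia, ib = ia + 1, ib + 1
            continue
        if ia >= len(a) or ib >= len(b):
            break
        numeric = a[ia].isdigit()
        pat = r"[0-9]+" if numeric else r"[A-Za-z]+"
        sa = re.match(pat, a[ia:]).group()
        mb = re.match(pat, b[ib:])
        if mb is None:  # segment types differ: the numeric one counts as newer
            return 1 if numeric else -1
        sb = mb.group()
        ia, ib = ia + len(sa), ib + len(sb)
        if numeric:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if ia >= len(a) and ib >= len(b):
        return 0
    return -1 if ia >= len(a) else 1


def split_nvr(nvr):
    """Split 'name-version-release' on its last two hyphens (epoch not handled)."""
    return tuple(nvr.rsplit("-", 2))


def compare_nvr(installed, fixed):
    """-1 if installed is older than fixed, 0 if equal, 1 if newer."""
    _, v1, r1 = split_nvr(installed)
    _, v2, r2 = split_nvr(fixed)
    return rpmvercmp(v1, v2) or rpmvercmp(r1, r2)


def find_unpatched(rpm_qa_output, fixed_nvrs=FIXED_NVRS):
    """Installed NVRs older than the advisory's fixed NVR of the same name;
    advisory packages that are not installed at all are not reported."""
    fixed_by_name = {split_nvr(n)[0]: n for n in fixed_nvrs}
    return [p for p in rpm_qa_output.split() if p.count("-") >= 2
            and split_nvr(p)[0] in fixed_by_name
            and compare_nvr(p, fixed_by_name[split_nvr(p)[0]]) < 0]
```

On a real host, feed `find_unpatched` the output of `rpm -qa` and extend `FIXED_NVRS` with the package list for your product; an empty result means every listed package that is installed is at or above the fixed version.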

References:

o https://www.suse.com/security/cve/CVE-2021-25900.html
o https://bugzilla.suse.com/1183403

– ————————–END INCLUDED TEXT——————–


The post ESB-2021.1465 – ALERT [UNIX/Linux][SUSE] librsvg: Multiple vulnerabilities appeared first on Malware Devil.



https://malwaredevil.com/2021/04/29/esb-2021-1465-alert-unix-linuxsuse-librsvg-multiple-vulnerabilities/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2021-1465-alert-unix-linuxsuse-librsvg-multiple-vulnerabilities

Barbary Pirates and Russian Cybercrime

In 1801, the United States had a small Navy. Thomas Jefferson deployed almost half that Navy—three frigates and a schooner—to the Barbary C...