Security update for rmt-server SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:0185-1 Final 1 1 2019-03-23T10:59:47Z current 2019-03-23T10:59:47Z 2019-03-23T10:59:47Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for rmt-server This update for rmt-server to version 1.1.1 fixes the following issues: The following issues have been fixed: - Fixed migration problems which caused some extensions / modules to be dropped (bsc#1118584, bsc#1118579) - Fixed listing of mirrored products (bsc#1102193) - Include online migration paths into offline migration (bsc#1117106) - Sync products that do not have a base product (bsc#1109307) - Fixed SLP auto discovery for RMT (bsc#1113760) Update dependencies for security fixes: - CVE-2018-16468: Update loofah to 2.2.3 (bsc#1113969) - CVE-2018-16470: Update rack to 2.0.6 (bsc#1114831) - CVE-2018-14404: Update nokogiri to 1.8.5 (bsc#1102046) This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2019-185 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/AV7P2XPVE2GW6NK2J7LPNFK4M3HRKL2B/#AV7P2XPVE2GW6NK2J7LPNFK4M3HRKL2B E-Mail link for openSUSE-SU-2019:0185-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1102046 SUSE Bug 1102046 https://bugzilla.suse.com/1102193 SUSE Bug 1102193 https://bugzilla.suse.com/1109307 SUSE Bug 1109307 https://bugzilla.suse.com/1113760 SUSE Bug 1113760 https://bugzilla.suse.com/1113969 SUSE Bug 1113969 https://bugzilla.suse.com/1114831 SUSE Bug 1114831 https://bugzilla.suse.com/1117106 SUSE Bug 1117106 https://bugzilla.suse.com/1118579 SUSE Bug 1118579 https://bugzilla.suse.com/1118584 SUSE Bug 1118584 https://www.suse.com/security/cve/CVE-2018-14404/ SUSE CVE CVE-2018-14404 page https://www.suse.com/security/cve/CVE-2018-16468/ SUSE CVE CVE-2018-16468 page https://www.suse.com/security/cve/CVE-2018-16470/ SUSE CVE CVE-2018-16470 page openSUSE Leap 15.0 rmt-server-1.1.1-lp150.2.12.1 rmt-server-pubcloud-1.1.1-lp150.2.12.1 rmt-server-1.1.1-lp150.2.12.1 as a component of openSUSE Leap 15.0 rmt-server-pubcloud-1.1.1-lp150.2.12.1 as a component of openSUSE Leap 15.0 A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application. CVE-2018-14404 openSUSE Leap 15.0:rmt-server-1.1.1-lp150.2.12.1 openSUSE Leap 15.0:rmt-server-pubcloud-1.1.1-lp150.2.12.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/AV7P2XPVE2GW6NK2J7LPNFK4M3HRKL2B/#AV7P2XPVE2GW6NK2J7LPNFK4M3HRKL2B https://www.suse.com/security/cve/CVE-2018-14404.html CVE-2018-14404 https://bugzilla.suse.com/1102046 SUSE Bug 1102046 https://bugzilla.suse.com/1148896 SUSE Bug 1148896 In the Loofah gem for Ruby, through v2.2.2, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished. CVE-2018-16468 openSUSE Leap 15.0:rmt-server-1.1.1-lp150.2.12.1 openSUSE Leap 15.0:rmt-server-pubcloud-1.1.1-lp150.2.12.1 moderate 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/AV7P2XPVE2GW6NK2J7LPNFK4M3HRKL2B/#AV7P2XPVE2GW6NK2J7LPNFK4M3HRKL2B https://www.suse.com/security/cve/CVE-2018-16468.html CVE-2018-16468 https://bugzilla.suse.com/1113969 SUSE Bug 1113969 There is a possible DoS vulnerability in the multipart parser in Rack before 2.0.6. Specially crafted requests can cause the multipart parser to enter a pathological state, causing the parser to use CPU resources disproportionate to the request size. CVE-2018-16470 openSUSE Leap 15.0:rmt-server-1.1.1-lp150.2.12.1 openSUSE Leap 15.0:rmt-server-pubcloud-1.1.1-lp150.2.12.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/AV7P2XPVE2GW6NK2J7LPNFK4M3HRKL2B/#AV7P2XPVE2GW6NK2J7LPNFK4M3HRKL2B https://www.suse.com/security/cve/CVE-2018-16470.html CVE-2018-16470 https://bugzilla.suse.com/1114831 SUSE Bug 1114831