Security update for calamares SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:2655-1 Final 1 1 2019-12-09T11:20:42Z current 2019-12-09T11:20:42Z 2019-12-09T11:20:42Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for calamares This update for calamares fixes the following issues: - Launch with 'pkexec calamares' in openSUSE Tumbleweed, but launch with 'xdg-su -c calamares' in openSUSE Leap 15. Update to Calamares 3.2.15: - 'displaymanager' module now treats 'sysconfig' as a regular entry in the 'displaymanagers' list, and the 'sysconfigSetup' key is used as a shorthand to force only that entry in the list. - 'machineid' module has been re-written in C++ and extended with a new configuration key to generate urandom pool data. - 'unpackfs' now supports a special 'sourcefs' value of file for copying single files (optionally with renaming) or directory trees to the target system. - 'unpackfs' now support an 'exclude' and 'excludeFile' setting for excluding particular files or patters from unpacking. Update to Calamares 3.2.14: - 'locale' module no longer recognizes the legacy GeoIP configuration. This has been deprecated since Calamares 3.2.8 and is now removed. - 'packagechooser' module can now be custom-labeled in the overall progress (left-hand column). - 'displaymanager' module now recognizes KDE Plasma 5.17. - 'displaymanager' module now can handle Wayland sessions and can detect sessions from their .desktop files. - 'unpackfs' now has special handling for sourcefs setting “file”. Update to Calamares 3.2.13. More about upstream changes: https://calamares.io/calamares-3.2.13-is-out/ and https://calamares.io/calamares-3.2.12-is-out/ Update to Calamares 3.2.11: - Fix race condition in modules/luksbootkeyfile/main.py (boo#1140256, CVE-2019-13178) - more about upstream changes in 3.2 versions can be found in https://calamares.io/ and https://github.com/calamares/calamares/releases This update was imported from the openSUSE:Leap:15.1:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2019-2655 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4TOLBXDJOI3P5ENJK3LMN4VDQM4USKW3/#4TOLBXDJOI3P5ENJK3LMN4VDQM4USKW3 E-Mail link for openSUSE-SU-2019:2655-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1140256 SUSE Bug 1140256 https://bugzilla.suse.com/1152377 SUSE Bug 1152377 https://www.suse.com/security/cve/CVE-2019-13178/ SUSE CVE CVE-2019-13178 page SUSE Package Hub 15 SP1 calamares-3.2.15-bp151.4.3.1 calamares-branding-upstream-3.2.15-bp151.4.3.1 calamares-webview-3.2.15-bp151.4.3.1 calamares-3.2.15-bp151.4.3.1 as a component of SUSE Package Hub 15 SP1 calamares-branding-upstream-3.2.15-bp151.4.3.1 as a component of SUSE Package Hub 15 SP1 calamares-webview-3.2.15-bp151.4.3.1 as a component of SUSE Package Hub 15 SP1 modules/luksbootkeyfile/main.py in Calamares versions 3.1 through 3.2.10 has a race condition between the time when the LUKS encryption keyfile is created and when secure permissions are set. CVE-2019-13178 SUSE Package Hub 15 SP1:calamares-3.2.15-bp151.4.3.1 SUSE Package Hub 15 SP1:calamares-branding-upstream-3.2.15-bp151.4.3.1 SUSE Package Hub 15 SP1:calamares-webview-3.2.15-bp151.4.3.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4TOLBXDJOI3P5ENJK3LMN4VDQM4USKW3/#4TOLBXDJOI3P5ENJK3LMN4VDQM4USKW3 https://www.suse.com/security/cve/CVE-2019-13178.html CVE-2019-13178 https://bugzilla.suse.com/1140256 SUSE Bug 1140256