Security update for hawk2 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:0473-1 Final 1 1 2021-03-25T08:11:45Z current 2021-03-25T08:11:45Z 2021-03-25T08:11:45Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for hawk2 This update for hawk2 fixes the following issues: - Update to version 2.6.3: * Remove hawk_invoke and use capture3 instead of runas (bsc#1179999)(CVE-2020-35459) * Remove unnecessary chmod (bsc#1182166)(CVE-2021-25314) * Sanitize filename to contains whitelist of alphanumeric (bsc#1182165) This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2021-473 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/P6Y6RW5YXKZSLM7CRGCZD5EXRQATEN6Q/ E-Mail link for openSUSE-SU-2021:0473-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1179999 SUSE Bug 1179999 https://bugzilla.suse.com/1182165 SUSE Bug 1182165 https://bugzilla.suse.com/1182166 SUSE Bug 1182166 https://www.suse.com/security/cve/CVE-2020-35459/ SUSE CVE CVE-2020-35459 page https://www.suse.com/security/cve/CVE-2021-25314/ SUSE CVE CVE-2021-25314 page openSUSE Leap 15.2 hawk2-2.6.3+git.1614684118.af555ad9-lp152.2.18.1 hawk2-2.6.3+git.1614684118.af555ad9-lp152.2.18.1 as a component of openSUSE Leap 15.2 An issue was discovered in ClusterLabs crmsh through 4.2.1. Local attackers able to call "crm history" (when "crm" is run) were able to execute commands via shell code injection to the crm history commandline, potentially allowing escalation of privileges. CVE-2020-35459 openSUSE Leap 15.2:hawk2-2.6.3+git.1614684118.af555ad9-lp152.2.18.1 important 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/P6Y6RW5YXKZSLM7CRGCZD5EXRQATEN6Q/ https://www.suse.com/security/cve/CVE-2020-35459.html CVE-2020-35459 https://bugzilla.suse.com/1179999 SUSE Bug 1179999 A Creation of Temporary File With Insecure Permissions vulnerability in hawk2 of SUSE Linux Enterprise High Availability 12-SP3, SUSE Linux Enterprise High Availability 12-SP5, SUSE Linux Enterprise High Availability 15-SP2 allows local attackers to escalate to root. This issue affects: SUSE Linux Enterprise High Availability 12-SP3 hawk2 versions prior to 2.6.3+git.1614685906.812c31e9. SUSE Linux Enterprise High Availability 12-SP5 hawk2 versions prior to 2.6.3+git.1614685906.812c31e9. SUSE Linux Enterprise High Availability 15-SP2 hawk2 versions prior to 2.6.3+git.1614684118.af555ad9. CVE-2021-25314 openSUSE Leap 15.2:hawk2-2.6.3+git.1614684118.af555ad9-lp152.2.18.1 important 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/P6Y6RW5YXKZSLM7CRGCZD5EXRQATEN6Q/ https://www.suse.com/security/cve/CVE-2021-25314.html CVE-2021-25314 https://bugzilla.suse.com/1182166 SUSE Bug 1182166 https://bugzilla.suse.com/1183693 SUSE Bug 1183693