NetworkManager-1.32.10-2.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10602-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z NetworkManager-1.32.10-2.1 on GA media These are all security issues fixed in the NetworkManager-1.32.10-2.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10602 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2018-1000135/ SUSE CVE CVE-2018-1000135 page https://www.suse.com/security/cve/CVE-2018-15688/ SUSE CVE CVE-2018-15688 page https://www.suse.com/security/cve/CVE-2020-10754/ SUSE CVE CVE-2020-10754 page https://www.suse.com/security/cve/CVE-2020-13529/ SUSE CVE CVE-2020-13529 page https://www.suse.com/security/cve/CVE-2021-20297/ SUSE CVE CVE-2021-20297 page openSUSE Tumbleweed NetworkManager-1.32.10-2.1 NetworkManager-branding-upstream-1.32.10-2.1 NetworkManager-devel-1.32.10-2.1 NetworkManager-devel-32bit-1.32.10-2.1 NetworkManager-lang-1.32.10-2.1 libnm0-1.32.10-2.1 libnm0-32bit-1.32.10-2.1 typelib-1_0-NM-1_0-1.32.10-2.1 NetworkManager-1.32.10-2.1 as a component of openSUSE Tumbleweed NetworkManager-branding-upstream-1.32.10-2.1 as a component of openSUSE Tumbleweed NetworkManager-devel-1.32.10-2.1 as a component of openSUSE Tumbleweed NetworkManager-devel-32bit-1.32.10-2.1 as a component of openSUSE Tumbleweed NetworkManager-lang-1.32.10-2.1 as a component of openSUSE Tumbleweed libnm0-1.32.10-2.1 as a component of openSUSE Tumbleweed libnm0-32bit-1.32.10-2.1 as a component of openSUSE Tumbleweed typelib-1_0-NM-1_0-1.32.10-2.1 as a component of openSUSE Tumbleweed GNOME NetworkManager version 1.10.2 and earlier contains a Information Exposure (CWE-200) vulnerability in DNS resolver that can result in Private DNS queries leaked to local network's DNS servers, while on VPN. This vulnerability appears to have been fixed in Some Ubuntu 16.04 packages were fixed, but later updates removed the fix. cf. https://bugs.launchpad.net/ubuntu/+bug/1754671 an upstream fix does not appear to be available at this time. CVE-2018-1000135 openSUSE Tumbleweed:NetworkManager-1.32.10-2.1 openSUSE Tumbleweed:NetworkManager-branding-upstream-1.32.10-2.1 openSUSE Tumbleweed:NetworkManager-devel-1.32.10-2.1 openSUSE Tumbleweed:NetworkManager-devel-32bit-1.32.10-2.1 openSUSE Tumbleweed:NetworkManager-lang-1.32.10-2.1 openSUSE Tumbleweed:libnm0-1.32.10-2.1 openSUSE Tumbleweed:libnm0-32bit-1.32.10-2.1 openSUSE Tumbleweed:typelib-1_0-NM-1_0-1.32.10-2.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-1000135.html CVE-2018-1000135 https://bugzilla.suse.com/1086263 SUSE Bug 1086263 A buffer overflow vulnerability in the dhcp6 client of systemd allows a malicious dhcp6 server to overwrite heap memory in systemd-networkd. Affected releases are systemd: versions up to and including 239. CVE-2018-15688 openSUSE Tumbleweed:NetworkManager-1.32.10-2.1 openSUSE Tumbleweed:NetworkManager-branding-upstream-1.32.10-2.1 openSUSE Tumbleweed:NetworkManager-devel-1.32.10-2.1 openSUSE Tumbleweed:NetworkManager-devel-32bit-1.32.10-2.1 openSUSE Tumbleweed:NetworkManager-lang-1.32.10-2.1 openSUSE Tumbleweed:libnm0-1.32.10-2.1 openSUSE Tumbleweed:libnm0-32bit-1.32.10-2.1 openSUSE Tumbleweed:typelib-1_0-NM-1_0-1.32.10-2.1 important 5.8 AV:A/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-15688.html CVE-2018-15688 https://bugzilla.suse.com/1113632 SUSE Bug 1113632 https://bugzilla.suse.com/1113668 SUSE Bug 1113668 https://bugzilla.suse.com/1113669 SUSE Bug 1113669 It was found that nmcli, a command line interface to NetworkManager did not honour 802-1x.ca-path and 802-1x.phase2-ca-path settings, when creating a new profile. When a user connects to a network using this profile, the authentication does not happen and the connection is made insecurely. CVE-2020-10754 openSUSE Tumbleweed:NetworkManager-1.32.10-2.1 openSUSE Tumbleweed:NetworkManager-branding-upstream-1.32.10-2.1 openSUSE Tumbleweed:NetworkManager-devel-1.32.10-2.1 openSUSE Tumbleweed:NetworkManager-devel-32bit-1.32.10-2.1 openSUSE Tumbleweed:NetworkManager-lang-1.32.10-2.1 openSUSE Tumbleweed:libnm0-1.32.10-2.1 openSUSE Tumbleweed:libnm0-32bit-1.32.10-2.1 openSUSE Tumbleweed:typelib-1_0-NM-1_0-1.32.10-2.1 moderate 4 AV:N/AC:L/Au:S/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-10754.html CVE-2020-10754 https://bugzilla.suse.com/1172457 SUSE Bug 1172457 An exploitable denial-of-service vulnerability exists in Systemd 245. A specially crafted DHCP FORCERENEW packet can cause a server running the DHCP client to be vulnerable to a DHCP ACK spoofing attack. An attacker can forge a pair of FORCERENEW and DCHP ACK packets to reconfigure the server. CVE-2020-13529 openSUSE Tumbleweed:NetworkManager-1.32.10-2.1 openSUSE Tumbleweed:NetworkManager-branding-upstream-1.32.10-2.1 openSUSE Tumbleweed:NetworkManager-devel-1.32.10-2.1 openSUSE Tumbleweed:NetworkManager-devel-32bit-1.32.10-2.1 openSUSE Tumbleweed:NetworkManager-lang-1.32.10-2.1 openSUSE Tumbleweed:libnm0-1.32.10-2.1 openSUSE Tumbleweed:libnm0-32bit-1.32.10-2.1 openSUSE Tumbleweed:typelib-1_0-NM-1_0-1.32.10-2.1 moderate 2.9 AV:A/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-13529.html CVE-2020-13529 https://bugzilla.suse.com/1185972 SUSE Bug 1185972 A flaw was found in NetworkManager in versions before 1.30.0. Setting match.path and activating a profile crashes NetworkManager. The highest threat from this vulnerability is to system availability. CVE-2021-20297 openSUSE Tumbleweed:NetworkManager-1.32.10-2.1 openSUSE Tumbleweed:NetworkManager-branding-upstream-1.32.10-2.1 openSUSE Tumbleweed:NetworkManager-devel-1.32.10-2.1 openSUSE Tumbleweed:NetworkManager-devel-32bit-1.32.10-2.1 openSUSE Tumbleweed:NetworkManager-lang-1.32.10-2.1 openSUSE Tumbleweed:libnm0-1.32.10-2.1 openSUSE Tumbleweed:libnm0-32bit-1.32.10-2.1 openSUSE Tumbleweed:typelib-1_0-NM-1_0-1.32.10-2.1 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-20297.html CVE-2021-20297 https://bugzilla.suse.com/1184433 SUSE Bug 1184433