gdm-3.38.2-2.7 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10780 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z gdm-3.38.2-2.7 on GA media These are all security issues fixed in the gdm-3.38.2-2.7 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10780 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:10780 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2017-12164/ SUSE CVE CVE-2017-12164 page https://www.suse.com/security/cve/CVE-2018-14424/ SUSE CVE CVE-2018-14424 page https://www.suse.com/security/cve/CVE-2019-3825/ SUSE CVE CVE-2019-3825 page openSUSE Tumbleweed gdm-3.38.2-2.7 gdm-branding-upstream-3.38.2-2.7 gdm-devel-3.38.2-2.7 gdm-lang-3.38.2-2.7 gdm-systemd-3.38.2-2.7 gdmflexiserver-3.38.2-2.7 libgdm1-3.38.2-2.7 typelib-1_0-Gdm-1_0-3.38.2-2.7 gdm-3.38.2-2.7 as a component of openSUSE Tumbleweed gdm-branding-upstream-3.38.2-2.7 as a component of openSUSE Tumbleweed gdm-devel-3.38.2-2.7 as a component of openSUSE Tumbleweed gdm-lang-3.38.2-2.7 as a component of openSUSE Tumbleweed gdm-systemd-3.38.2-2.7 as a component of openSUSE Tumbleweed gdmflexiserver-3.38.2-2.7 as a component of openSUSE Tumbleweed libgdm1-3.38.2-2.7 as a component of openSUSE Tumbleweed typelib-1_0-Gdm-1_0-3.38.2-2.7 as a component of openSUSE Tumbleweed A flaw was discovered in gdm 3.24.1 where gdm greeter was no longer setting the ran_once boolean during autologin. If autologin was enabled for a victim, an attacker could simply select 'login as another user' to unlock their screen. CVE-2017-12164 openSUSE Tumbleweed:gdm-3.38.2-2.7 openSUSE Tumbleweed:gdm-branding-upstream-3.38.2-2.7 openSUSE Tumbleweed:gdm-devel-3.38.2-2.7 openSUSE Tumbleweed:gdm-lang-3.38.2-2.7 openSUSE Tumbleweed:gdm-systemd-3.38.2-2.7 openSUSE Tumbleweed:gdmflexiserver-3.38.2-2.7 openSUSE Tumbleweed:libgdm1-3.38.2-2.7 openSUSE Tumbleweed:typelib-1_0-Gdm-1_0-3.38.2-2.7 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-12164.html CVE-2017-12164 https://bugzilla.suse.com/1058136 SUSE Bug 1058136 https://bugzilla.suse.com/1180206 SUSE Bug 1180206 The daemon in GDM through 3.29.1 does not properly unexport display objects from its D-Bus interface when they are destroyed, which allows a local attacker to trigger a use-after-free via a specially crafted sequence of D-Bus method calls, resulting in a denial of service or potential code execution. CVE-2018-14424 openSUSE Tumbleweed:gdm-3.38.2-2.7 openSUSE Tumbleweed:gdm-branding-upstream-3.38.2-2.7 openSUSE Tumbleweed:gdm-devel-3.38.2-2.7 openSUSE Tumbleweed:gdm-lang-3.38.2-2.7 openSUSE Tumbleweed:gdm-systemd-3.38.2-2.7 openSUSE Tumbleweed:gdmflexiserver-3.38.2-2.7 openSUSE Tumbleweed:libgdm1-3.38.2-2.7 openSUSE Tumbleweed:typelib-1_0-Gdm-1_0-3.38.2-2.7 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-14424.html CVE-2018-14424 https://bugzilla.suse.com/1103737 SUSE Bug 1103737 A vulnerability was discovered in gdm before 3.31.4. When timed login is enabled in configuration, an attacker could bypass the lock screen by selecting the timed login user and waiting for the timer to expire, at which time they would gain access to the logged-in user's session. CVE-2019-3825 openSUSE Tumbleweed:gdm-3.38.2-2.7 openSUSE Tumbleweed:gdm-branding-upstream-3.38.2-2.7 openSUSE Tumbleweed:gdm-devel-3.38.2-2.7 openSUSE Tumbleweed:gdm-lang-3.38.2-2.7 openSUSE Tumbleweed:gdm-systemd-3.38.2-2.7 openSUSE Tumbleweed:gdmflexiserver-3.38.2-2.7 openSUSE Tumbleweed:libgdm1-3.38.2-2.7 openSUSE Tumbleweed:typelib-1_0-Gdm-1_0-3.38.2-2.7 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-3825.html CVE-2019-3825 https://bugzilla.suse.com/1124628 SUSE Bug 1124628