obs-service-appimage-0.10.28.1632141620.a8837d3-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11107 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z obs-service-appimage-0.10.28.1632141620.a8837d3-1.1 on GA media These are all security issues fixed in the obs-service-appimage-0.10.28.1632141620.a8837d3-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11107 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:11107 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2018-12473/ SUSE CVE CVE-2018-12473 page https://www.suse.com/security/cve/CVE-2018-12474/ SUSE CVE CVE-2018-12474 page https://www.suse.com/security/cve/CVE-2018-12476/ SUSE CVE CVE-2018-12476 page openSUSE Tumbleweed obs-service-appimage-0.10.28.1632141620.a8837d3-1.1 obs-service-obs_scm-0.10.28.1632141620.a8837d3-1.1 obs-service-obs_scm-common-0.10.28.1632141620.a8837d3-1.1 obs-service-snapcraft-0.10.28.1632141620.a8837d3-1.1 obs-service-tar-0.10.28.1632141620.a8837d3-1.1 obs-service-tar_scm-0.10.28.1632141620.a8837d3-1.1 obs-service-appimage-0.10.28.1632141620.a8837d3-1.1 as a component of openSUSE Tumbleweed obs-service-obs_scm-0.10.28.1632141620.a8837d3-1.1 as a component of openSUSE Tumbleweed obs-service-obs_scm-common-0.10.28.1632141620.a8837d3-1.1 as a component of openSUSE Tumbleweed obs-service-snapcraft-0.10.28.1632141620.a8837d3-1.1 as a component of openSUSE Tumbleweed obs-service-tar-0.10.28.1632141620.a8837d3-1.1 as a component of openSUSE Tumbleweed obs-service-tar_scm-0.10.28.1632141620.a8837d3-1.1 as a component of openSUSE Tumbleweed A path traversal traversal vulnerability in obs-service-tar_scm of Open Build Service allows remote attackers to cause access files not in the current build. On the server itself this is prevented by confining the worker via KVM. Affected releases are openSUSE Open Build Service: versions prior to 70d1aa4cc4d7b940180553a63805c22fc62e2cf0. CVE-2018-12473 openSUSE Tumbleweed:obs-service-appimage-0.10.28.1632141620.a8837d3-1.1 openSUSE Tumbleweed:obs-service-obs_scm-0.10.28.1632141620.a8837d3-1.1 openSUSE Tumbleweed:obs-service-obs_scm-common-0.10.28.1632141620.a8837d3-1.1 openSUSE Tumbleweed:obs-service-snapcraft-0.10.28.1632141620.a8837d3-1.1 openSUSE Tumbleweed:obs-service-tar-0.10.28.1632141620.a8837d3-1.1 openSUSE Tumbleweed:obs-service-tar_scm-0.10.28.1632141620.a8837d3-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-12473.html CVE-2018-12473 https://bugzilla.suse.com/1105361 SUSE Bug 1105361 Improper input validation in obs-service-tar_scm of Open Build Service allows remote attackers to cause access and extract information outside the current build or cause the creation of file in attacker controlled locations. Affected releases are openSUSE Open Build Service: versions prior to 51a17c553b6ae2598820b7a90fd0c11502a49106. CVE-2018-12474 openSUSE Tumbleweed:obs-service-appimage-0.10.28.1632141620.a8837d3-1.1 openSUSE Tumbleweed:obs-service-obs_scm-0.10.28.1632141620.a8837d3-1.1 openSUSE Tumbleweed:obs-service-obs_scm-common-0.10.28.1632141620.a8837d3-1.1 openSUSE Tumbleweed:obs-service-snapcraft-0.10.28.1632141620.a8837d3-1.1 openSUSE Tumbleweed:obs-service-tar-0.10.28.1632141620.a8837d3-1.1 openSUSE Tumbleweed:obs-service-tar_scm-0.10.28.1632141620.a8837d3-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-12474.html CVE-2018-12474 https://bugzilla.suse.com/1107507 SUSE Bug 1107507 Relative Path Traversal vulnerability in obs-service-tar_scm of SUSE Linux Enterprise Server 15; openSUSE Factory allows remote attackers with control over a repository to overwrite files on the machine of the local user if a malicious service is executed. This issue affects: SUSE Linux Enterprise Server 15 obs-service-tar_scm versions prior to 0.9.2.1537788075.fefaa74:. openSUSE Factory obs-service-tar_scm versions prior to 0.9.2.1537788075.fefaa74. CVE-2018-12476 openSUSE Tumbleweed:obs-service-appimage-0.10.28.1632141620.a8837d3-1.1 openSUSE Tumbleweed:obs-service-obs_scm-0.10.28.1632141620.a8837d3-1.1 openSUSE Tumbleweed:obs-service-obs_scm-common-0.10.28.1632141620.a8837d3-1.1 openSUSE Tumbleweed:obs-service-snapcraft-0.10.28.1632141620.a8837d3-1.1 openSUSE Tumbleweed:obs-service-tar-0.10.28.1632141620.a8837d3-1.1 openSUSE Tumbleweed:obs-service-tar_scm-0.10.28.1632141620.a8837d3-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-12476.html CVE-2018-12476 https://bugzilla.suse.com/1107944 SUSE Bug 1107944