libtcmu2-1.5.4-2.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11940 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libtcmu2-1.5.4-2.1 on GA media These are all security issues fixed in the libtcmu2-1.5.4-2.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11940 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:11940 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2020-28374/ SUSE CVE CVE-2020-28374 page openSUSE Tumbleweed libtcmu2-1.5.4-2.1 tcmu-runner-1.5.4-2.1 tcmu-runner-handler-glusterfs-1.5.4-2.1 tcmu-runner-handler-rbd-1.5.4-2.1 tcmu-runner-handler-zbc-1.5.4-2.1 libtcmu2-1.5.4-2.1 as a component of openSUSE Tumbleweed tcmu-runner-1.5.4-2.1 as a component of openSUSE Tumbleweed tcmu-runner-handler-glusterfs-1.5.4-2.1 as a component of openSUSE Tumbleweed tcmu-runner-handler-rbd-1.5.4-2.1 as a component of openSUSE Tumbleweed tcmu-runner-handler-zbc-1.5.4-2.1 as a component of openSUSE Tumbleweed In drivers/target/target_core_xcopy.c in the Linux kernel before 5.10.7, insufficient identifier checking in the LIO SCSI target code can be used by remote attackers to read or write files via directory traversal in an XCOPY request, aka CID-2896c93811e3. For example, an attack can occur over a network if the attacker has access to one iSCSI LUN. The attacker gains control over file access because I/O operations are proxied via an attacker-selected backstore. CVE-2020-28374 openSUSE Tumbleweed:libtcmu2-1.5.4-2.1 openSUSE Tumbleweed:tcmu-runner-1.5.4-2.1 openSUSE Tumbleweed:tcmu-runner-handler-glusterfs-1.5.4-2.1 openSUSE Tumbleweed:tcmu-runner-handler-rbd-1.5.4-2.1 openSUSE Tumbleweed:tcmu-runner-handler-zbc-1.5.4-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-28374.html CVE-2020-28374 https://bugzilla.suse.com/1178372 SUSE Bug 1178372 https://bugzilla.suse.com/1178684 SUSE Bug 1178684 https://bugzilla.suse.com/1180676 SUSE Bug 1180676