squashfs-4.5.1-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11986-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z squashfs-4.5.1-1.1 on GA media These are all security issues fixed in the squashfs-4.5.1-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11986 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2021-41072/ SUSE CVE CVE-2021-41072 page openSUSE Tumbleweed squashfs-4.5.1-1.1 squashfs-4.5.1-1.1 as a component of openSUSE Tumbleweed squashfs_opendir in unsquash-2.c in Squashfs-Tools 4.5 allows Directory Traversal, a different vulnerability than CVE-2021-40153. A squashfs filesystem that has been crafted to include a symbolic link and then contents under the same filename in a filesystem can cause unsquashfs to first create the symbolic link pointing outside the expected directory, and then the subsequent write operation will cause the unsquashfs process to write through the symbolic link elsewhere in the filesystem. CVE-2021-41072 openSUSE Tumbleweed:squashfs-4.5.1-1.1 moderate 5.8 AV:N/AC:M/Au:N/C:N/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-41072.html CVE-2021-41072 https://bugzilla.suse.com/1189936 SUSE Bug 1189936