hawk2-2.6.4+git.1682509819.1ff135ea-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:12952-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z hawk2-2.6.4+git.1682509819.1ff135ea-1.1 on GA media These are all security issues fixed in the hawk2-2.6.4+git.1682509819.1ff135ea-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-12952 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2020-35458/ SUSE CVE CVE-2020-35458 page https://www.suse.com/security/cve/CVE-2020-35459/ SUSE CVE CVE-2020-35459 page https://www.suse.com/security/cve/CVE-2021-25314/ SUSE CVE CVE-2021-25314 page openSUSE Tumbleweed hawk2-2.6.4+git.1682509819.1ff135ea-1.1 hawk2-2.6.4+git.1682509819.1ff135ea-1.1 as a component of openSUSE Tumbleweed An issue was discovered in ClusterLabs Hawk 2.x through 2.3.0-x. There is a Ruby shell code injection issue via the hawk_remember_me_id parameter in the login_from_cookie cookie. The user logout routine could be used by unauthenticated remote attackers to execute code as hauser. CVE-2020-35458 openSUSE Tumbleweed:hawk2-2.6.4+git.1682509819.1ff135ea-1.1 critical 10 AV:N/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-35458.html CVE-2020-35458 https://bugzilla.suse.com/1179998 SUSE Bug 1179998 An issue was discovered in ClusterLabs crmsh through 4.2.1. Local attackers able to call "crm history" (when "crm" is run) were able to execute commands via shell code injection to the crm history commandline, potentially allowing escalation of privileges. CVE-2020-35459 openSUSE Tumbleweed:hawk2-2.6.4+git.1682509819.1ff135ea-1.1 important 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-35459.html CVE-2020-35459 https://bugzilla.suse.com/1179999 SUSE Bug 1179999 A Creation of Temporary File With Insecure Permissions vulnerability in hawk2 of SUSE Linux Enterprise High Availability 12-SP3, SUSE Linux Enterprise High Availability 12-SP5, SUSE Linux Enterprise High Availability 15-SP2 allows local attackers to escalate to root. This issue affects: SUSE Linux Enterprise High Availability 12-SP3 hawk2 versions prior to 2.6.3+git.1614685906.812c31e9. SUSE Linux Enterprise High Availability 12-SP5 hawk2 versions prior to 2.6.3+git.1614685906.812c31e9. SUSE Linux Enterprise High Availability 15-SP2 hawk2 versions prior to 2.6.3+git.1614684118.af555ad9. CVE-2021-25314 openSUSE Tumbleweed:hawk2-2.6.4+git.1682509819.1ff135ea-1.1 important 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-25314.html CVE-2021-25314 https://bugzilla.suse.com/1182166 SUSE Bug 1182166 https://bugzilla.suse.com/1183693 SUSE Bug 1183693