govulncheck-vulndb-0.0.20241121T195252-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:14519-1 Final 1 1 2024-11-23T00:00:00Z current 2024-11-23T00:00:00Z 2024-11-23T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z govulncheck-vulndb-0.0.20241121T195252-1.1 on GA media These are all security issues fixed in the govulncheck-vulndb-0.0.20241121T195252-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-14519 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FNC2B63TAEEYGQ7XDBRHH6KDG7VDWO65/ E-Mail link for openSUSE-SU-2024:14519-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2024-52280/ SUSE CVE CVE-2024-52280 page https://www.suse.com/security/cve/CVE-2024-52282/ SUSE CVE CVE-2024-52282 page https://www.suse.com/security/cve/CVE-2024-52309/ SUSE CVE CVE-2024-52309 page openSUSE Tumbleweed govulncheck-vulndb-0.0.20241121T195252-1.1 govulncheck-vulndb-0.0.20241121T195252-1.1 as a component of openSUSE Tumbleweed ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2024-52280 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241121T195252-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FNC2B63TAEEYGQ7XDBRHH6KDG7VDWO65/ https://www.suse.com/security/cve/CVE-2024-52280.html CVE-2024-52280 https://bugzilla.suse.com/1233077 SUSE Bug 1233077 ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2024-52282 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241121T195252-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FNC2B63TAEEYGQ7XDBRHH6KDG7VDWO65/ https://www.suse.com/security/cve/CVE-2024-52282.html CVE-2024-52282 https://bugzilla.suse.com/1233495 SUSE Bug 1233495 SFTPGo is a full-featured and highly configurable SFTP, HTTP/S, FTP/S and WebDAV server - S3, Google Cloud Storage, Azure Blob. One powerful feature of SFTPGo is the ability to have the EventManager execute scripts or run applications in response to certain events. This feature is very common in all software similar to SFTPGo and is generally unrestricted. However, any SFTPGo administrator with permission to run a script has access to the underlying OS/container with the same permissions as the user running SFTPGo. This is unexpected for some SFTPGo administrators who think that there is a clear distinction between accessing the system shell and accessing the SFTPGo WebAdmin UI. To avoid this confusion, running system commands is disabled by default in 2.6.3, and an allow list has been added so that system administrators configuring SFTPGo must explicitly define which commands are allowed to be configured from the WebAdmin UI. CVE-2024-52309 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241121T195252-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FNC2B63TAEEYGQ7XDBRHH6KDG7VDWO65/ https://www.suse.com/security/cve/CVE-2024-52309.html CVE-2024-52309