Security update for ksh SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:2756-1 Final 1 1 2024-08-05T19:57:56Z current 2024-08-05T19:57:56Z 2024-08-05T19:57:56Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for ksh This update for ksh fixes the following issues: - CVE-2019-14868: Fixed code injection due to environment variables on startup interpreted as arithmetic expression (bsc#1160796) Other fixes: - do not use posix_spawn as it lacks proper job handling (bsc#1224057) - fix segfault in variable substitution (bsc#1129288) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Image SLES12-SP5-Azure-BYOS-2024-2756,Image SLES12-SP5-Azure-HPC-BYOS-2024-2756,Image SLES12-SP5-Azure-HPC-On-Demand-2024-2756,Image SLES12-SP5-Azure-SAP-BYOS-2024-2756,Image SLES12-SP5-Azure-SAP-On-Demand-2024-2756,Image SLES12-SP5-Azure-Standard-On-Demand-2024-2756,Image SLES12-SP5-EC2-BYOS-2024-2756,Image SLES12-SP5-EC2-On-Demand-2024-2756,Image SLES12-SP5-EC2-SAP-BYOS-2024-2756,Image SLES12-SP5-EC2-SAP-On-Demand-2024-2756,Image SLES12-SP5-GCE-BYOS-2024-2756,Image SLES12-SP5-GCE-On-Demand-2024-2756,Image SLES12-SP5-GCE-SAP-BYOS-2024-2756,Image SLES12-SP5-GCE-SAP-On-Demand-2024-2756,Image SLES12-SP5-SAP-Azure-LI-BYOS-Production-2024-2756,Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production-2024-2756,SUSE-2024-2756,SUSE-SLE-Module-Legacy-12-2024-2756,SUSE-SLE-SDK-12-SP5-2024-2756 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20242756-1/ Link for SUSE-SU-2024:2756-1 https://lists.suse.com/pipermail/sle-updates/2024-August/036291.html E-Mail link for SUSE-SU-2024:2756-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1129288 SUSE Bug 1129288 https://bugzilla.suse.com/1160796 SUSE Bug 1160796 https://bugzilla.suse.com/1224057 SUSE Bug 1224057 https://www.suse.com/security/cve/CVE-2019-14868/ SUSE CVE CVE-2019-14868 page Image SLES12-SP5-Azure-BYOS Image SLES12-SP5-Azure-HPC-BYOS Image SLES12-SP5-Azure-HPC-On-Demand Image SLES12-SP5-Azure-SAP-BYOS Image SLES12-SP5-Azure-SAP-On-Demand Image SLES12-SP5-Azure-Standard-On-Demand Image SLES12-SP5-EC2-BYOS Image SLES12-SP5-EC2-On-Demand Image SLES12-SP5-EC2-SAP-BYOS Image SLES12-SP5-EC2-SAP-On-Demand Image SLES12-SP5-GCE-BYOS Image SLES12-SP5-GCE-On-Demand Image SLES12-SP5-GCE-SAP-BYOS Image SLES12-SP5-GCE-SAP-On-Demand Image SLES12-SP5-SAP-Azure-LI-BYOS-Production Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production SUSE Linux Enterprise Module for Legacy 12 SUSE Linux Enterprise Software Development Kit 12 SP5 ksh-93vu-19.3.2 ksh-devel-93vu-19.3.2 ksh-93vu-19.3.2 as a component of Image SLES12-SP5-Azure-BYOS ksh-93vu-19.3.2 as a component of Image SLES12-SP5-Azure-HPC-BYOS ksh-93vu-19.3.2 as a component of Image SLES12-SP5-Azure-HPC-On-Demand ksh-93vu-19.3.2 as a component of Image SLES12-SP5-Azure-SAP-BYOS ksh-93vu-19.3.2 as a component of Image SLES12-SP5-Azure-SAP-On-Demand ksh-93vu-19.3.2 as a component of Image SLES12-SP5-Azure-Standard-On-Demand ksh-93vu-19.3.2 as a component of Image SLES12-SP5-EC2-BYOS ksh-93vu-19.3.2 as a component of Image SLES12-SP5-EC2-On-Demand ksh-93vu-19.3.2 as a component of Image SLES12-SP5-EC2-SAP-BYOS ksh-93vu-19.3.2 as a component of Image SLES12-SP5-EC2-SAP-On-Demand ksh-93vu-19.3.2 as a component of Image SLES12-SP5-GCE-BYOS ksh-93vu-19.3.2 as a component of Image SLES12-SP5-GCE-On-Demand ksh-93vu-19.3.2 as a component of Image SLES12-SP5-GCE-SAP-BYOS ksh-93vu-19.3.2 as a component of Image SLES12-SP5-GCE-SAP-On-Demand ksh-93vu-19.3.2 as a component of Image SLES12-SP5-SAP-Azure-LI-BYOS-Production ksh-93vu-19.3.2 as a component of Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production ksh-93vu-19.3.2 as a component of SUSE Linux Enterprise Module for Legacy 12 ksh-devel-93vu-19.3.2 as a component of SUSE Linux Enterprise Software Development Kit 12 SP5 In ksh version 20120801, a flaw was found in the way it evaluates certain environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Services and applications that allow remote unauthenticated attackers to provide one of those environment variables could allow them to exploit this issue remotely. CVE-2019-14868 Image SLES12-SP5-Azure-BYOS:ksh-93vu-19.3.2 Image SLES12-SP5-Azure-HPC-BYOS:ksh-93vu-19.3.2 Image SLES12-SP5-Azure-HPC-On-Demand:ksh-93vu-19.3.2 Image SLES12-SP5-Azure-SAP-BYOS:ksh-93vu-19.3.2 Image SLES12-SP5-Azure-SAP-On-Demand:ksh-93vu-19.3.2 Image SLES12-SP5-Azure-Standard-On-Demand:ksh-93vu-19.3.2 Image SLES12-SP5-EC2-BYOS:ksh-93vu-19.3.2 Image SLES12-SP5-EC2-On-Demand:ksh-93vu-19.3.2 Image SLES12-SP5-EC2-SAP-BYOS:ksh-93vu-19.3.2 Image SLES12-SP5-EC2-SAP-On-Demand:ksh-93vu-19.3.2 Image SLES12-SP5-GCE-BYOS:ksh-93vu-19.3.2 Image SLES12-SP5-GCE-On-Demand:ksh-93vu-19.3.2 Image SLES12-SP5-GCE-SAP-BYOS:ksh-93vu-19.3.2 Image SLES12-SP5-GCE-SAP-On-Demand:ksh-93vu-19.3.2 Image SLES12-SP5-SAP-Azure-LI-BYOS-Production:ksh-93vu-19.3.2 Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production:ksh-93vu-19.3.2 SUSE Linux Enterprise Module for Legacy 12:ksh-93vu-19.3.2 SUSE Linux Enterprise Software Development Kit 12 SP5:ksh-devel-93vu-19.3.2 important 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242756-1/ https://www.suse.com/security/cve/CVE-2019-14868.html CVE-2019-14868 https://bugzilla.suse.com/1160796 SUSE Bug 1160796