Security update for hawk2 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2021:0942-1 Final 1 1 2021-03-24T11:26:26Z current 2021-03-24T11:26:26Z 2021-03-24T11:26:26Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for hawk2 This update for hawk2 fixes the following issues: - Update to version 2.6.3: * Remove hawk_invoke and use capture3 instead of runas (bsc#1179999)(CVE-2020-35459) * Remove unnecessary chmod (bsc#1182166)(CVE-2021-25314) * Sanitize filename to contains whitelist of alphanumeric (bsc#1182165) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Image SLES12-SP5-Azure-SAP-BYOS-2021-942,Image SLES12-SP5-Azure-SAP-On-Demand-2021-942,Image SLES12-SP5-EC2-SAP-BYOS-2021-942,Image SLES12-SP5-EC2-SAP-On-Demand-2021-942,Image SLES12-SP5-GCE-SAP-BYOS-2021-942,Image SLES12-SP5-GCE-SAP-On-Demand-2021-942,Image SLES12-SP5-OCI-BYOS-SAP-BYOS-2021-942,Image SLES12-SP5-SAP-Azure-LI-BYOS-Production-2021-942,Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production-2021-942,SUSE-2021-942,SUSE-SLE-HA-12-SP4-2021-942,SUSE-SLE-HA-12-SP5-2021-942 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2021/suse-su-20210942-1/ Link for SUSE-SU-2021:0942-1 https://lists.suse.com/pipermail/sle-security-updates/2021-March/008544.html E-Mail link for SUSE-SU-2021:0942-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1179999 SUSE Bug 1179999 https://bugzilla.suse.com/1182165 SUSE Bug 1182165 https://bugzilla.suse.com/1182166 SUSE Bug 1182166 https://www.suse.com/security/cve/CVE-2020-35459/ SUSE CVE CVE-2020-35459 page https://www.suse.com/security/cve/CVE-2021-25314/ SUSE CVE CVE-2021-25314 page Image SLES12-SP5-Azure-SAP-BYOS Image SLES12-SP5-Azure-SAP-On-Demand Image SLES12-SP5-EC2-SAP-BYOS Image SLES12-SP5-EC2-SAP-On-Demand Image SLES12-SP5-GCE-SAP-BYOS Image SLES12-SP5-GCE-SAP-On-Demand Image SLES12-SP5-OCI-BYOS-SAP-BYOS Image SLES12-SP5-SAP-Azure-LI-BYOS-Production Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production SUSE Linux Enterprise High Availability Extension 12 SP4 SUSE Linux Enterprise High Availability Extension 12 SP5 hawk2-2.6.3+git.1614685906.812c31e9-3.30.1 hawk2-2.6.3+git.1614685906.812c31e9-3.30.1 as a component of Image SLES12-SP5-Azure-SAP-BYOS hawk2-2.6.3+git.1614685906.812c31e9-3.30.1 as a component of Image SLES12-SP5-Azure-SAP-On-Demand hawk2-2.6.3+git.1614685906.812c31e9-3.30.1 as a component of Image SLES12-SP5-EC2-SAP-BYOS hawk2-2.6.3+git.1614685906.812c31e9-3.30.1 as a component of Image SLES12-SP5-EC2-SAP-On-Demand hawk2-2.6.3+git.1614685906.812c31e9-3.30.1 as a component of Image SLES12-SP5-GCE-SAP-BYOS hawk2-2.6.3+git.1614685906.812c31e9-3.30.1 as a component of Image SLES12-SP5-GCE-SAP-On-Demand hawk2-2.6.3+git.1614685906.812c31e9-3.30.1 as a component of Image SLES12-SP5-OCI-BYOS-SAP-BYOS hawk2-2.6.3+git.1614685906.812c31e9-3.30.1 as a component of Image SLES12-SP5-SAP-Azure-LI-BYOS-Production hawk2-2.6.3+git.1614685906.812c31e9-3.30.1 as a component of Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production hawk2-2.6.3+git.1614685906.812c31e9-3.30.1 as a component of SUSE Linux Enterprise High Availability Extension 12 SP4 hawk2-2.6.3+git.1614685906.812c31e9-3.30.1 as a component of SUSE Linux Enterprise High Availability Extension 12 SP5 An issue was discovered in ClusterLabs crmsh through 4.2.1. Local attackers able to call "crm history" (when "crm" is run) were able to execute commands via shell code injection to the crm history commandline, potentially allowing escalation of privileges. CVE-2020-35459 Image SLES12-SP5-Azure-SAP-BYOS:hawk2-2.6.3+git.1614685906.812c31e9-3.30.1 Image SLES12-SP5-Azure-SAP-On-Demand:hawk2-2.6.3+git.1614685906.812c31e9-3.30.1 Image SLES12-SP5-EC2-SAP-BYOS:hawk2-2.6.3+git.1614685906.812c31e9-3.30.1 Image SLES12-SP5-EC2-SAP-On-Demand:hawk2-2.6.3+git.1614685906.812c31e9-3.30.1 Image SLES12-SP5-GCE-SAP-BYOS:hawk2-2.6.3+git.1614685906.812c31e9-3.30.1 Image SLES12-SP5-GCE-SAP-On-Demand:hawk2-2.6.3+git.1614685906.812c31e9-3.30.1 Image SLES12-SP5-OCI-BYOS-SAP-BYOS:hawk2-2.6.3+git.1614685906.812c31e9-3.30.1 Image SLES12-SP5-SAP-Azure-LI-BYOS-Production:hawk2-2.6.3+git.1614685906.812c31e9-3.30.1 Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production:hawk2-2.6.3+git.1614685906.812c31e9-3.30.1 SUSE Linux Enterprise High Availability Extension 12 SP4:hawk2-2.6.3+git.1614685906.812c31e9-3.30.1 SUSE Linux Enterprise High Availability Extension 12 SP5:hawk2-2.6.3+git.1614685906.812c31e9-3.30.1 important 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20210942-1/ https://www.suse.com/security/cve/CVE-2020-35459.html CVE-2020-35459 https://bugzilla.suse.com/1179999 SUSE Bug 1179999 A Creation of Temporary File With Insecure Permissions vulnerability in hawk2 of SUSE Linux Enterprise High Availability 12-SP3, SUSE Linux Enterprise High Availability 12-SP5, SUSE Linux Enterprise High Availability 15-SP2 allows local attackers to escalate to root. This issue affects: SUSE Linux Enterprise High Availability 12-SP3 hawk2 versions prior to 2.6.3+git.1614685906.812c31e9. SUSE Linux Enterprise High Availability 12-SP5 hawk2 versions prior to 2.6.3+git.1614685906.812c31e9. SUSE Linux Enterprise High Availability 15-SP2 hawk2 versions prior to 2.6.3+git.1614684118.af555ad9. CVE-2021-25314 Image SLES12-SP5-Azure-SAP-BYOS:hawk2-2.6.3+git.1614685906.812c31e9-3.30.1 Image SLES12-SP5-Azure-SAP-On-Demand:hawk2-2.6.3+git.1614685906.812c31e9-3.30.1 Image SLES12-SP5-EC2-SAP-BYOS:hawk2-2.6.3+git.1614685906.812c31e9-3.30.1 Image SLES12-SP5-EC2-SAP-On-Demand:hawk2-2.6.3+git.1614685906.812c31e9-3.30.1 Image SLES12-SP5-GCE-SAP-BYOS:hawk2-2.6.3+git.1614685906.812c31e9-3.30.1 Image SLES12-SP5-GCE-SAP-On-Demand:hawk2-2.6.3+git.1614685906.812c31e9-3.30.1 Image SLES12-SP5-OCI-BYOS-SAP-BYOS:hawk2-2.6.3+git.1614685906.812c31e9-3.30.1 Image SLES12-SP5-SAP-Azure-LI-BYOS-Production:hawk2-2.6.3+git.1614685906.812c31e9-3.30.1 Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production:hawk2-2.6.3+git.1614685906.812c31e9-3.30.1 SUSE Linux Enterprise High Availability Extension 12 SP4:hawk2-2.6.3+git.1614685906.812c31e9-3.30.1 SUSE Linux Enterprise High Availability Extension 12 SP5:hawk2-2.6.3+git.1614685906.812c31e9-3.30.1 important 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20210942-1/ https://www.suse.com/security/cve/CVE-2021-25314.html CVE-2021-25314 https://bugzilla.suse.com/1182166 SUSE Bug 1182166 https://bugzilla.suse.com/1183693 SUSE Bug 1183693