Security update for rmt-server SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2023:2280-1 Final 1 1 2023-05-24T07:55:54Z current 2023-05-24T07:55:54Z 2023-05-24T07:55:54Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for rmt-server This update for rmt-server fixes the following issues: Updated to version 2.13: - CVE-2023-28120: Fixed a potential XSS issue in an embedded dependency (bsc#1209507). - CVE-2023-27530: Fixed a denial of service issue in multipart request parsing (bsc#1209096). Non-security fixes: - Fixed transactional update on GCE (bsc#1211398). - Use HTTPS in rmt-client-setup-res (bsc#1209825). - Various build fixes (bsc#1207670, bsc#1203171, bsc#1206593, bsc#1202053). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2023-2280,SUSE-SLE-Module-Public-Cloud-15-SP3-2023-2280,SUSE-SLE-Product-HPC-15-SP3-ESPOS-2023-2280,SUSE-SLE-Product-HPC-15-SP3-LTSS-2023-2280,SUSE-SLE-Product-RT-15-SP3-2023-2280,SUSE-SLE-Product-SLES-15-SP3-LTSS-2023-2280,SUSE-SLE-Product-SLES_SAP-15-SP3-2023-2280,SUSE-SLE-Product-SUSE-Manager-Proxy-4.2-2023-2280,SUSE-SLE-Product-SUSE-Manager-Server-4.2-2023-2280,SUSE-Storage-7.1-2023-2280 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2023/suse-su-20232280-1/ Link for SUSE-SU-2023:2280-1 https://lists.suse.com/pipermail/sle-security-updates/2023-May/014955.html E-Mail link for SUSE-SU-2023:2280-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1202053 SUSE Bug 1202053 https://bugzilla.suse.com/1203171 SUSE Bug 1203171 https://bugzilla.suse.com/1206593 SUSE Bug 1206593 https://bugzilla.suse.com/1207670 SUSE Bug 1207670 https://bugzilla.suse.com/1209096 SUSE Bug 1209096 https://bugzilla.suse.com/1209507 SUSE Bug 1209507 https://bugzilla.suse.com/1209825 SUSE Bug 1209825 https://bugzilla.suse.com/1211398 SUSE Bug 1211398 https://www.suse.com/security/cve/CVE-2023-27530/ SUSE CVE CVE-2023-27530 page https://www.suse.com/security/cve/CVE-2023-28120/ SUSE CVE CVE-2023-28120 page SUSE Enterprise Storage 7.1 SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS SUSE Linux Enterprise Module for Public Cloud 15 SP3 SUSE Linux Enterprise Real Time 15 SP3 SUSE Linux Enterprise Server 15 SP3-LTSS SUSE Linux Enterprise Server for SAP Applications 15 SP3 SUSE Manager Proxy 4.2 SUSE Manager Server 4.2 rmt-server-2.13-150300.3.24.1 rmt-server-config-2.13-150300.3.24.1 rmt-server-pubcloud-2.13-150300.3.24.1 rmt-server-2.13-150300.3.24.1 as a component of SUSE Enterprise Storage 7.1 rmt-server-config-2.13-150300.3.24.1 as a component of SUSE Enterprise Storage 7.1 rmt-server-2.13-150300.3.24.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS rmt-server-config-2.13-150300.3.24.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS rmt-server-2.13-150300.3.24.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS rmt-server-config-2.13-150300.3.24.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS rmt-server-pubcloud-2.13-150300.3.24.1 as a component of SUSE Linux Enterprise Module for Public Cloud 15 SP3 rmt-server-2.13-150300.3.24.1 as a component of SUSE Linux Enterprise Real Time 15 SP3 rmt-server-config-2.13-150300.3.24.1 as a component of SUSE Linux Enterprise Real Time 15 SP3 rmt-server-2.13-150300.3.24.1 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS rmt-server-config-2.13-150300.3.24.1 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS rmt-server-2.13-150300.3.24.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 rmt-server-config-2.13-150300.3.24.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 rmt-server-2.13-150300.3.24.1 as a component of SUSE Manager Proxy 4.2 rmt-server-config-2.13-150300.3.24.1 as a component of SUSE Manager Proxy 4.2 rmt-server-2.13-150300.3.24.1 as a component of SUSE Manager Server 4.2 rmt-server-config-2.13-150300.3.24.1 as a component of SUSE Manager Server 4.2 A DoS vulnerability exists in Rack <v3.0.4.2, <v2.2.6.3, <v2.1.4.3 and <v2.0.9.3 within in the Multipart MIME parsing code in which could allow an attacker to craft requests that can be abuse to cause multipart parsing to take longer than expected. CVE-2023-27530 SUSE Enterprise Storage 7.1:rmt-server-2.13-150300.3.24.1 SUSE Enterprise Storage 7.1:rmt-server-config-2.13-150300.3.24.1 SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:rmt-server-2.13-150300.3.24.1 SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:rmt-server-config-2.13-150300.3.24.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:rmt-server-2.13-150300.3.24.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:rmt-server-config-2.13-150300.3.24.1 SUSE Linux Enterprise Module for Public Cloud 15 SP3:rmt-server-pubcloud-2.13-150300.3.24.1 SUSE Linux Enterprise Real Time 15 SP3:rmt-server-2.13-150300.3.24.1 SUSE Linux Enterprise Real Time 15 SP3:rmt-server-config-2.13-150300.3.24.1 SUSE Linux Enterprise Server 15 SP3-LTSS:rmt-server-2.13-150300.3.24.1 SUSE Linux Enterprise Server 15 SP3-LTSS:rmt-server-config-2.13-150300.3.24.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:rmt-server-2.13-150300.3.24.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:rmt-server-config-2.13-150300.3.24.1 SUSE Manager Proxy 4.2:rmt-server-2.13-150300.3.24.1 SUSE Manager Proxy 4.2:rmt-server-config-2.13-150300.3.24.1 SUSE Manager Server 4.2:rmt-server-2.13-150300.3.24.1 SUSE Manager Server 4.2:rmt-server-config-2.13-150300.3.24.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20232280-1/ https://www.suse.com/security/cve/CVE-2023-27530.html CVE-2023-27530 https://bugzilla.suse.com/1209095 SUSE Bug 1209095 There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input. CVE-2023-28120 SUSE Enterprise Storage 7.1:rmt-server-2.13-150300.3.24.1 SUSE Enterprise Storage 7.1:rmt-server-config-2.13-150300.3.24.1 SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:rmt-server-2.13-150300.3.24.1 SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:rmt-server-config-2.13-150300.3.24.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:rmt-server-2.13-150300.3.24.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:rmt-server-config-2.13-150300.3.24.1 SUSE Linux Enterprise Module for Public Cloud 15 SP3:rmt-server-pubcloud-2.13-150300.3.24.1 SUSE Linux Enterprise Real Time 15 SP3:rmt-server-2.13-150300.3.24.1 SUSE Linux Enterprise Real Time 15 SP3:rmt-server-config-2.13-150300.3.24.1 SUSE Linux Enterprise Server 15 SP3-LTSS:rmt-server-2.13-150300.3.24.1 SUSE Linux Enterprise Server 15 SP3-LTSS:rmt-server-config-2.13-150300.3.24.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:rmt-server-2.13-150300.3.24.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:rmt-server-config-2.13-150300.3.24.1 SUSE Manager Proxy 4.2:rmt-server-2.13-150300.3.24.1 SUSE Manager Proxy 4.2:rmt-server-config-2.13-150300.3.24.1 SUSE Manager Server 4.2:rmt-server-2.13-150300.3.24.1 SUSE Manager Server 4.2:rmt-server-config-2.13-150300.3.24.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20232280-1/ https://www.suse.com/security/cve/CVE-2023-28120.html CVE-2023-28120 https://bugzilla.suse.com/1209505 SUSE Bug 1209505