Security update for rmt-server SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2023:2295-1 Final 1 1 2023-05-25T07:56:07Z current 2023-05-25T07:56:07Z 2023-05-25T07:56:07Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for rmt-server This update for rmt-server fixes the following issues: Updated to version 2.13: - CVE-2023-28120: Fixed a potential XSS issue in an embedded dependency (bsc#1209507). - CVE-2023-27530: Fixed a denial of service issue in multipart request parsing (bsc#1209096). Non-security fixes: - Fixed transactional update on GCE (bsc#1211398). - Use HTTPS in rmt-client-setup-res (bsc#1209825). - Various build fixes (bsc#1207670, bsc#1203171, bsc#1206593, bsc#1202053). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2023-2295,SUSE-SLE-Module-Public-Cloud-15-SP4-2023-2295,SUSE-SLE-Module-Server-Applications-15-SP4-2023-2295,openSUSE-SLE-15.4-2023-2295 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2023/suse-su-20232295-1/ Link for SUSE-SU-2023:2295-1 https://lists.suse.com/pipermail/sle-security-updates/2023-May/014983.html E-Mail link for SUSE-SU-2023:2295-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1202053 SUSE Bug 1202053 https://bugzilla.suse.com/1203171 SUSE Bug 1203171 https://bugzilla.suse.com/1206593 SUSE Bug 1206593 https://bugzilla.suse.com/1207670 SUSE Bug 1207670 https://bugzilla.suse.com/1209096 SUSE Bug 1209096 https://bugzilla.suse.com/1209507 SUSE Bug 1209507 https://bugzilla.suse.com/1209825 SUSE Bug 1209825 https://bugzilla.suse.com/1211398 SUSE Bug 1211398 https://www.suse.com/security/cve/CVE-2023-27530/ SUSE CVE CVE-2023-27530 page https://www.suse.com/security/cve/CVE-2023-28120/ SUSE CVE CVE-2023-28120 page SUSE Linux Enterprise Module for Public Cloud 15 SP4 SUSE Linux Enterprise Module for Server Applications 15 SP4 openSUSE Leap 15.4 rmt-server-2.13-150400.3.12.1 rmt-server-config-2.13-150400.3.12.1 rmt-server-pubcloud-2.13-150400.3.12.1 rmt-server-pubcloud-2.13-150400.3.12.1 as a component of SUSE Linux Enterprise Module for Public Cloud 15 SP4 rmt-server-2.13-150400.3.12.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP4 rmt-server-config-2.13-150400.3.12.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP4 rmt-server-2.13-150400.3.12.1 as a component of openSUSE Leap 15.4 rmt-server-config-2.13-150400.3.12.1 as a component of openSUSE Leap 15.4 rmt-server-pubcloud-2.13-150400.3.12.1 as a component of openSUSE Leap 15.4 A DoS vulnerability exists in Rack <v3.0.4.2, <v2.2.6.3, <v2.1.4.3 and <v2.0.9.3 within in the Multipart MIME parsing code in which could allow an attacker to craft requests that can be abuse to cause multipart parsing to take longer than expected. CVE-2023-27530 SUSE Linux Enterprise Module for Public Cloud 15 SP4:rmt-server-pubcloud-2.13-150400.3.12.1 SUSE Linux Enterprise Module for Server Applications 15 SP4:rmt-server-2.13-150400.3.12.1 SUSE Linux Enterprise Module for Server Applications 15 SP4:rmt-server-config-2.13-150400.3.12.1 openSUSE Leap 15.4:rmt-server-2.13-150400.3.12.1 openSUSE Leap 15.4:rmt-server-config-2.13-150400.3.12.1 openSUSE Leap 15.4:rmt-server-pubcloud-2.13-150400.3.12.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20232295-1/ https://www.suse.com/security/cve/CVE-2023-27530.html CVE-2023-27530 https://bugzilla.suse.com/1209095 SUSE Bug 1209095 There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input. CVE-2023-28120 SUSE Linux Enterprise Module for Public Cloud 15 SP4:rmt-server-pubcloud-2.13-150400.3.12.1 SUSE Linux Enterprise Module for Server Applications 15 SP4:rmt-server-2.13-150400.3.12.1 SUSE Linux Enterprise Module for Server Applications 15 SP4:rmt-server-config-2.13-150400.3.12.1 openSUSE Leap 15.4:rmt-server-2.13-150400.3.12.1 openSUSE Leap 15.4:rmt-server-config-2.13-150400.3.12.1 openSUSE Leap 15.4:rmt-server-pubcloud-2.13-150400.3.12.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20232295-1/ https://www.suse.com/security/cve/CVE-2023-28120.html CVE-2023-28120 https://bugzilla.suse.com/1209505 SUSE Bug 1209505