Security update for inn SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:0845-1 Final 1 1 2021-06-06T22:06:06Z current 2021-06-06T22:06:06Z 2021-06-06T22:06:06Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for inn This update for inn fixes the following issues: - CVE-2021-31998: change user to news before calling innupgrade, which could have allow local privilege escalation. [boo#1182321] This update was imported from the openSUSE:Leap:15.2:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2021-845 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/L66SY5KJMRBUJVLIGSLIQAWIALH62ZA2/ E-Mail link for openSUSE-SU-2021:0845-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1182321 SUSE Bug 1182321 https://www.suse.com/security/cve/CVE-2021-31998/ SUSE CVE CVE-2021-31998 page SUSE Package Hub 15 SP2 inn-2.6.2-bp152.2.8.1 inn-devel-2.6.2-bp152.2.8.1 mininews-2.6.2-bp152.2.8.1 inn-2.6.2-bp152.2.8.1 as a component of SUSE Package Hub 15 SP2 inn-devel-2.6.2-bp152.2.8.1 as a component of SUSE Package Hub 15 SP2 mininews-2.6.2-bp152.2.8.1 as a component of SUSE Package Hub 15 SP2 A Incorrect Default Permissions vulnerability in the packaging of inn of SUSE Linux Enterprise Server 11-SP3; openSUSE Backports SLE-15-SP2, openSUSE Leap 15.2 allows local attackers to escalate their privileges from the news user to root. This issue affects: SUSE Linux Enterprise Server 11-SP3 inn version inn-2.4.2-170.21.3.1 and prior versions. openSUSE Backports SLE-15-SP2 inn versions prior to 2.6.2. openSUSE Leap 15.2 inn versions prior to 2.6.2. CVE-2021-31998 SUSE Package Hub 15 SP2:inn-2.6.2-bp152.2.8.1 SUSE Package Hub 15 SP2:inn-devel-2.6.2-bp152.2.8.1 SUSE Package Hub 15 SP2:mininews-2.6.2-bp152.2.8.1 important 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/L66SY5KJMRBUJVLIGSLIQAWIALH62ZA2/ https://www.suse.com/security/cve/CVE-2021-31998.html CVE-2021-31998 https://bugzilla.suse.com/1182321 SUSE Bug 1182321 https://bugzilla.suse.com/1189836 SUSE Bug 1189836