Security update for augeas SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2018:0650-1 Final 1 1 2018-03-09T13:05:35Z current 2018-03-09T13:05:35Z 2018-03-09T13:05:35Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for augeas This update for augeas fixes the following issues: Security issue fixed: - CVE-2017-7555: Fix a memory corruption bug could have lead to arbitrary code execution by passing crafted strings that would be mis-handled by parse_name() (bsc#1054171). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-CAASP-ALL-2018-439,SUSE-SLE-DESKTOP-12-SP3-2018-439,SUSE-SLE-SDK-12-SP3-2018-439,SUSE-SLE-SERVER-12-SP3-2018-439 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2018/suse-su-20180650-1/ Link for SUSE-SU-2018:0650-1 https://lists.suse.com/pipermail/sle-security-updates/2018-March/003799.html E-Mail link for SUSE-SU-2018:0650-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1054171 SUSE Bug 1054171 https://www.suse.com/security/cve/CVE-2017-7555/ SUSE CVE CVE-2017-7555 page SUSE Linux Enterprise Desktop 12 SP3 SUSE Linux Enterprise Server 12 SP3 SUSE Linux Enterprise Server for SAP Applications 12 SP3 SUSE Linux Enterprise Software Development Kit 12 SP3 augeas-1.2.0-17.3.1 augeas-lenses-1.2.0-17.3.1 libaugeas0-1.2.0-17.3.1 augeas-devel-1.2.0-17.3.1 augeas-1.2.0-17.3.1 as a component of SUSE Linux Enterprise Desktop 12 SP3 augeas-lenses-1.2.0-17.3.1 as a component of SUSE Linux Enterprise Desktop 12 SP3 libaugeas0-1.2.0-17.3.1 as a component of SUSE Linux Enterprise Desktop 12 SP3 augeas-1.2.0-17.3.1 as a component of SUSE Linux Enterprise Server 12 SP3 augeas-lenses-1.2.0-17.3.1 as a component of SUSE Linux Enterprise Server 12 SP3 libaugeas0-1.2.0-17.3.1 as a component of SUSE Linux Enterprise Server 12 SP3 augeas-1.2.0-17.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP3 augeas-lenses-1.2.0-17.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP3 libaugeas0-1.2.0-17.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP3 augeas-devel-1.2.0-17.3.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP3 Augeas versions up to and including 1.8.0 are vulnerable to heap-based buffer overflow due to improper handling of escaped strings. Attacker could send crafted strings that would cause the application using augeas to copy past the end of a buffer, leading to a crash or possible code execution. CVE-2017-7555 SUSE Linux Enterprise Desktop 12 SP3:augeas-1.2.0-17.3.1 SUSE Linux Enterprise Desktop 12 SP3:augeas-lenses-1.2.0-17.3.1 SUSE Linux Enterprise Desktop 12 SP3:libaugeas0-1.2.0-17.3.1 SUSE Linux Enterprise Server 12 SP3:augeas-1.2.0-17.3.1 SUSE Linux Enterprise Server 12 SP3:augeas-lenses-1.2.0-17.3.1 SUSE Linux Enterprise Server 12 SP3:libaugeas0-1.2.0-17.3.1 SUSE Linux Enterprise Server for SAP Applications 12 SP3:augeas-1.2.0-17.3.1 SUSE Linux Enterprise Server for SAP Applications 12 SP3:augeas-lenses-1.2.0-17.3.1 SUSE Linux Enterprise Server for SAP Applications 12 SP3:libaugeas0-1.2.0-17.3.1 SUSE Linux Enterprise Software Development Kit 12 SP3:augeas-devel-1.2.0-17.3.1 low 6.4 AV:N/AC:L/Au:N/C:N/I:P/A:P 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20180650-1/ https://www.suse.com/security/cve/CVE-2017-7555.html CVE-2017-7555 https://bugzilla.suse.com/1054171 SUSE Bug 1054171