Security update for cobbler SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2018:1736-1 Final 1 1 2018-06-19T13:50:31Z current 2018-06-19T13:50:31Z 2018-06-19T13:50:31Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for cobbler This update for cobbler fixes the following issues: The following security issue has been fixed: - CVE-2017-1000469: Escape shell parameters provided by the user for the reposync action. (bsc#1074594) Additionally, the following non-security issues have been fixed: - Fix signature for SLES15. (bsc#1075014) - Detect if there is already another instance of 'cobbler sync' running and exit with failure if so. (bsc#1081714) - Add SLES 15 distro profile. (bsc#1090205) - Require tftp(server) instead of atftp. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). HPE-Helion-OpenStack-8-2018-1177,SUSE-OpenStack-Cloud-8-2018-1177,SUSE-SLE-Manager-Tools-12-2018-1177,SUSE-SUSE-Manager-Server-3.0-2018-1177 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2018/suse-su-20181736-1/ Link for SUSE-SU-2018:1736-1 https://lists.suse.com/pipermail/sle-security-updates/2018-June/004196.html E-Mail link for SUSE-SU-2018:1736-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1074594 SUSE Bug 1074594 https://bugzilla.suse.com/1075014 SUSE Bug 1075014 https://bugzilla.suse.com/1081714 SUSE Bug 1081714 https://bugzilla.suse.com/1090205 SUSE Bug 1090205 https://www.suse.com/security/cve/CVE-2017-1000469/ SUSE CVE CVE-2017-1000469 page HPE Helion OpenStack 8 SUSE Manager Client Tools 12 SUSE Manager Server 3.0 SUSE OpenStack Cloud 8 cobbler-2.6.6-49.9.1 koan-2.6.6-49.9.1 cobbler-2.6.6-49.9.1 as a component of HPE Helion OpenStack 8 koan-2.6.6-49.9.1 as a component of SUSE Manager Client Tools 12 cobbler-2.6.6-49.9.1 as a component of SUSE Manager Server 3.0 cobbler-2.6.6-49.9.1 as a component of SUSE OpenStack Cloud 8 Cobbler version up to 2.8.2 is vulnerable to a command injection vulnerability in the "add repo" component resulting in arbitrary code execution as root user. CVE-2017-1000469 HPE Helion OpenStack 8:cobbler-2.6.6-49.9.1 SUSE Manager Client Tools 12:koan-2.6.6-49.9.1 SUSE Manager Server 3.0:cobbler-2.6.6-49.9.1 SUSE OpenStack Cloud 8:cobbler-2.6.6-49.9.1 moderate 10 AV:N/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20181736-1/ https://www.suse.com/security/cve/CVE-2017-1000469.html CVE-2017-1000469 https://bugzilla.suse.com/1074594 SUSE Bug 1074594