Security update for pcp SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2020:0355-1 Final 1 1 2020-02-07T09:33:05Z current 2020-02-07T09:33:05Z 2020-02-07T09:33:05Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for pcp This update for pcp fixes the following issues: Security issue fixed: - CVE-2019-3695: Fixed a local privilege escalation of the pcp user during package update (bsc#1152763). Non-security issue fixed: - Fixed an dependency issue with pcp2csv (bsc#1129991). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2020-355,SUSE-SLE-Module-Development-Tools-15-SP1-2020-355,SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-355 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2020/suse-su-20200355-1/ Link for SUSE-SU-2020:0355-1 https://lists.suse.com/pipermail/sle-security-updates/2020-February/006467.html E-Mail link for SUSE-SU-2020:0355-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1129991 SUSE Bug 1129991 https://bugzilla.suse.com/1152763 SUSE Bug 1152763 https://bugzilla.suse.com/1153921 SUSE Bug 1153921 https://www.suse.com/security/cve/CVE-2019-3695/ SUSE CVE CVE-2019-3695 page https://www.suse.com/security/cve/CVE-2019-3696/ SUSE CVE CVE-2019-3696 page SUSE Linux Enterprise Module for Development Tools 15 SP1 libpcp-devel-4.3.1-3.5.3 libpcp3-4.3.1-3.5.3 libpcp_gui2-4.3.1-3.5.3 libpcp_import1-4.3.1-3.5.3 libpcp_mmv1-4.3.1-3.5.3 libpcp_trace2-4.3.1-3.5.3 libpcp_web1-4.3.1-3.5.3 pcp-4.3.1-3.5.3 pcp-conf-4.3.1-3.5.3 pcp-devel-4.3.1-3.5.3 pcp-doc-4.3.1-3.5.3 pcp-export-pcp2elasticsearch-4.3.1-3.5.3 pcp-export-pcp2graphite-4.3.1-3.5.3 pcp-export-pcp2influxdb-4.3.1-3.5.3 pcp-export-pcp2json-4.3.1-3.5.3 pcp-export-pcp2spark-4.3.1-3.5.3 pcp-export-pcp2xml-4.3.1-3.5.3 pcp-export-pcp2zabbix-4.3.1-3.5.3 pcp-export-zabbix-agent-4.3.1-3.5.3 pcp-gui-4.3.1-3.5.3 pcp-import-collectl2pcp-4.3.1-3.5.3 pcp-import-ganglia2pcp-4.3.1-3.5.3 pcp-import-iostat2pcp-4.3.1-3.5.3 pcp-import-mrtg2pcp-4.3.1-3.5.3 pcp-import-sar2pcp-4.3.1-3.5.3 pcp-manager-4.3.1-3.5.3 pcp-pmda-activemq-4.3.1-3.5.3 pcp-pmda-apache-4.3.1-3.5.3 pcp-pmda-bash-4.3.1-3.5.3 pcp-pmda-bind2-4.3.1-3.5.3 pcp-pmda-bonding-4.3.1-3.5.3 pcp-pmda-cifs-4.3.1-3.5.3 pcp-pmda-cisco-4.3.1-3.5.3 pcp-pmda-dbping-4.3.1-3.5.3 pcp-pmda-dm-4.3.1-3.5.3 pcp-pmda-docker-4.3.1-3.5.3 pcp-pmda-ds389-4.3.1-3.5.3 pcp-pmda-ds389log-4.3.1-3.5.3 pcp-pmda-elasticsearch-4.3.1-3.5.3 pcp-pmda-gfs2-4.3.1-3.5.3 pcp-pmda-gluster-4.3.1-3.5.3 pcp-pmda-gpfs-4.3.1-3.5.3 pcp-pmda-gpsd-4.3.1-3.5.3 pcp-pmda-haproxy-4.3.1-3.5.3 pcp-pmda-infiniband-4.3.1-3.5.3 pcp-pmda-json-4.3.1-3.5.3 pcp-pmda-lmsensors-4.3.1-3.5.3 pcp-pmda-logger-4.3.1-3.5.3 pcp-pmda-lustre-4.3.1-3.5.3 pcp-pmda-lustrecomm-4.3.1-3.5.3 pcp-pmda-mailq-4.3.1-3.5.3 pcp-pmda-memcache-4.3.1-3.5.3 pcp-pmda-mic-4.3.1-3.5.3 pcp-pmda-mounts-4.3.1-3.5.3 pcp-pmda-mysql-4.3.1-3.5.3 pcp-pmda-named-4.3.1-3.5.3 pcp-pmda-netfilter-4.3.1-3.5.3 pcp-pmda-news-4.3.1-3.5.3 pcp-pmda-nfsclient-4.3.1-3.5.3 pcp-pmda-nginx-4.3.1-3.5.3 pcp-pmda-nutcracker-4.3.1-3.5.3 pcp-pmda-nvidia-gpu-4.3.1-3.5.3 pcp-pmda-oracle-4.3.1-3.5.3 pcp-pmda-papi-4.3.1-3.5.3 pcp-pmda-pdns-4.3.1-3.5.3 pcp-pmda-perfevent-4.3.1-3.5.3 pcp-pmda-postfix-4.3.1-3.5.3 pcp-pmda-prometheus-4.3.1-3.5.3 pcp-pmda-redis-4.3.1-3.5.3 pcp-pmda-roomtemp-4.3.1-3.5.3 pcp-pmda-rpm-4.3.1-3.5.3 pcp-pmda-rsyslog-4.3.1-3.5.3 pcp-pmda-samba-4.3.1-3.5.3 pcp-pmda-sendmail-4.3.1-3.5.3 pcp-pmda-shping-4.3.1-3.5.3 pcp-pmda-slurm-4.3.1-3.5.3 pcp-pmda-smart-4.3.1-3.5.3 pcp-pmda-snmp-4.3.1-3.5.3 pcp-pmda-summary-4.3.1-3.5.3 pcp-pmda-systemd-4.3.1-3.5.3 pcp-pmda-trace-4.3.1-3.5.3 pcp-pmda-unbound-4.3.1-3.5.3 pcp-pmda-vmware-4.3.1-3.5.3 pcp-pmda-weblog-4.3.1-3.5.3 pcp-pmda-zimbra-4.3.1-3.5.3 pcp-pmda-zswap-4.3.1-3.5.3 pcp-system-tools-4.3.1-3.5.3 pcp-testsuite-4.3.1-3.5.3 pcp-webapi-4.3.1-3.5.3 pcp-zeroconf-4.3.1-3.5.3 perl-PCP-LogImport-4.3.1-3.5.3 perl-PCP-LogSummary-4.3.1-3.5.3 perl-PCP-MMV-4.3.1-3.5.3 perl-PCP-PMDA-4.3.1-3.5.3 python3-pcp-4.3.1-3.5.3 libpcp-devel-4.3.1-3.5.3 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP1 libpcp3-4.3.1-3.5.3 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP1 libpcp_gui2-4.3.1-3.5.3 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP1 libpcp_import1-4.3.1-3.5.3 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP1 libpcp_mmv1-4.3.1-3.5.3 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP1 libpcp_trace2-4.3.1-3.5.3 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP1 libpcp_web1-4.3.1-3.5.3 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP1 pcp-4.3.1-3.5.3 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP1 pcp-conf-4.3.1-3.5.3 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP1 pcp-devel-4.3.1-3.5.3 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP1 pcp-doc-4.3.1-3.5.3 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP1 pcp-import-iostat2pcp-4.3.1-3.5.3 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP1 pcp-import-mrtg2pcp-4.3.1-3.5.3 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP1 pcp-import-sar2pcp-4.3.1-3.5.3 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP1 pcp-pmda-perfevent-4.3.1-3.5.3 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP1 pcp-system-tools-4.3.1-3.5.3 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP1 perl-PCP-LogImport-4.3.1-3.5.3 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP1 perl-PCP-LogSummary-4.3.1-3.5.3 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP1 perl-PCP-MMV-4.3.1-3.5.3 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP1 perl-PCP-PMDA-4.3.1-3.5.3 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP1 python3-pcp-4.3.1-3.5.3 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP1 A Improper Control of Generation of Code vulnerability in the packaging of pcp of SUSE Linux Enterprise High Performance Computing 15-ESPOS, SUSE Linux Enterprise High Performance Computing 15-LTSS, SUSE Linux Enterprise Module for Development Tools 15, SUSE Linux Enterprise Module for Development Tools 15-SP1, SUSE Linux Enterprise Module for Open Buildservice Development Tools 15, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 15, SUSE Linux Enterprise Software Development Kit 12-SP4, SUSE Linux Enterprise Software Development Kit 12-SP5; openSUSE Leap 15.1 allows the user pcp to run code as root by placing it into /var/log/pcp/configs.sh This issue affects: SUSE Linux Enterprise High Performance Computing 15-ESPOS pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise High Performance Computing 15-LTSS pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise Module for Development Tools 15 pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise Module for Development Tools 15-SP1 pcp versions prior to 4.3.1-3.5.3. SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise Server 15-LTSS pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise Server for SAP 15 pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise Software Development Kit 12-SP4 pcp versions prior to 3.11.9-6.14.1. SUSE Linux Enterprise Software Development Kit 12-SP5 pcp versions prior to 3.11.9-6.14.1. openSUSE Leap 15.1 pcp versions prior to 4.3.1-lp151.2.3.1. CVE-2019-3695 SUSE Linux Enterprise Module for Development Tools 15 SP1:libpcp-devel-4.3.1-3.5.3 SUSE Linux Enterprise Module for Development Tools 15 SP1:libpcp3-4.3.1-3.5.3 SUSE Linux Enterprise Module for Development Tools 15 SP1:libpcp_gui2-4.3.1-3.5.3 SUSE Linux Enterprise Module for Development Tools 15 SP1:libpcp_import1-4.3.1-3.5.3 SUSE Linux Enterprise Module for Development Tools 15 SP1:libpcp_mmv1-4.3.1-3.5.3 SUSE Linux Enterprise Module for Development Tools 15 SP1:libpcp_trace2-4.3.1-3.5.3 SUSE Linux Enterprise Module for Development Tools 15 SP1:libpcp_web1-4.3.1-3.5.3 SUSE Linux Enterprise Module for Development Tools 15 SP1:pcp-4.3.1-3.5.3 SUSE Linux Enterprise Module for Development Tools 15 SP1:pcp-conf-4.3.1-3.5.3 SUSE Linux Enterprise Module for Development Tools 15 SP1:pcp-devel-4.3.1-3.5.3 SUSE Linux Enterprise Module for Development Tools 15 SP1:pcp-doc-4.3.1-3.5.3 SUSE Linux Enterprise Module for Development Tools 15 SP1:pcp-import-iostat2pcp-4.3.1-3.5.3 SUSE Linux Enterprise Module for Development Tools 15 SP1:pcp-import-mrtg2pcp-4.3.1-3.5.3 SUSE Linux Enterprise Module for Development Tools 15 SP1:pcp-import-sar2pcp-4.3.1-3.5.3 SUSE Linux Enterprise Module for Development Tools 15 SP1:pcp-pmda-perfevent-4.3.1-3.5.3 SUSE Linux Enterprise Module for Development Tools 15 SP1:pcp-system-tools-4.3.1-3.5.3 SUSE Linux Enterprise Module for Development Tools 15 SP1:perl-PCP-LogImport-4.3.1-3.5.3 SUSE Linux Enterprise Module for Development Tools 15 SP1:perl-PCP-LogSummary-4.3.1-3.5.3 SUSE Linux Enterprise Module for Development Tools 15 SP1:perl-PCP-MMV-4.3.1-3.5.3 SUSE Linux Enterprise Module for Development Tools 15 SP1:perl-PCP-PMDA-4.3.1-3.5.3 SUSE Linux Enterprise Module for Development Tools 15 SP1:python3-pcp-4.3.1-3.5.3 important 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2020/suse-su-20200355-1/ https://www.suse.com/security/cve/CVE-2019-3695.html CVE-2019-3695 https://bugzilla.suse.com/1152533 SUSE Bug 1152533 https://bugzilla.suse.com/1152763 SUSE Bug 1152763 https://bugzilla.suse.com/1154062 SUSE Bug 1154062 A Improper Limitation of a Pathname to a Restricted Directory vulnerability in the packaging of pcp of SUSE Linux Enterprise High Performance Computing 15-ESPOS, SUSE Linux Enterprise High Performance Computing 15-LTSS, SUSE Linux Enterprise Module for Development Tools 15, SUSE Linux Enterprise Module for Development Tools 15-SP1, SUSE Linux Enterprise Module for Open Buildservice Development Tools 15, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 15, SUSE Linux Enterprise Software Development Kit 12-SP4, SUSE Linux Enterprise Software Development Kit 12-SP5; openSUSE Leap 15.1 allows local user pcp to overwrite arbitrary files with arbitrary content. This issue affects: SUSE Linux Enterprise High Performance Computing 15-ESPOS pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise High Performance Computing 15-LTSS pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise Module for Development Tools 15 pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise Module for Development Tools 15-SP1 pcp versions prior to 4.3.1-3.5.3. SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise Server 15-LTSS pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise Server for SAP 15 pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise Software Development Kit 12-SP4 pcp versions prior to 3.11.9-6.14.1. SUSE Linux Enterprise Software Development Kit 12-SP5 pcp versions prior to 3.11.9-6.14.1. openSUSE Leap 15.1 pcp versions prior to 4.3.1-lp151.2.3.1. CVE-2019-3696 SUSE Linux Enterprise Module for Development Tools 15 SP1:libpcp-devel-4.3.1-3.5.3 SUSE Linux Enterprise Module for Development Tools 15 SP1:libpcp3-4.3.1-3.5.3 SUSE Linux Enterprise Module for Development Tools 15 SP1:libpcp_gui2-4.3.1-3.5.3 SUSE Linux Enterprise Module for Development Tools 15 SP1:libpcp_import1-4.3.1-3.5.3 SUSE Linux Enterprise Module for Development Tools 15 SP1:libpcp_mmv1-4.3.1-3.5.3 SUSE Linux Enterprise Module for Development Tools 15 SP1:libpcp_trace2-4.3.1-3.5.3 SUSE Linux Enterprise Module for Development Tools 15 SP1:libpcp_web1-4.3.1-3.5.3 SUSE Linux Enterprise Module for Development Tools 15 SP1:pcp-4.3.1-3.5.3 SUSE Linux Enterprise Module for Development Tools 15 SP1:pcp-conf-4.3.1-3.5.3 SUSE Linux Enterprise Module for Development Tools 15 SP1:pcp-devel-4.3.1-3.5.3 SUSE Linux Enterprise Module for Development Tools 15 SP1:pcp-doc-4.3.1-3.5.3 SUSE Linux Enterprise Module for Development Tools 15 SP1:pcp-import-iostat2pcp-4.3.1-3.5.3 SUSE Linux Enterprise Module for Development Tools 15 SP1:pcp-import-mrtg2pcp-4.3.1-3.5.3 SUSE Linux Enterprise Module for Development Tools 15 SP1:pcp-import-sar2pcp-4.3.1-3.5.3 SUSE Linux Enterprise Module for Development Tools 15 SP1:pcp-pmda-perfevent-4.3.1-3.5.3 SUSE Linux Enterprise Module for Development Tools 15 SP1:pcp-system-tools-4.3.1-3.5.3 SUSE Linux Enterprise Module for Development Tools 15 SP1:perl-PCP-LogImport-4.3.1-3.5.3 SUSE Linux Enterprise Module for Development Tools 15 SP1:perl-PCP-LogSummary-4.3.1-3.5.3 SUSE Linux Enterprise Module for Development Tools 15 SP1:perl-PCP-MMV-4.3.1-3.5.3 SUSE Linux Enterprise Module for Development Tools 15 SP1:perl-PCP-PMDA-4.3.1-3.5.3 SUSE Linux Enterprise Module for Development Tools 15 SP1:python3-pcp-4.3.1-3.5.3 important 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2020/suse-su-20200355-1/ https://www.suse.com/security/cve/CVE-2019-3696.html CVE-2019-3696 https://bugzilla.suse.com/1152533 SUSE Bug 1152533 https://bugzilla.suse.com/1153921 SUSE Bug 1153921 https://bugzilla.suse.com/1154062 SUSE Bug 1154062