Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2018-3760 (GCVE-0-2018-3760)
Vulnerability from cvelistv5 – Published: 2018-06-26 19:00 – Updated: 2024-09-16 18:39
VLAI
EPSS
Summary
There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exists on the filesystem that is outside an application's root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately.
Severity
7.5 (High)
CWE
- CWE-22 - Path Traversal (CWE-22)
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://github.com/rails/sprockets/commit/c09131c… | x_refsource_MISC |
| https://access.redhat.com/errata/RHSA-2018:2745 | vendor-advisoryx_refsource_REDHAT |
| https://groups.google.com/d/msg/rubyonrails-secur… | x_refsource_MISC |
| https://access.redhat.com/errata/RHSA-2018:2244 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2018:2561 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2018:2245 | vendor-advisoryx_refsource_REDHAT |
| https://www.debian.org/security/2018/dsa-4242 | vendor-advisoryx_refsource_DEBIAN |
Impacted products
Date Public
2018-06-19 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T04:50:30.511Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/rails/sprockets/commit/c09131cf5b2c479263939c8582e22b98ed616c5fhttps://github.com/rails/sprockets/commit/9c34fa05900b968d74f08ccf40917848a7be9441https://github.com/rails/sprockets/commit/18b8a7f07a50c245e9aee7854ecdbe606bbd8bb5"
},
{
"name": "RHSA-2018:2745",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2745"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://groups.google.com/d/msg/rubyonrails-security/ft_J--l55fM/7roDfQ50BwAJ"
},
{
"name": "RHSA-2018:2244",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2244"
},
{
"name": "RHSA-2018:2561",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2561"
},
{
"name": "RHSA-2018:2245",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2245"
},
{
"name": "DSA-4242",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2018/dsa-4242"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Sprockets",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "4.0.0.beta8, 3.7.2, 2.12.5"
}
]
}
],
"datePublic": "2018-06-19T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exists on the filesystem that is outside an application\u0027s root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Path Traversal (CWE-22)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-09-27T09:57:01.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rails/sprockets/commit/c09131cf5b2c479263939c8582e22b98ed616c5fhttps://github.com/rails/sprockets/commit/9c34fa05900b968d74f08ccf40917848a7be9441https://github.com/rails/sprockets/commit/18b8a7f07a50c245e9aee7854ecdbe606bbd8bb5"
},
{
"name": "RHSA-2018:2745",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2745"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://groups.google.com/d/msg/rubyonrails-security/ft_J--l55fM/7roDfQ50BwAJ"
},
{
"name": "RHSA-2018:2244",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2244"
},
{
"name": "RHSA-2018:2561",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2561"
},
{
"name": "RHSA-2018:2245",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2245"
},
{
"name": "DSA-4242",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2018/dsa-4242"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"DATE_PUBLIC": "2018-06-19T00:00:00",
"ID": "CVE-2018-3760",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Sprockets",
"version": {
"version_data": [
{
"version_value": "4.0.0.beta8, 3.7.2, 2.12.5"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exists on the filesystem that is outside an application\u0027s root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Path Traversal (CWE-22)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/rails/sprockets/commit/c09131cf5b2c479263939c8582e22b98ed616c5fhttps://github.com/rails/sprockets/commit/9c34fa05900b968d74f08ccf40917848a7be9441https://github.com/rails/sprockets/commit/18b8a7f07a50c245e9aee7854ecdbe606bbd8bb5",
"refsource": "MISC",
"url": "https://github.com/rails/sprockets/commit/c09131cf5b2c479263939c8582e22b98ed616c5fhttps://github.com/rails/sprockets/commit/9c34fa05900b968d74f08ccf40917848a7be9441https://github.com/rails/sprockets/commit/18b8a7f07a50c245e9aee7854ecdbe606bbd8bb5"
},
{
"name": "RHSA-2018:2745",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:2745"
},
{
"name": "https://groups.google.com/d/msg/rubyonrails-security/ft_J--l55fM/7roDfQ50BwAJ",
"refsource": "MISC",
"url": "https://groups.google.com/d/msg/rubyonrails-security/ft_J--l55fM/7roDfQ50BwAJ"
},
{
"name": "RHSA-2018:2244",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:2244"
},
{
"name": "RHSA-2018:2561",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:2561"
},
{
"name": "RHSA-2018:2245",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:2245"
},
{
"name": "DSA-4242",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2018/dsa-4242"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2018-3760",
"datePublished": "2018-06-26T19:00:00.000Z",
"dateReserved": "2017-12-28T00:00:00.000Z",
"dateUpdated": "2024-09-16T18:39:20.968Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2018-3760",
"date": "2026-06-04",
"epss": "0.93887",
"percentile": "0.99883"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2018-3760\",\"sourceIdentifier\":\"support@hackerone.com\",\"published\":\"2018-06-26T19:29:00.343\",\"lastModified\":\"2024-11-21T04:06:01.503\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exists on the filesystem that is outside an application\u0027s root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately.\"},{\"lang\":\"es\",\"value\":\"Existe una vulnerabilidad de fuga de informaci\u00f3n en Sprockets. Versiones afectadas: 4.0.0.beta7 y anteriores, 3.7.1 y anteriores y 2.12.4 y anteriores. Las peticiones especialmente manipuladas se pueden utilizar para acceder a archivos que existen en el sistema de archivos que est\u00e1 fuera del directorio root de la aplicaci\u00f3n, cuando el servidor de Sprockets se utiliza en producci\u00f3n. Todos los usuarios que ejecuten una distribuci\u00f3n afectada deben actualizarla o utilizar una de las alternativas inmediatamente.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:N/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":true,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"support@hackerone.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:cloudforms:4.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"32E1BA91-4695-4E64-A9D7-4A6CB6904D41\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:cloudforms:4.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"67F7263F-113D-4BAE-B8CB-86A61531A2AC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux:6.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"84FF61DF-D634-4FB5-8DF1-01F631BE1A7A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"142AD0DD-4CF3-4D74-9442-459CE3347E3A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux:7.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B99A2411-7F6A-457F-A7BF-EB13C630F902\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux:7.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"041F9200-4C01-4187-AE34-240E8277B54D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux:7.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4EB48767-F095-444F-9E05-D9AC345AB803\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux:7.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5F6FA12B-504C-4DBF-A32E-0548557AA2ED\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sprockets_project:sprockets:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.0.0\",\"versionEndIncluding\":\"2.12.4\",\"matchCriteriaId\":\"679411A0-8348-42CE-9077-11E82FADA9FC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sprockets_project:sprockets:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.0.0\",\"versionEndIncluding\":\"3.7.1\",\"matchCriteriaId\":\"6ADAEC05-67A2-4861-A986-4C0A4428EAA8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sprockets_project:sprockets:4.0.0:beta1:*:*:*:*:*:*\",\"matchCriteriaId\":\"E476722A-DCFD-427D-8F67-3C2A996817EC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sprockets_project:sprockets:4.0.0:beta2:*:*:*:*:*:*\",\"matchCriteriaId\":\"7D018749-4416-4ADA-B701-892F3581F31A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sprockets_project:sprockets:4.0.0:beta3:*:*:*:*:*:*\",\"matchCriteriaId\":\"3248E9DE-D943-48E3-B611-A65E351C79ED\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sprockets_project:sprockets:4.0.0:beta4:*:*:*:*:*:*\",\"matchCriteriaId\":\"A82607FD-015B-4740-9950-EE783A79C4F3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sprockets_project:sprockets:4.0.0:beta5:*:*:*:*:*:*\",\"matchCriteriaId\":\"EBCEA292-1CD8-45D6-A495-2085F40B9423\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sprockets_project:sprockets:4.0.0:beta6:*:*:*:*:*:*\",\"matchCriteriaId\":\"79C7FBAE-F4C2-458A-AD65-CC85A956F93F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sprockets_project:sprockets:4.0.0:beta7:*:*:*:*:*:*\",\"matchCriteriaId\":\"D873B105-7A65-4EB1-87A2-72C7CF365BF5\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DEECE5FC-CACF-4496-A3E7-164736409252\"}]}]}],\"references\":[{\"url\":\"https://access.redhat.com/errata/RHSA-2018:2244\",\"source\":\"support@hackerone.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:2245\",\"source\":\"support@hackerone.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:2561\",\"source\":\"support@hackerone.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:2745\",\"source\":\"support@hackerone.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/rails/sprockets/commit/c09131cf5b2c479263939c8582e22b98ed616c5fhttps://github.com/rails/sprockets/commit/9c34fa05900b968d74f08ccf40917848a7be9441https://github.com/rails/sprockets/commit/18b8a7f07a50c245e9aee7854ecdbe606bbd8bb5\",\"source\":\"support@hackerone.com\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://groups.google.com/d/msg/rubyonrails-security/ft_J--l55fM/7roDfQ50BwAJ\",\"source\":\"support@hackerone.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2018/dsa-4242\",\"source\":\"support@hackerone.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:2244\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:2245\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:2561\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:2745\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/rails/sprockets/commit/c09131cf5b2c479263939c8582e22b98ed616c5fhttps://github.com/rails/sprockets/commit/9c34fa05900b968d74f08ccf40917848a7be9441https://github.com/rails/sprockets/commit/18b8a7f07a50c245e9aee7854ecdbe606bbd8bb5\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://groups.google.com/d/msg/rubyonrails-security/ft_J--l55fM/7roDfQ50BwAJ\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2018/dsa-4242\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
}
}
SUSE-SU-2018:1994-1
Vulnerability from csaf_suse - Published: 2018-07-19 07:35 - Updated: 2018-07-19 07:35Summary
Security update for rubygem-sprockets
Severity
Moderate
Notes
Title of the patch: Security update for rubygem-sprockets
Description of the patch: This update for rubygem-sprockets fixes the following issues:
The following security vulnerability was addressed:
- CVE-2018-3760: Fixed a path traversal issue in sprockets/server.rb:forbidden_request?(), which allowed remote attackers to read arbitrary files (bsc#1098369)
Patchnames: SUSE-SLE-Product-HA-15-2018-1349
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-sprockets-3.7.2-3.3.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-sprockets-3.7.2-3.3.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-sprockets-3.7.2-3.3.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-sprockets-3.7.2-3.3.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
9 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for rubygem-sprockets",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for rubygem-sprockets fixes the following issues:\n\nThe following security vulnerability was addressed:\n\n- CVE-2018-3760: Fixed a path traversal issue in sprockets/server.rb:forbidden_request?(), which allowed remote attackers to read arbitrary files (bsc#1098369)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLE-Product-HA-15-2018-1349",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2018_1994-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2018:1994-1",
"url": "https://www.suse.com/support/update/announcement/2018/suse-su-20181994-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2018:1994-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2018-July/004288.html"
},
{
"category": "self",
"summary": "SUSE Bug 1098369",
"url": "https://bugzilla.suse.com/1098369"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-3760 page",
"url": "https://www.suse.com/security/cve/CVE-2018-3760/"
}
],
"title": "Security update for rubygem-sprockets",
"tracking": {
"current_release_date": "2018-07-19T07:35:45Z",
"generator": {
"date": "2018-07-19T07:35:45Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2018:1994-1",
"initial_release_date": "2018-07-19T07:35:45Z",
"revision_history": [
{
"date": "2018-07-19T07:35:45Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "ruby2.5-rubygem-sprockets-3.7.2-3.3.1.aarch64",
"product": {
"name": "ruby2.5-rubygem-sprockets-3.7.2-3.3.1.aarch64",
"product_id": "ruby2.5-rubygem-sprockets-3.7.2-3.3.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby2.5-rubygem-sprockets-3.7.2-3.3.1.ppc64le",
"product": {
"name": "ruby2.5-rubygem-sprockets-3.7.2-3.3.1.ppc64le",
"product_id": "ruby2.5-rubygem-sprockets-3.7.2-3.3.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby2.5-rubygem-sprockets-3.7.2-3.3.1.s390x",
"product": {
"name": "ruby2.5-rubygem-sprockets-3.7.2-3.3.1.s390x",
"product_id": "ruby2.5-rubygem-sprockets-3.7.2-3.3.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby2.5-rubygem-sprockets-3.7.2-3.3.1.x86_64",
"product": {
"name": "ruby2.5-rubygem-sprockets-3.7.2-3.3.1.x86_64",
"product_id": "ruby2.5-rubygem-sprockets-3.7.2-3.3.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Availability Extension 15",
"product": {
"name": "SUSE Linux Enterprise High Availability Extension 15",
"product_id": "SUSE Linux Enterprise High Availability Extension 15",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-ha:15"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-sprockets-3.7.2-3.3.1.aarch64 as component of SUSE Linux Enterprise High Availability Extension 15",
"product_id": "SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-sprockets-3.7.2-3.3.1.aarch64"
},
"product_reference": "ruby2.5-rubygem-sprockets-3.7.2-3.3.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-sprockets-3.7.2-3.3.1.ppc64le as component of SUSE Linux Enterprise High Availability Extension 15",
"product_id": "SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-sprockets-3.7.2-3.3.1.ppc64le"
},
"product_reference": "ruby2.5-rubygem-sprockets-3.7.2-3.3.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-sprockets-3.7.2-3.3.1.s390x as component of SUSE Linux Enterprise High Availability Extension 15",
"product_id": "SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-sprockets-3.7.2-3.3.1.s390x"
},
"product_reference": "ruby2.5-rubygem-sprockets-3.7.2-3.3.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-sprockets-3.7.2-3.3.1.x86_64 as component of SUSE Linux Enterprise High Availability Extension 15",
"product_id": "SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-sprockets-3.7.2-3.3.1.x86_64"
},
"product_reference": "ruby2.5-rubygem-sprockets-3.7.2-3.3.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-3760",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-3760"
}
],
"notes": [
{
"category": "general",
"text": "There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exists on the filesystem that is outside an application\u0027s root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-sprockets-3.7.2-3.3.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-sprockets-3.7.2-3.3.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-sprockets-3.7.2-3.3.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-sprockets-3.7.2-3.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-3760",
"url": "https://www.suse.com/security/cve/CVE-2018-3760"
},
{
"category": "external",
"summary": "SUSE Bug 1098369 for CVE-2018-3760",
"url": "https://bugzilla.suse.com/1098369"
},
{
"category": "external",
"summary": "SUSE Bug 1182167 for CVE-2018-3760",
"url": "https://bugzilla.suse.com/1182167"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-sprockets-3.7.2-3.3.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-sprockets-3.7.2-3.3.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-sprockets-3.7.2-3.3.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-sprockets-3.7.2-3.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-sprockets-3.7.2-3.3.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-sprockets-3.7.2-3.3.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-sprockets-3.7.2-3.3.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-sprockets-3.7.2-3.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2018-07-19T07:35:45Z",
"details": "important"
}
],
"title": "CVE-2018-3760"
}
]
}
SUSE-SU-2018:2176-1
Vulnerability from csaf_suse - Published: 2018-08-02 15:20 - Updated: 2018-08-02 15:20Summary
Security update for rubygem-sprockets-2_12
Severity
Moderate
Notes
Title of the patch: Security update for rubygem-sprockets-2_12
Description of the patch: This update for rubygem-sprockets-2_12 fixes the following issues:
Security issue fixed:
- CVE-2018-3760: Fix path traversal in sprockets/server.rb:forbidden_request?() that can allow remote attackers to read
arbitrary files (bsc#1098369).
Patchnames: SUSE-OpenStack-Cloud-Crowbar-8-2018-1326
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.5 (High)
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 8:ruby2.1-rubygem-sprockets-2_12-2.12.5-1.4.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
9 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for rubygem-sprockets-2_12",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for rubygem-sprockets-2_12 fixes the following issues:\n\nSecurity issue fixed:\n\n- CVE-2018-3760: Fix path traversal in sprockets/server.rb:forbidden_request?() that can allow remote attackers to read\n arbitrary files (bsc#1098369).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-OpenStack-Cloud-Crowbar-8-2018-1326",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2018_2176-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2018:2176-1",
"url": "https://www.suse.com/support/update/announcement/2018/suse-su-20182176-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2018:2176-1",
"url": "https://www.suse.com/support/update/announcement/2018/suse-su-20182176-1.html"
},
{
"category": "self",
"summary": "SUSE Bug 1098369",
"url": "https://bugzilla.suse.com/1098369"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-3760 page",
"url": "https://www.suse.com/security/cve/CVE-2018-3760/"
}
],
"title": "Security update for rubygem-sprockets-2_12",
"tracking": {
"current_release_date": "2018-08-02T15:20:25Z",
"generator": {
"date": "2018-08-02T15:20:25Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2018:2176-1",
"initial_release_date": "2018-08-02T15:20:25Z",
"revision_history": [
{
"date": "2018-08-02T15:20:25Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "ruby2.1-rubygem-sprockets-2_12-2.12.5-1.4.1.x86_64",
"product": {
"name": "ruby2.1-rubygem-sprockets-2_12-2.12.5-1.4.1.x86_64",
"product_id": "ruby2.1-rubygem-sprockets-2_12-2.12.5-1.4.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE OpenStack Cloud Crowbar 8",
"product": {
"name": "SUSE OpenStack Cloud Crowbar 8",
"product_id": "SUSE OpenStack Cloud Crowbar 8",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse-openstack-cloud-crowbar:8"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.1-rubygem-sprockets-2_12-2.12.5-1.4.1.x86_64 as component of SUSE OpenStack Cloud Crowbar 8",
"product_id": "SUSE OpenStack Cloud Crowbar 8:ruby2.1-rubygem-sprockets-2_12-2.12.5-1.4.1.x86_64"
},
"product_reference": "ruby2.1-rubygem-sprockets-2_12-2.12.5-1.4.1.x86_64",
"relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-3760",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-3760"
}
],
"notes": [
{
"category": "general",
"text": "There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exists on the filesystem that is outside an application\u0027s root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE OpenStack Cloud Crowbar 8:ruby2.1-rubygem-sprockets-2_12-2.12.5-1.4.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-3760",
"url": "https://www.suse.com/security/cve/CVE-2018-3760"
},
{
"category": "external",
"summary": "SUSE Bug 1098369 for CVE-2018-3760",
"url": "https://bugzilla.suse.com/1098369"
},
{
"category": "external",
"summary": "SUSE Bug 1182167 for CVE-2018-3760",
"url": "https://bugzilla.suse.com/1182167"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE OpenStack Cloud Crowbar 8:ruby2.1-rubygem-sprockets-2_12-2.12.5-1.4.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"SUSE OpenStack Cloud Crowbar 8:ruby2.1-rubygem-sprockets-2_12-2.12.5-1.4.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2018-08-02T15:20:25Z",
"details": "important"
}
],
"title": "CVE-2018-3760"
}
]
}
SUSE-SU-2018:2217-1
Vulnerability from csaf_suse - Published: 2018-08-06 13:16 - Updated: 2018-08-06 13:16Summary
Security update for rubygem-sprockets-2_12
Severity
Moderate
Notes
Title of the patch: Security update for rubygem-sprockets-2_12
Description of the patch: This update for rubygem-sprockets-2_12 fixes the following issues:
Security issue fixed:
- CVE-2018-3760: Fix path traversal in sprockets/server.rb:forbidden_request?() that can allow remote attackers to
read arbitrary files (bsc#1098369).
Patchnames: SUSE-OpenStack-Cloud-7-2018-1500
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.5 (High)
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE OpenStack Cloud 7:ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 7:ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 7:ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
9 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for rubygem-sprockets-2_12",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for rubygem-sprockets-2_12 fixes the following issues:\n\nSecurity issue fixed:\n\n- CVE-2018-3760: Fix path traversal in sprockets/server.rb:forbidden_request?() that can allow remote attackers to\n read arbitrary files (bsc#1098369).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-OpenStack-Cloud-7-2018-1500",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2018_2217-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2018:2217-1",
"url": "https://www.suse.com/support/update/announcement/2018/suse-su-20182217-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2018:2217-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2018-August/004376.html"
},
{
"category": "self",
"summary": "SUSE Bug 1098369",
"url": "https://bugzilla.suse.com/1098369"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-3760 page",
"url": "https://www.suse.com/security/cve/CVE-2018-3760/"
}
],
"title": "Security update for rubygem-sprockets-2_12",
"tracking": {
"current_release_date": "2018-08-06T13:16:56Z",
"generator": {
"date": "2018-08-06T13:16:56Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2018:2217-1",
"initial_release_date": "2018-08-06T13:16:56Z",
"revision_history": [
{
"date": "2018-08-06T13:16:56Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.aarch64",
"product": {
"name": "ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.aarch64",
"product_id": "ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.s390x",
"product": {
"name": "ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.s390x",
"product_id": "ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.x86_64",
"product": {
"name": "ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.x86_64",
"product_id": "ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE OpenStack Cloud 7",
"product": {
"name": "SUSE OpenStack Cloud 7",
"product_id": "SUSE OpenStack Cloud 7",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse-openstack-cloud:7"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.aarch64 as component of SUSE OpenStack Cloud 7",
"product_id": "SUSE OpenStack Cloud 7:ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.aarch64"
},
"product_reference": "ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.aarch64",
"relates_to_product_reference": "SUSE OpenStack Cloud 7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.s390x as component of SUSE OpenStack Cloud 7",
"product_id": "SUSE OpenStack Cloud 7:ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.s390x"
},
"product_reference": "ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.s390x",
"relates_to_product_reference": "SUSE OpenStack Cloud 7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.x86_64 as component of SUSE OpenStack Cloud 7",
"product_id": "SUSE OpenStack Cloud 7:ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.x86_64"
},
"product_reference": "ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.x86_64",
"relates_to_product_reference": "SUSE OpenStack Cloud 7"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-3760",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-3760"
}
],
"notes": [
{
"category": "general",
"text": "There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exists on the filesystem that is outside an application\u0027s root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE OpenStack Cloud 7:ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.aarch64",
"SUSE OpenStack Cloud 7:ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.s390x",
"SUSE OpenStack Cloud 7:ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-3760",
"url": "https://www.suse.com/security/cve/CVE-2018-3760"
},
{
"category": "external",
"summary": "SUSE Bug 1098369 for CVE-2018-3760",
"url": "https://bugzilla.suse.com/1098369"
},
{
"category": "external",
"summary": "SUSE Bug 1182167 for CVE-2018-3760",
"url": "https://bugzilla.suse.com/1182167"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE OpenStack Cloud 7:ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.aarch64",
"SUSE OpenStack Cloud 7:ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.s390x",
"SUSE OpenStack Cloud 7:ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"SUSE OpenStack Cloud 7:ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.aarch64",
"SUSE OpenStack Cloud 7:ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.s390x",
"SUSE OpenStack Cloud 7:ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2018-08-06T13:16:56Z",
"details": "important"
}
],
"title": "CVE-2018-3760"
}
]
}
SUSE-SU-2018:2603-1
Vulnerability from csaf_suse - Published: 2018-09-04 08:48 - Updated: 2018-09-04 08:48Summary
Security update for crowbar, crowbar-core, crowbar-ha, crowbar-openstack, crowbar-ui
Severity
Moderate
Notes
Title of the patch: Security update for crowbar, crowbar-core, crowbar-ha, crowbar-openstack, crowbar-ui
Description of the patch: This update for crowbar, crowbar-ha, crowbar-init, crowbar-openstack, crowbar-ui fixes the following issues:
This security issues was fixed:
- CVE-2018-3760: Upgrade rubygem-sprockets to prevent an information leak.
Specially crafted requests could have been be used to access files that exists
on the filesystem that is outside an application's root directory, when the
Sprockets server is used in production (bsc#1098369).
- CVE-2016-861: Add rate limiting for glance api (bsc#1005886)
These non-security issues were fixed for crowbar:
- upgrade: Lock crowbar-ui before admin upgrade
- upgrade: Make sure schemas are properly migrated after the upgrade
These non-security issues were fixed for crowbar-core:
- upgrade: Add the upgrade menu entry
- upgrade: Fix upgrade link
- apache: copytruncate apache logs bsc#1083093
- Fix exception handling in get_log_lines
- upgrade: Raise the default timeouts for most time consuming actions
- upgrade: Do not allow manila-share on compute nodes
- control_lib: fix host allocation check
- upgrade: Check input is a valid node for nodes
- upgrade: Provide better information after the failure
- upgrade: Report missing scripts
- upgrade: Improve error messages with lists
- upgrade: Do not allow cinder-volume on compute nodes
- upgrade: Fix file layout for rails' autoloading (bsc#1096759)
- upgrade: Added API calls for postponing/resuming compute nodes upgrade
- upgrade: Unlock crowbar-ui after completed upgrade
- upgrade: Do not check if ceph roles are present on compute nodes
- upgrade: Fix labels for SOC8 repositories
- upgrade: Finish only controllers step
These non-security issues were fixed for crowbar-ha:
- haproxy: increased SSL stick table to 100k
- DRBD: Fix DRBD resources setup on reinstall node
- pacemaker: allow multiple meta parameters (bsc#1093898)
These non-security issues were fixed for crowbar-openstack:
- nova: reload nova-placement-api (bsc#1103383)
- Synchronize SSL in the cluster (bsc#1081518)
- neutron: add force_metadata attribute
- copytruncate apache logs instead of creating
- rabbitmq: set client timout to default value
- Revert 'database: Split database-server role into backend specific roles'
- Revert 'database: Allow parallel deployments of postgresql and mysql'
- Revert 'database: Allow parallel HA deployment of PostgreSQL and MariaDB'
- Revert 'database: Fix 'Attributes' UI after role renaming'
- Revert 'monasca: Fix check for mysql after it got moved to a separate role'
- Revert 'Restore caching of db_settings'
- Revert 'database: Migration fixes for separate DB roles'
- database: Migration fixes for separate DB roles
- Restore caching of db_settings
- monasca: Fix check for mysql after it got moved to a separate role
- database: Fix 'Attributes' UI after role renaming
- database: Allow parallel HA deployment of PostgreSQL and MariaDB
- database: Allow parallel deployments of postgresql and mysql
- database: Split database-server role into backend specific roles
- Do not automatically put manila-share roles to compute nodes
- rabbitmq: check for rabbit readiness
- rabbitmq: Make sure rabbit is running on cluster
- monasca: various monasca-installer improvements
- manila: Correct field name for cluster name
- mariadb: Add prefix to configs
- mariadb: Remove redundant config values
- aodh: Add config for alarm_history_ttl (bsc#1073703)
These non-security issues were fixed for crowbar-ui:
- upgrade: Dummy backend for status testing
- upgrade: Refactor postpone nodes upgrade
- upgrade: Allow interruption of status wait loop
- upgrade: Added ability to postpone upgrade nodes
- upgrade: Add ability to postpone upgrade nodes
- upgrade: Add ability to postpone upgrade nodes
- upgrade: Add ability to postpone upgrade nodes
- Add ability to postpone upgrade
- upgrade: Remove openstack precheck
- upgrade: Fixed error key for ha_configured
- upgrade: Remove CEPH related code
- Remove the non-essential database-configuration controller
- remove ui typo test
- Remove database configuration option
- upgrade: Update SUSE-OpenStack-Cloud-8 label
- upgrade: Update admin and nodes repo names
- enable and document docker development environment
Patchnames: SUSE-OpenStack-Cloud-7-2018-1828,SUSE-Storage-4-2018-1828
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
4.3 (Medium)
Affected products
Recommended
14 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Enterprise Storage 4:crowbar-4.0+git.1528801103.f5708341-7.20.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Enterprise Storage 4:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Enterprise Storage 4:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 7:crowbar-4.0+git.1528801103.f5708341-7.20.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 7:crowbar-devel-4.0+git.1528801103.f5708341-7.20.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 7:crowbar-ha-4.0+git.1533750802.5768e73-4.34.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1534254269.ce598a9fe-9.39.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 7:crowbar-ui-1.1.0+git.1533844061.4ac8e723-4.3.1.noarch | — |
Vendor Fix
|
Threats
Impact
low
7.5 (High)
Affected products
Recommended
14 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Enterprise Storage 4:crowbar-4.0+git.1528801103.f5708341-7.20.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Enterprise Storage 4:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Enterprise Storage 4:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 7:crowbar-4.0+git.1528801103.f5708341-7.20.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 7:crowbar-devel-4.0+git.1528801103.f5708341-7.20.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 7:crowbar-ha-4.0+git.1533750802.5768e73-4.34.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1534254269.ce598a9fe-9.39.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud 7:crowbar-ui-1.1.0+git.1533844061.4ac8e723-4.3.1.noarch | — |
Vendor Fix
|
Threats
Impact
important
References
19 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for crowbar, crowbar-core, crowbar-ha, crowbar-openstack, crowbar-ui",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for crowbar, crowbar-ha, crowbar-init, crowbar-openstack, crowbar-ui fixes the following issues:\n\nThis security issues was fixed:\n\n- CVE-2018-3760: Upgrade rubygem-sprockets to prevent an information leak.\n Specially crafted requests could have been be used to access files that exists\n on the filesystem that is outside an application\u0027s root directory, when the\n Sprockets server is used in production (bsc#1098369).\n- CVE-2016-861: Add rate limiting for glance api (bsc#1005886)\n\nThese non-security issues were fixed for crowbar:\n\n- upgrade: Lock crowbar-ui before admin upgrade\n- upgrade: Make sure schemas are properly migrated after the upgrade\n\nThese non-security issues were fixed for crowbar-core:\n\n- upgrade: Add the upgrade menu entry\n- upgrade: Fix upgrade link\n- apache: copytruncate apache logs bsc#1083093\n- Fix exception handling in get_log_lines\n- upgrade: Raise the default timeouts for most time consuming actions\n- upgrade: Do not allow manila-share on compute nodes\n- control_lib: fix host allocation check\n- upgrade: Check input is a valid node for nodes\n- upgrade: Provide better information after the failure\n- upgrade: Report missing scripts\n- upgrade: Improve error messages with lists\n- upgrade: Do not allow cinder-volume on compute nodes\n- upgrade: Fix file layout for rails\u0027 autoloading (bsc#1096759)\n- upgrade: Added API calls for postponing/resuming compute nodes upgrade\n- upgrade: Unlock crowbar-ui after completed upgrade\n- upgrade: Do not check if ceph roles are present on compute nodes\n- upgrade: Fix labels for SOC8 repositories\n- upgrade: Finish only controllers step\n\nThese non-security issues were fixed for crowbar-ha:\n\n- haproxy: increased SSL stick table to 100k\n- DRBD: Fix DRBD resources setup on reinstall node\n- pacemaker: allow multiple meta parameters (bsc#1093898)\n\nThese non-security issues were fixed for crowbar-openstack:\n\n- nova: reload nova-placement-api (bsc#1103383)\n- Synchronize SSL in the cluster (bsc#1081518)\n- neutron: add force_metadata attribute\n- copytruncate apache logs instead of creating\n- rabbitmq: set client timout to default value\n- Revert \u0027database: Split database-server role into backend specific roles\u0027\n- Revert \u0027database: Allow parallel deployments of postgresql and mysql\u0027\n- Revert \u0027database: Allow parallel HA deployment of PostgreSQL and MariaDB\u0027\n- Revert \u0027database: Fix \u0027Attributes\u0027 UI after role renaming\u0027\n- Revert \u0027monasca: Fix check for mysql after it got moved to a separate role\u0027\n- Revert \u0027Restore caching of db_settings\u0027\n- Revert \u0027database: Migration fixes for separate DB roles\u0027\n- database: Migration fixes for separate DB roles\n- Restore caching of db_settings\n- monasca: Fix check for mysql after it got moved to a separate role\n- database: Fix \u0027Attributes\u0027 UI after role renaming\n- database: Allow parallel HA deployment of PostgreSQL and MariaDB\n- database: Allow parallel deployments of postgresql and mysql\n- database: Split database-server role into backend specific roles\n- Do not automatically put manila-share roles to compute nodes\n- rabbitmq: check for rabbit readiness\n- rabbitmq: Make sure rabbit is running on cluster\n- monasca: various monasca-installer improvements\n- manila: Correct field name for cluster name\n- mariadb: Add prefix to configs\n- mariadb: Remove redundant config values\n- aodh: Add config for alarm_history_ttl (bsc#1073703)\n\nThese non-security issues were fixed for crowbar-ui:\n\n- upgrade: Dummy backend for status testing\n- upgrade: Refactor postpone nodes upgrade\n- upgrade: Allow interruption of status wait loop\n- upgrade: Added ability to postpone upgrade nodes\n- upgrade: Add ability to postpone upgrade nodes\n- upgrade: Add ability to postpone upgrade nodes\n- upgrade: Add ability to postpone upgrade nodes\n- Add ability to postpone upgrade\n- upgrade: Remove openstack precheck\n- upgrade: Fixed error key for ha_configured\n- upgrade: Remove CEPH related code\n- Remove the non-essential database-configuration controller\n- remove ui typo test\n- Remove database configuration option\n- upgrade: Update SUSE-OpenStack-Cloud-8 label\n- upgrade: Update admin and nodes repo names\n- enable and document docker development environment\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-OpenStack-Cloud-7-2018-1828,SUSE-Storage-4-2018-1828",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2018_2603-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2018:2603-1",
"url": "https://www.suse.com/support/update/announcement/2018/suse-su-20182603-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2018:2603-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2018-September/004530.html"
},
{
"category": "self",
"summary": "SUSE Bug 1005886",
"url": "https://bugzilla.suse.com/1005886"
},
{
"category": "self",
"summary": "SUSE Bug 1073703",
"url": "https://bugzilla.suse.com/1073703"
},
{
"category": "self",
"summary": "SUSE Bug 1081518",
"url": "https://bugzilla.suse.com/1081518"
},
{
"category": "self",
"summary": "SUSE Bug 1083093",
"url": "https://bugzilla.suse.com/1083093"
},
{
"category": "self",
"summary": "SUSE Bug 1093898",
"url": "https://bugzilla.suse.com/1093898"
},
{
"category": "self",
"summary": "SUSE Bug 1096759",
"url": "https://bugzilla.suse.com/1096759"
},
{
"category": "self",
"summary": "SUSE Bug 1098369",
"url": "https://bugzilla.suse.com/1098369"
},
{
"category": "self",
"summary": "SUSE Bug 1103383",
"url": "https://bugzilla.suse.com/1103383"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2016-8611 page",
"url": "https://www.suse.com/security/cve/CVE-2016-8611/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-3760 page",
"url": "https://www.suse.com/security/cve/CVE-2018-3760/"
}
],
"title": "Security update for crowbar, crowbar-core, crowbar-ha, crowbar-openstack, crowbar-ui",
"tracking": {
"current_release_date": "2018-09-04T08:48:31Z",
"generator": {
"date": "2018-09-04T08:48:31Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2018:2603-1",
"initial_release_date": "2018-09-04T08:48:31Z",
"revision_history": [
{
"date": "2018-09-04T08:48:31Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.aarch64",
"product": {
"name": "crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.aarch64",
"product_id": "crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.aarch64"
}
},
{
"category": "product_version",
"name": "crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.aarch64",
"product": {
"name": "crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.aarch64",
"product_id": "crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "crowbar-4.0+git.1528801103.f5708341-7.20.1.noarch",
"product": {
"name": "crowbar-4.0+git.1528801103.f5708341-7.20.1.noarch",
"product_id": "crowbar-4.0+git.1528801103.f5708341-7.20.1.noarch"
}
},
{
"category": "product_version",
"name": "crowbar-devel-4.0+git.1528801103.f5708341-7.20.1.noarch",
"product": {
"name": "crowbar-devel-4.0+git.1528801103.f5708341-7.20.1.noarch",
"product_id": "crowbar-devel-4.0+git.1528801103.f5708341-7.20.1.noarch"
}
},
{
"category": "product_version",
"name": "crowbar-ha-4.0+git.1533750802.5768e73-4.34.1.noarch",
"product": {
"name": "crowbar-ha-4.0+git.1533750802.5768e73-4.34.1.noarch",
"product_id": "crowbar-ha-4.0+git.1533750802.5768e73-4.34.1.noarch"
}
},
{
"category": "product_version",
"name": "crowbar-openstack-4.0+git.1534254269.ce598a9fe-9.39.1.noarch",
"product": {
"name": "crowbar-openstack-4.0+git.1534254269.ce598a9fe-9.39.1.noarch",
"product_id": "crowbar-openstack-4.0+git.1534254269.ce598a9fe-9.39.1.noarch"
}
},
{
"category": "product_version",
"name": "crowbar-ui-1.1.0+git.1533844061.4ac8e723-4.3.1.noarch",
"product": {
"name": "crowbar-ui-1.1.0+git.1533844061.4ac8e723-4.3.1.noarch",
"product_id": "crowbar-ui-1.1.0+git.1533844061.4ac8e723-4.3.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.s390x",
"product": {
"name": "crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.s390x",
"product_id": "crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.s390x"
}
},
{
"category": "product_version",
"name": "crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.s390x",
"product": {
"name": "crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.s390x",
"product_id": "crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.x86_64",
"product": {
"name": "crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.x86_64",
"product_id": "crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.x86_64"
}
},
{
"category": "product_version",
"name": "crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.x86_64",
"product": {
"name": "crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.x86_64",
"product_id": "crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE OpenStack Cloud 7",
"product": {
"name": "SUSE OpenStack Cloud 7",
"product_id": "SUSE OpenStack Cloud 7",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse-openstack-cloud:7"
}
}
},
{
"category": "product_name",
"name": "SUSE Enterprise Storage 4",
"product": {
"name": "SUSE Enterprise Storage 4",
"product_id": "SUSE Enterprise Storage 4",
"product_identification_helper": {
"cpe": "cpe:/o:suse:ses:4"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "crowbar-4.0+git.1528801103.f5708341-7.20.1.noarch as component of SUSE OpenStack Cloud 7",
"product_id": "SUSE OpenStack Cloud 7:crowbar-4.0+git.1528801103.f5708341-7.20.1.noarch"
},
"product_reference": "crowbar-4.0+git.1528801103.f5708341-7.20.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud 7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.aarch64 as component of SUSE OpenStack Cloud 7",
"product_id": "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.aarch64"
},
"product_reference": "crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.aarch64",
"relates_to_product_reference": "SUSE OpenStack Cloud 7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.s390x as component of SUSE OpenStack Cloud 7",
"product_id": "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.s390x"
},
"product_reference": "crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.s390x",
"relates_to_product_reference": "SUSE OpenStack Cloud 7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.x86_64 as component of SUSE OpenStack Cloud 7",
"product_id": "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.x86_64"
},
"product_reference": "crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.x86_64",
"relates_to_product_reference": "SUSE OpenStack Cloud 7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.aarch64 as component of SUSE OpenStack Cloud 7",
"product_id": "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.aarch64"
},
"product_reference": "crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.aarch64",
"relates_to_product_reference": "SUSE OpenStack Cloud 7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.s390x as component of SUSE OpenStack Cloud 7",
"product_id": "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.s390x"
},
"product_reference": "crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.s390x",
"relates_to_product_reference": "SUSE OpenStack Cloud 7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.x86_64 as component of SUSE OpenStack Cloud 7",
"product_id": "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.x86_64"
},
"product_reference": "crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.x86_64",
"relates_to_product_reference": "SUSE OpenStack Cloud 7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "crowbar-devel-4.0+git.1528801103.f5708341-7.20.1.noarch as component of SUSE OpenStack Cloud 7",
"product_id": "SUSE OpenStack Cloud 7:crowbar-devel-4.0+git.1528801103.f5708341-7.20.1.noarch"
},
"product_reference": "crowbar-devel-4.0+git.1528801103.f5708341-7.20.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud 7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "crowbar-ha-4.0+git.1533750802.5768e73-4.34.1.noarch as component of SUSE OpenStack Cloud 7",
"product_id": "SUSE OpenStack Cloud 7:crowbar-ha-4.0+git.1533750802.5768e73-4.34.1.noarch"
},
"product_reference": "crowbar-ha-4.0+git.1533750802.5768e73-4.34.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud 7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "crowbar-openstack-4.0+git.1534254269.ce598a9fe-9.39.1.noarch as component of SUSE OpenStack Cloud 7",
"product_id": "SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1534254269.ce598a9fe-9.39.1.noarch"
},
"product_reference": "crowbar-openstack-4.0+git.1534254269.ce598a9fe-9.39.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud 7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "crowbar-ui-1.1.0+git.1533844061.4ac8e723-4.3.1.noarch as component of SUSE OpenStack Cloud 7",
"product_id": "SUSE OpenStack Cloud 7:crowbar-ui-1.1.0+git.1533844061.4ac8e723-4.3.1.noarch"
},
"product_reference": "crowbar-ui-1.1.0+git.1533844061.4ac8e723-4.3.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud 7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "crowbar-4.0+git.1528801103.f5708341-7.20.1.noarch as component of SUSE Enterprise Storage 4",
"product_id": "SUSE Enterprise Storage 4:crowbar-4.0+git.1528801103.f5708341-7.20.1.noarch"
},
"product_reference": "crowbar-4.0+git.1528801103.f5708341-7.20.1.noarch",
"relates_to_product_reference": "SUSE Enterprise Storage 4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.aarch64 as component of SUSE Enterprise Storage 4",
"product_id": "SUSE Enterprise Storage 4:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.aarch64"
},
"product_reference": "crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.aarch64",
"relates_to_product_reference": "SUSE Enterprise Storage 4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.x86_64 as component of SUSE Enterprise Storage 4",
"product_id": "SUSE Enterprise Storage 4:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.x86_64"
},
"product_reference": "crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.x86_64",
"relates_to_product_reference": "SUSE Enterprise Storage 4"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2016-8611",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2016-8611"
}
],
"notes": [
{
"category": "general",
"text": "A vulnerability was found in Openstack Glance. No limits are enforced within the Glance image service for both v1 and v2 `/images` API POST method for authenticated users, resulting in possible denial of service attacks through database table saturation.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Enterprise Storage 4:crowbar-4.0+git.1528801103.f5708341-7.20.1.noarch",
"SUSE Enterprise Storage 4:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.aarch64",
"SUSE Enterprise Storage 4:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.x86_64",
"SUSE OpenStack Cloud 7:crowbar-4.0+git.1528801103.f5708341-7.20.1.noarch",
"SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.aarch64",
"SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.s390x",
"SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.x86_64",
"SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.aarch64",
"SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.s390x",
"SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.x86_64",
"SUSE OpenStack Cloud 7:crowbar-devel-4.0+git.1528801103.f5708341-7.20.1.noarch",
"SUSE OpenStack Cloud 7:crowbar-ha-4.0+git.1533750802.5768e73-4.34.1.noarch",
"SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1534254269.ce598a9fe-9.39.1.noarch",
"SUSE OpenStack Cloud 7:crowbar-ui-1.1.0+git.1533844061.4ac8e723-4.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2016-8611",
"url": "https://www.suse.com/security/cve/CVE-2016-8611"
},
{
"category": "external",
"summary": "SUSE Bug 1005886 for CVE-2016-8611",
"url": "https://bugzilla.suse.com/1005886"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Enterprise Storage 4:crowbar-4.0+git.1528801103.f5708341-7.20.1.noarch",
"SUSE Enterprise Storage 4:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.aarch64",
"SUSE Enterprise Storage 4:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.x86_64",
"SUSE OpenStack Cloud 7:crowbar-4.0+git.1528801103.f5708341-7.20.1.noarch",
"SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.aarch64",
"SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.s390x",
"SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.x86_64",
"SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.aarch64",
"SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.s390x",
"SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.x86_64",
"SUSE OpenStack Cloud 7:crowbar-devel-4.0+git.1528801103.f5708341-7.20.1.noarch",
"SUSE OpenStack Cloud 7:crowbar-ha-4.0+git.1533750802.5768e73-4.34.1.noarch",
"SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1534254269.ce598a9fe-9.39.1.noarch",
"SUSE OpenStack Cloud 7:crowbar-ui-1.1.0+git.1533844061.4ac8e723-4.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
},
"products": [
"SUSE Enterprise Storage 4:crowbar-4.0+git.1528801103.f5708341-7.20.1.noarch",
"SUSE Enterprise Storage 4:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.aarch64",
"SUSE Enterprise Storage 4:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.x86_64",
"SUSE OpenStack Cloud 7:crowbar-4.0+git.1528801103.f5708341-7.20.1.noarch",
"SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.aarch64",
"SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.s390x",
"SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.x86_64",
"SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.aarch64",
"SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.s390x",
"SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.x86_64",
"SUSE OpenStack Cloud 7:crowbar-devel-4.0+git.1528801103.f5708341-7.20.1.noarch",
"SUSE OpenStack Cloud 7:crowbar-ha-4.0+git.1533750802.5768e73-4.34.1.noarch",
"SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1534254269.ce598a9fe-9.39.1.noarch",
"SUSE OpenStack Cloud 7:crowbar-ui-1.1.0+git.1533844061.4ac8e723-4.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2018-09-04T08:48:31Z",
"details": "low"
}
],
"title": "CVE-2016-8611"
},
{
"cve": "CVE-2018-3760",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-3760"
}
],
"notes": [
{
"category": "general",
"text": "There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exists on the filesystem that is outside an application\u0027s root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Enterprise Storage 4:crowbar-4.0+git.1528801103.f5708341-7.20.1.noarch",
"SUSE Enterprise Storage 4:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.aarch64",
"SUSE Enterprise Storage 4:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.x86_64",
"SUSE OpenStack Cloud 7:crowbar-4.0+git.1528801103.f5708341-7.20.1.noarch",
"SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.aarch64",
"SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.s390x",
"SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.x86_64",
"SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.aarch64",
"SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.s390x",
"SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.x86_64",
"SUSE OpenStack Cloud 7:crowbar-devel-4.0+git.1528801103.f5708341-7.20.1.noarch",
"SUSE OpenStack Cloud 7:crowbar-ha-4.0+git.1533750802.5768e73-4.34.1.noarch",
"SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1534254269.ce598a9fe-9.39.1.noarch",
"SUSE OpenStack Cloud 7:crowbar-ui-1.1.0+git.1533844061.4ac8e723-4.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-3760",
"url": "https://www.suse.com/security/cve/CVE-2018-3760"
},
{
"category": "external",
"summary": "SUSE Bug 1098369 for CVE-2018-3760",
"url": "https://bugzilla.suse.com/1098369"
},
{
"category": "external",
"summary": "SUSE Bug 1182167 for CVE-2018-3760",
"url": "https://bugzilla.suse.com/1182167"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Enterprise Storage 4:crowbar-4.0+git.1528801103.f5708341-7.20.1.noarch",
"SUSE Enterprise Storage 4:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.aarch64",
"SUSE Enterprise Storage 4:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.x86_64",
"SUSE OpenStack Cloud 7:crowbar-4.0+git.1528801103.f5708341-7.20.1.noarch",
"SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.aarch64",
"SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.s390x",
"SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.x86_64",
"SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.aarch64",
"SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.s390x",
"SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.x86_64",
"SUSE OpenStack Cloud 7:crowbar-devel-4.0+git.1528801103.f5708341-7.20.1.noarch",
"SUSE OpenStack Cloud 7:crowbar-ha-4.0+git.1533750802.5768e73-4.34.1.noarch",
"SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1534254269.ce598a9fe-9.39.1.noarch",
"SUSE OpenStack Cloud 7:crowbar-ui-1.1.0+git.1533844061.4ac8e723-4.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"SUSE Enterprise Storage 4:crowbar-4.0+git.1528801103.f5708341-7.20.1.noarch",
"SUSE Enterprise Storage 4:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.aarch64",
"SUSE Enterprise Storage 4:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.x86_64",
"SUSE OpenStack Cloud 7:crowbar-4.0+git.1528801103.f5708341-7.20.1.noarch",
"SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.aarch64",
"SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.s390x",
"SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.x86_64",
"SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.aarch64",
"SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.s390x",
"SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.x86_64",
"SUSE OpenStack Cloud 7:crowbar-devel-4.0+git.1528801103.f5708341-7.20.1.noarch",
"SUSE OpenStack Cloud 7:crowbar-ha-4.0+git.1533750802.5768e73-4.34.1.noarch",
"SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1534254269.ce598a9fe-9.39.1.noarch",
"SUSE OpenStack Cloud 7:crowbar-ui-1.1.0+git.1533844061.4ac8e723-4.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2018-09-04T08:48:31Z",
"details": "important"
}
],
"title": "CVE-2018-3760"
}
]
}
SUSE-SU-2018:2762-1
Vulnerability from csaf_suse - Published: 2018-09-20 06:04 - Updated: 2018-09-20 06:04Summary
Security update for crowbar, crowbar-core, crowbar-ha, crowbar-init, crowbar-openstack, crowbar-ui
Severity
Moderate
Notes
Title of the patch: Security update for crowbar, crowbar-core, crowbar-ha, crowbar-init, crowbar-openstack, crowbar-ui
Description of the patch: This update for crowbar, crowbar-ha, crowbar-init, crowbar-openstack, crowbar-ui fixes the following issues:
This security issues was fixed:
- CVE-2018-3760: Upgrade rubygem-sprockets to prevent an information leak.
Specially crafted requests could have been be used to access files that exists
on the filesystem that is outside an application's root directory, when the
Sprockets server is used in production (bsc#1098369).
- CVE-2016-861: Add rate limiting for glance api (bsc#1005886)
These non-security issues were fixed for crowbar:
- upgrade: Lock crowbar-ui before admin upgrade
- upgrade: Make sure schemas are properly migrated after the upgrade
- upgrade: No need for database dump before the upgrade
- upgrade: No need to use crowbar-init during the upgrade
These non-security issues were fixed for crowbar-core:
- upgrade: Remove pre-upgrade constraints from existing locations
- upgrade: Show the grep result when checking for not-migrated instances
- upgrade: Set clone_stateless_services to false on upgrade
- control_lib: fix host allocation check
- Fix exception handling in get_log_lines
- apache: copytruncate apache logs bsc#1083093
- upgrade: Refresh repos before crowbar-ui update (bsc#1099392)
- upgrade: Reset RabbitMQ nodes during upgrade
- upgrade: Do not allow cinder-volume on compute nodes
- upgrade: Wait until all nova-compute services are up before evacuation
- upgrade: Save the information which set of nodes should be upgraded
- Let skip_unready_nodes skip also nodes that are in crowbar_upgrade state
- upgrade: Add missing brackets checking for nodes
- upgrade: Make sure postponed nodes can be skipped when applying proposal
- upgrade: When the upgrade is not finished, show a link to wizard
- upgrade: Correctly delete remaining upgrade scripts
- upgrade: Wait for services shutdown to finish
- upgrade: Unlock crowbar-ui after completed upgrade
- upgrade: Stop cron before stopping any other service
- upgrade: Provide better information after the failure
- upgrade: Report missing scripts
- upgrade: Better check for upgraded nodes - do not rely on state
- upgrade: Improve error messages with lists
- upgrade: Check input is a valid node for nodes
- upgrade: Delete upgrade scripts really at the end of upgrade
- upgrade: Increase the timeout for deleting pacemaker resources
- upgrade: Adapt the check for upgraded? value
- upgrade: Move step to mark the admin upgrade end
- upgrade: Do not finalize nodes that are not upgraded
- upgrade: Fix file layout for rails' autoloading (bsc#1096759)
- upgrade: Deleting cinder services from database no longer needed
- upgrade: Allow postpone and resume of compute nodes upgrade
- upgrade: Allow the access to controller actions when upgrade is postponed
- upgrade: Finalize upgrade of controller nodes after they are done
- upgrade: Added API calls for postponing/resuming compute nodes upgrade
- upgrade: Unblock upgrade status API in Cloud8
- upgrade: Do not end admin step while it is still running (bsc#1095420)
- upgrade: Adapt ceph-related checks to 7-8 upgrade
- upgrade: Allow running schema migrations on upgrade
- upgrade: Fix platform retrieval
These non-security issues were fixed for crowbar-ha:
- pacemaker: allow multiple meta parameters (bsc#1093898)
- haproxy: active-active mode, just one VIP
These non-security issues were fixed for crowbar-openstack:
- Synchronize SSL in the cluster (bsc#1081518)
- neutron: add force_metadata attribute
- rabbitmq: set client timout to default value
- /etc/sysctl.d/99-sysctl.conf is a symlink to /etc/sysctl.conf
- Do not automatically put manila-share roles to compute nodes
- rabbitmq: check for rabbit readiness
- rabbitmq: Make sure rabbit is running on cluster
- monasca: various monasca-installer improvements
- monasca: reduce monasca-installer runs (bsc#1096043)
- manila: Correct field name for cluster name
- Do not mark [:nova][:db_synced] too early
- nova: Do not do partial online migrations, that was Newton specific
- monasca: add elasticsearch tunables (bsc#1090336)
- copytruncate apache logs instead of creating
- rabbitmq: Better dependency check
- aodh: Add config for alarm_history_ttl (bsc#1073703)
- upgrade: cinder: run live migrations at correct rev
These non-security issues were fixed for crowbar-ui:
- upgrade: Dummy backend for status testing
- upgrade: Refactor postpone nodes upgrade
- upgrade: Allow interruption of status wait loop
- upgrade: Added ability to postpone upgrade nodes
- upgrade: Add ability to postpone upgrade nodes
- upgrade: Add ability to postpone upgrade nodes
- upgrade: Add ability to postpone upgrade nodes
- Add ability to postpone upgrade
- upgrade: Remove openstack precheck
- upgrade: Fixed error key for ha_configured
- upgrade: Remove CEPH related code
- Remove the non-essential database-configuration controller
- remove ui typo test
- Remove database configuration option
- upgrade: Update SUSE-OpenStack-Cloud-8 label
- upgrade: Update admin and nodes repo names
Patchnames: SUSE-OpenStack-Cloud-Crowbar-8-2018-1928
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
4.3 (Medium)
Affected products
Recommended
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 8:crowbar-5.0+git.1528696845.81a7b5d0-3.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 8:crowbar-core-5.0+git.1533887407.6e9b0412d-3.8.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 8:crowbar-core-branding-upstream-5.0+git.1533887407.6e9b0412d-3.8.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 8:crowbar-devel-5.0+git.1528696845.81a7b5d0-3.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 8:crowbar-ha-5.0+git.1530177874.35b9099-3.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 8:crowbar-init-5.0+git.1520420379.d5bbb35-3.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 8:crowbar-openstack-5.0+git.1534167599.d325ef804-4.8.2.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 8:crowbar-ui-1.2.0+git.1533844061.4ac8e723-3.3.1.noarch | — |
Vendor Fix
|
Threats
Impact
low
7.5 (High)
Affected products
Recommended
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 8:crowbar-5.0+git.1528696845.81a7b5d0-3.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 8:crowbar-core-5.0+git.1533887407.6e9b0412d-3.8.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 8:crowbar-core-branding-upstream-5.0+git.1533887407.6e9b0412d-3.8.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 8:crowbar-devel-5.0+git.1528696845.81a7b5d0-3.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 8:crowbar-ha-5.0+git.1530177874.35b9099-3.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 8:crowbar-init-5.0+git.1520420379.d5bbb35-3.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 8:crowbar-openstack-5.0+git.1534167599.d325ef804-4.8.2.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE OpenStack Cloud Crowbar 8:crowbar-ui-1.2.0+git.1533844061.4ac8e723-3.3.1.noarch | — |
Vendor Fix
|
Threats
Impact
important
References
22 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for crowbar, crowbar-core, crowbar-ha, crowbar-init, crowbar-openstack, crowbar-ui",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for crowbar, crowbar-ha, crowbar-init, crowbar-openstack, crowbar-ui fixes the following issues:\n\nThis security issues was fixed:\n\n- CVE-2018-3760: Upgrade rubygem-sprockets to prevent an information leak.\n Specially crafted requests could have been be used to access files that exists\n on the filesystem that is outside an application\u0027s root directory, when the\n Sprockets server is used in production (bsc#1098369).\n- CVE-2016-861: Add rate limiting for glance api (bsc#1005886)\n\nThese non-security issues were fixed for crowbar:\n\n- upgrade: Lock crowbar-ui before admin upgrade\n- upgrade: Make sure schemas are properly migrated after the upgrade\n- upgrade: No need for database dump before the upgrade\n- upgrade: No need to use crowbar-init during the upgrade\n\nThese non-security issues were fixed for crowbar-core:\n\n- upgrade: Remove pre-upgrade constraints from existing locations\n- upgrade: Show the grep result when checking for not-migrated instances\n- upgrade: Set clone_stateless_services to false on upgrade\n- control_lib: fix host allocation check\n- Fix exception handling in get_log_lines\n- apache: copytruncate apache logs bsc#1083093\n- upgrade: Refresh repos before crowbar-ui update (bsc#1099392)\n- upgrade: Reset RabbitMQ nodes during upgrade\n- upgrade: Do not allow cinder-volume on compute nodes\n- upgrade: Wait until all nova-compute services are up before evacuation\n- upgrade: Save the information which set of nodes should be upgraded\n- Let skip_unready_nodes skip also nodes that are in crowbar_upgrade state\n- upgrade: Add missing brackets checking for nodes\n- upgrade: Make sure postponed nodes can be skipped when applying proposal\n- upgrade: When the upgrade is not finished, show a link to wizard\n- upgrade: Correctly delete remaining upgrade scripts\n- upgrade: Wait for services shutdown to finish\n- upgrade: Unlock crowbar-ui after completed upgrade\n- upgrade: Stop cron before stopping any other service\n- upgrade: Provide better information after the failure\n- upgrade: Report missing scripts\n- upgrade: Better check for upgraded nodes - do not rely on state\n- upgrade: Improve error messages with lists\n- upgrade: Check input is a valid node for nodes\n- upgrade: Delete upgrade scripts really at the end of upgrade\n- upgrade: Increase the timeout for deleting pacemaker resources\n- upgrade: Adapt the check for upgraded? value\n- upgrade: Move step to mark the admin upgrade end\n- upgrade: Do not finalize nodes that are not upgraded\n- upgrade: Fix file layout for rails\u0027 autoloading (bsc#1096759)\n- upgrade: Deleting cinder services from database no longer needed\n- upgrade: Allow postpone and resume of compute nodes upgrade\n- upgrade: Allow the access to controller actions when upgrade is postponed\n- upgrade: Finalize upgrade of controller nodes after they are done\n- upgrade: Added API calls for postponing/resuming compute nodes upgrade\n- upgrade: Unblock upgrade status API in Cloud8\n- upgrade: Do not end admin step while it is still running (bsc#1095420)\n- upgrade: Adapt ceph-related checks to 7-8 upgrade\n- upgrade: Allow running schema migrations on upgrade\n- upgrade: Fix platform retrieval\n\nThese non-security issues were fixed for crowbar-ha:\n\n- pacemaker: allow multiple meta parameters (bsc#1093898)\n- haproxy: active-active mode, just one VIP\n\nThese non-security issues were fixed for crowbar-openstack:\n\n- Synchronize SSL in the cluster (bsc#1081518)\n- neutron: add force_metadata attribute\n- rabbitmq: set client timout to default value\n- /etc/sysctl.d/99-sysctl.conf is a symlink to /etc/sysctl.conf\n- Do not automatically put manila-share roles to compute nodes\n- rabbitmq: check for rabbit readiness\n- rabbitmq: Make sure rabbit is running on cluster\n- monasca: various monasca-installer improvements\n- monasca: reduce monasca-installer runs (bsc#1096043)\n- manila: Correct field name for cluster name\n- Do not mark [:nova][:db_synced] too early\n- nova: Do not do partial online migrations, that was Newton specific\n- monasca: add elasticsearch tunables (bsc#1090336)\n- copytruncate apache logs instead of creating\n- rabbitmq: Better dependency check\n- aodh: Add config for alarm_history_ttl (bsc#1073703)\n- upgrade: cinder: run live migrations at correct rev\n\nThese non-security issues were fixed for crowbar-ui:\n\n- upgrade: Dummy backend for status testing\n- upgrade: Refactor postpone nodes upgrade\n- upgrade: Allow interruption of status wait loop\n- upgrade: Added ability to postpone upgrade nodes\n- upgrade: Add ability to postpone upgrade nodes\n- upgrade: Add ability to postpone upgrade nodes\n- upgrade: Add ability to postpone upgrade nodes\n- Add ability to postpone upgrade\n- upgrade: Remove openstack precheck\n- upgrade: Fixed error key for ha_configured\n- upgrade: Remove CEPH related code\n- Remove the non-essential database-configuration controller\n- remove ui typo test\n- Remove database configuration option\n- upgrade: Update SUSE-OpenStack-Cloud-8 label\n- upgrade: Update admin and nodes repo names\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-OpenStack-Cloud-Crowbar-8-2018-1928",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2018_2762-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2018:2762-1",
"url": "https://www.suse.com/support/update/announcement/2018/suse-su-20182762-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2018:2762-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2018-September/004567.html"
},
{
"category": "self",
"summary": "SUSE Bug 1005886",
"url": "https://bugzilla.suse.com/1005886"
},
{
"category": "self",
"summary": "SUSE Bug 1073703",
"url": "https://bugzilla.suse.com/1073703"
},
{
"category": "self",
"summary": "SUSE Bug 1081518",
"url": "https://bugzilla.suse.com/1081518"
},
{
"category": "self",
"summary": "SUSE Bug 1083093",
"url": "https://bugzilla.suse.com/1083093"
},
{
"category": "self",
"summary": "SUSE Bug 1090336",
"url": "https://bugzilla.suse.com/1090336"
},
{
"category": "self",
"summary": "SUSE Bug 1093898",
"url": "https://bugzilla.suse.com/1093898"
},
{
"category": "self",
"summary": "SUSE Bug 1095420",
"url": "https://bugzilla.suse.com/1095420"
},
{
"category": "self",
"summary": "SUSE Bug 1096043",
"url": "https://bugzilla.suse.com/1096043"
},
{
"category": "self",
"summary": "SUSE Bug 1096759",
"url": "https://bugzilla.suse.com/1096759"
},
{
"category": "self",
"summary": "SUSE Bug 1098369",
"url": "https://bugzilla.suse.com/1098369"
},
{
"category": "self",
"summary": "SUSE Bug 1099392",
"url": "https://bugzilla.suse.com/1099392"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2016-8611 page",
"url": "https://www.suse.com/security/cve/CVE-2016-8611/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-3760 page",
"url": "https://www.suse.com/security/cve/CVE-2018-3760/"
}
],
"title": "Security update for crowbar, crowbar-core, crowbar-ha, crowbar-init, crowbar-openstack, crowbar-ui",
"tracking": {
"current_release_date": "2018-09-20T06:04:40Z",
"generator": {
"date": "2018-09-20T06:04:40Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2018:2762-1",
"initial_release_date": "2018-09-20T06:04:40Z",
"revision_history": [
{
"date": "2018-09-20T06:04:40Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "crowbar-5.0+git.1528696845.81a7b5d0-3.3.1.noarch",
"product": {
"name": "crowbar-5.0+git.1528696845.81a7b5d0-3.3.1.noarch",
"product_id": "crowbar-5.0+git.1528696845.81a7b5d0-3.3.1.noarch"
}
},
{
"category": "product_version",
"name": "crowbar-devel-5.0+git.1528696845.81a7b5d0-3.3.1.noarch",
"product": {
"name": "crowbar-devel-5.0+git.1528696845.81a7b5d0-3.3.1.noarch",
"product_id": "crowbar-devel-5.0+git.1528696845.81a7b5d0-3.3.1.noarch"
}
},
{
"category": "product_version",
"name": "crowbar-ha-5.0+git.1530177874.35b9099-3.3.1.noarch",
"product": {
"name": "crowbar-ha-5.0+git.1530177874.35b9099-3.3.1.noarch",
"product_id": "crowbar-ha-5.0+git.1530177874.35b9099-3.3.1.noarch"
}
},
{
"category": "product_version",
"name": "crowbar-init-5.0+git.1520420379.d5bbb35-3.3.1.noarch",
"product": {
"name": "crowbar-init-5.0+git.1520420379.d5bbb35-3.3.1.noarch",
"product_id": "crowbar-init-5.0+git.1520420379.d5bbb35-3.3.1.noarch"
}
},
{
"category": "product_version",
"name": "crowbar-openstack-5.0+git.1534167599.d325ef804-4.8.2.noarch",
"product": {
"name": "crowbar-openstack-5.0+git.1534167599.d325ef804-4.8.2.noarch",
"product_id": "crowbar-openstack-5.0+git.1534167599.d325ef804-4.8.2.noarch"
}
},
{
"category": "product_version",
"name": "crowbar-ui-1.2.0+git.1533844061.4ac8e723-3.3.1.noarch",
"product": {
"name": "crowbar-ui-1.2.0+git.1533844061.4ac8e723-3.3.1.noarch",
"product_id": "crowbar-ui-1.2.0+git.1533844061.4ac8e723-3.3.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "crowbar-core-5.0+git.1533887407.6e9b0412d-3.8.2.x86_64",
"product": {
"name": "crowbar-core-5.0+git.1533887407.6e9b0412d-3.8.2.x86_64",
"product_id": "crowbar-core-5.0+git.1533887407.6e9b0412d-3.8.2.x86_64"
}
},
{
"category": "product_version",
"name": "crowbar-core-branding-upstream-5.0+git.1533887407.6e9b0412d-3.8.2.x86_64",
"product": {
"name": "crowbar-core-branding-upstream-5.0+git.1533887407.6e9b0412d-3.8.2.x86_64",
"product_id": "crowbar-core-branding-upstream-5.0+git.1533887407.6e9b0412d-3.8.2.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE OpenStack Cloud Crowbar 8",
"product": {
"name": "SUSE OpenStack Cloud Crowbar 8",
"product_id": "SUSE OpenStack Cloud Crowbar 8",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse-openstack-cloud-crowbar:8"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "crowbar-5.0+git.1528696845.81a7b5d0-3.3.1.noarch as component of SUSE OpenStack Cloud Crowbar 8",
"product_id": "SUSE OpenStack Cloud Crowbar 8:crowbar-5.0+git.1528696845.81a7b5d0-3.3.1.noarch"
},
"product_reference": "crowbar-5.0+git.1528696845.81a7b5d0-3.3.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "crowbar-core-5.0+git.1533887407.6e9b0412d-3.8.2.x86_64 as component of SUSE OpenStack Cloud Crowbar 8",
"product_id": "SUSE OpenStack Cloud Crowbar 8:crowbar-core-5.0+git.1533887407.6e9b0412d-3.8.2.x86_64"
},
"product_reference": "crowbar-core-5.0+git.1533887407.6e9b0412d-3.8.2.x86_64",
"relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "crowbar-core-branding-upstream-5.0+git.1533887407.6e9b0412d-3.8.2.x86_64 as component of SUSE OpenStack Cloud Crowbar 8",
"product_id": "SUSE OpenStack Cloud Crowbar 8:crowbar-core-branding-upstream-5.0+git.1533887407.6e9b0412d-3.8.2.x86_64"
},
"product_reference": "crowbar-core-branding-upstream-5.0+git.1533887407.6e9b0412d-3.8.2.x86_64",
"relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "crowbar-devel-5.0+git.1528696845.81a7b5d0-3.3.1.noarch as component of SUSE OpenStack Cloud Crowbar 8",
"product_id": "SUSE OpenStack Cloud Crowbar 8:crowbar-devel-5.0+git.1528696845.81a7b5d0-3.3.1.noarch"
},
"product_reference": "crowbar-devel-5.0+git.1528696845.81a7b5d0-3.3.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "crowbar-ha-5.0+git.1530177874.35b9099-3.3.1.noarch as component of SUSE OpenStack Cloud Crowbar 8",
"product_id": "SUSE OpenStack Cloud Crowbar 8:crowbar-ha-5.0+git.1530177874.35b9099-3.3.1.noarch"
},
"product_reference": "crowbar-ha-5.0+git.1530177874.35b9099-3.3.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "crowbar-init-5.0+git.1520420379.d5bbb35-3.3.1.noarch as component of SUSE OpenStack Cloud Crowbar 8",
"product_id": "SUSE OpenStack Cloud Crowbar 8:crowbar-init-5.0+git.1520420379.d5bbb35-3.3.1.noarch"
},
"product_reference": "crowbar-init-5.0+git.1520420379.d5bbb35-3.3.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "crowbar-openstack-5.0+git.1534167599.d325ef804-4.8.2.noarch as component of SUSE OpenStack Cloud Crowbar 8",
"product_id": "SUSE OpenStack Cloud Crowbar 8:crowbar-openstack-5.0+git.1534167599.d325ef804-4.8.2.noarch"
},
"product_reference": "crowbar-openstack-5.0+git.1534167599.d325ef804-4.8.2.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "crowbar-ui-1.2.0+git.1533844061.4ac8e723-3.3.1.noarch as component of SUSE OpenStack Cloud Crowbar 8",
"product_id": "SUSE OpenStack Cloud Crowbar 8:crowbar-ui-1.2.0+git.1533844061.4ac8e723-3.3.1.noarch"
},
"product_reference": "crowbar-ui-1.2.0+git.1533844061.4ac8e723-3.3.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2016-8611",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2016-8611"
}
],
"notes": [
{
"category": "general",
"text": "A vulnerability was found in Openstack Glance. No limits are enforced within the Glance image service for both v1 and v2 `/images` API POST method for authenticated users, resulting in possible denial of service attacks through database table saturation.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE OpenStack Cloud Crowbar 8:crowbar-5.0+git.1528696845.81a7b5d0-3.3.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-core-5.0+git.1533887407.6e9b0412d-3.8.2.x86_64",
"SUSE OpenStack Cloud Crowbar 8:crowbar-core-branding-upstream-5.0+git.1533887407.6e9b0412d-3.8.2.x86_64",
"SUSE OpenStack Cloud Crowbar 8:crowbar-devel-5.0+git.1528696845.81a7b5d0-3.3.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-ha-5.0+git.1530177874.35b9099-3.3.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-init-5.0+git.1520420379.d5bbb35-3.3.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-openstack-5.0+git.1534167599.d325ef804-4.8.2.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-ui-1.2.0+git.1533844061.4ac8e723-3.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2016-8611",
"url": "https://www.suse.com/security/cve/CVE-2016-8611"
},
{
"category": "external",
"summary": "SUSE Bug 1005886 for CVE-2016-8611",
"url": "https://bugzilla.suse.com/1005886"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE OpenStack Cloud Crowbar 8:crowbar-5.0+git.1528696845.81a7b5d0-3.3.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-core-5.0+git.1533887407.6e9b0412d-3.8.2.x86_64",
"SUSE OpenStack Cloud Crowbar 8:crowbar-core-branding-upstream-5.0+git.1533887407.6e9b0412d-3.8.2.x86_64",
"SUSE OpenStack Cloud Crowbar 8:crowbar-devel-5.0+git.1528696845.81a7b5d0-3.3.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-ha-5.0+git.1530177874.35b9099-3.3.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-init-5.0+git.1520420379.d5bbb35-3.3.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-openstack-5.0+git.1534167599.d325ef804-4.8.2.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-ui-1.2.0+git.1533844061.4ac8e723-3.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
},
"products": [
"SUSE OpenStack Cloud Crowbar 8:crowbar-5.0+git.1528696845.81a7b5d0-3.3.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-core-5.0+git.1533887407.6e9b0412d-3.8.2.x86_64",
"SUSE OpenStack Cloud Crowbar 8:crowbar-core-branding-upstream-5.0+git.1533887407.6e9b0412d-3.8.2.x86_64",
"SUSE OpenStack Cloud Crowbar 8:crowbar-devel-5.0+git.1528696845.81a7b5d0-3.3.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-ha-5.0+git.1530177874.35b9099-3.3.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-init-5.0+git.1520420379.d5bbb35-3.3.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-openstack-5.0+git.1534167599.d325ef804-4.8.2.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-ui-1.2.0+git.1533844061.4ac8e723-3.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2018-09-20T06:04:40Z",
"details": "low"
}
],
"title": "CVE-2016-8611"
},
{
"cve": "CVE-2018-3760",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-3760"
}
],
"notes": [
{
"category": "general",
"text": "There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exists on the filesystem that is outside an application\u0027s root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE OpenStack Cloud Crowbar 8:crowbar-5.0+git.1528696845.81a7b5d0-3.3.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-core-5.0+git.1533887407.6e9b0412d-3.8.2.x86_64",
"SUSE OpenStack Cloud Crowbar 8:crowbar-core-branding-upstream-5.0+git.1533887407.6e9b0412d-3.8.2.x86_64",
"SUSE OpenStack Cloud Crowbar 8:crowbar-devel-5.0+git.1528696845.81a7b5d0-3.3.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-ha-5.0+git.1530177874.35b9099-3.3.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-init-5.0+git.1520420379.d5bbb35-3.3.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-openstack-5.0+git.1534167599.d325ef804-4.8.2.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-ui-1.2.0+git.1533844061.4ac8e723-3.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-3760",
"url": "https://www.suse.com/security/cve/CVE-2018-3760"
},
{
"category": "external",
"summary": "SUSE Bug 1098369 for CVE-2018-3760",
"url": "https://bugzilla.suse.com/1098369"
},
{
"category": "external",
"summary": "SUSE Bug 1182167 for CVE-2018-3760",
"url": "https://bugzilla.suse.com/1182167"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE OpenStack Cloud Crowbar 8:crowbar-5.0+git.1528696845.81a7b5d0-3.3.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-core-5.0+git.1533887407.6e9b0412d-3.8.2.x86_64",
"SUSE OpenStack Cloud Crowbar 8:crowbar-core-branding-upstream-5.0+git.1533887407.6e9b0412d-3.8.2.x86_64",
"SUSE OpenStack Cloud Crowbar 8:crowbar-devel-5.0+git.1528696845.81a7b5d0-3.3.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-ha-5.0+git.1530177874.35b9099-3.3.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-init-5.0+git.1520420379.d5bbb35-3.3.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-openstack-5.0+git.1534167599.d325ef804-4.8.2.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-ui-1.2.0+git.1533844061.4ac8e723-3.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"SUSE OpenStack Cloud Crowbar 8:crowbar-5.0+git.1528696845.81a7b5d0-3.3.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-core-5.0+git.1533887407.6e9b0412d-3.8.2.x86_64",
"SUSE OpenStack Cloud Crowbar 8:crowbar-core-branding-upstream-5.0+git.1533887407.6e9b0412d-3.8.2.x86_64",
"SUSE OpenStack Cloud Crowbar 8:crowbar-devel-5.0+git.1528696845.81a7b5d0-3.3.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-ha-5.0+git.1530177874.35b9099-3.3.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-init-5.0+git.1520420379.d5bbb35-3.3.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-openstack-5.0+git.1534167599.d325ef804-4.8.2.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-ui-1.2.0+git.1533844061.4ac8e723-3.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2018-09-20T06:04:40Z",
"details": "important"
}
],
"title": "CVE-2018-3760"
}
]
}
WID-SEC-W-2025-1086
Vulnerability from csaf_certbund - Published: 2018-07-24 22:00 - Updated: 2025-05-18 22:00Summary
Red Hat Enterprise Linux: Schwachstelle ermöglicht Offenlegung von Informationen
Severity
Mittel
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung: Die Produkte der Red Hat Enterprise Linux Produktfamilie sind Linux-Distribution der Firma Red Hat.
Angriff: Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Red Hat Enterprise Linux ausnutzen, um Informationen offenzulegen.
Betroffene Betriebssysteme: - Linux
Affected products
Known affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
SUSE openSUSE
SUSE
|
cpe:/o:suse:opensuse:-
|
— |
References
9 references
{
"document": {
"aggregate_severity": {
"text": "mittel"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Die Produkte der Red Hat Enterprise Linux Produktfamilie sind Linux-Distribution der Firma Red Hat.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Red Hat Enterprise Linux ausnutzen, um Informationen offenzulegen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2025-1086 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2018/wid-sec-w-2025-1086.json"
},
{
"category": "self",
"summary": "WID-SEC-2025-1086 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-1086"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2018:2244 vom 2018-07-24",
"url": "https://access.redhat.com/errata/RHSA-2018:2244"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2018:2245 vom 2018-07-24",
"url": "https://access.redhat.com/errata/RHSA-2018:2245"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2018:2561 vom 2018-09-05",
"url": "https://access.redhat.com/errata/RHSA-2018:2561"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2018:2745 vom 2018-09-27",
"url": "https://access.redhat.com/errata/RHSA-2018:2745"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2018:3073-1 vom 2018-10-08",
"url": "https://www.suse.com/support/update/announcement/2018/suse-su-20183073-1.html"
},
{
"category": "external",
"summary": "openSUSE Security Update OPENSUSE-SU-2025:15127-1 vom 2025-05-18",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/WTUL6Z6BEZPYXPSOOLULWWB5HXRXARXY/"
},
{
"category": "external",
"summary": "openSUSE Security Update OPENSUSE-SU-2025:15128-1 vom 2025-05-18",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/5RRXSPGRXVMLQ5YNC7KQPFZOP56ZV6NB/"
}
],
"source_lang": "en-US",
"title": "Red Hat Enterprise Linux: Schwachstelle erm\u00f6glicht Offenlegung von Informationen",
"tracking": {
"current_release_date": "2025-05-18T22:00:00.000+00:00",
"generator": {
"date": "2025-05-19T08:27:28.987+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.12"
}
},
"id": "WID-SEC-W-2025-1086",
"initial_release_date": "2018-07-24T22:00:00.000+00:00",
"revision_history": [
{
"date": "2018-07-24T22:00:00.000+00:00",
"number": "1",
"summary": "Initial Release"
},
{
"date": "2018-07-24T22:00:00.000+00:00",
"number": "2",
"summary": "Version nicht vorhanden"
},
{
"date": "2018-08-02T22:00:00.000+00:00",
"number": "3",
"summary": "Added references"
},
{
"date": "2018-08-02T22:00:00.000+00:00",
"number": "4",
"summary": "Version nicht vorhanden"
},
{
"date": "2018-09-04T22:00:00.000+00:00",
"number": "5",
"summary": "New remediations available"
},
{
"date": "2018-09-26T22:00:00.000+00:00",
"number": "6",
"summary": "New remediations available"
},
{
"date": "2018-10-08T22:00:00.000+00:00",
"number": "7",
"summary": "New remediations available"
},
{
"date": "2018-10-09T22:00:00.000+00:00",
"number": "8",
"summary": "?"
},
{
"date": "2025-05-18T22:00:00.000+00:00",
"number": "9",
"summary": "Neue Updates von openSUSE aufgenommen"
}
],
"status": "final",
"version": "9"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux",
"product": {
"name": "Red Hat Enterprise Linux",
"product_id": "67646",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:-"
}
}
}
],
"category": "vendor",
"name": "Red Hat"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux",
"product": {
"name": "SUSE Linux",
"product_id": "T002207",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse_linux:-"
}
}
},
{
"category": "product_name",
"name": "SUSE openSUSE",
"product": {
"name": "SUSE openSUSE",
"product_id": "T027843",
"product_identification_helper": {
"cpe": "cpe:/o:suse:opensuse:-"
}
}
}
],
"category": "vendor",
"name": "SUSE"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-3760",
"product_status": {
"known_affected": [
"T002207",
"67646",
"T027843"
]
},
"release_date": "2018-07-24T22:00:00.000+00:00",
"title": "CVE-2018-3760"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…