CVE-2019-3685 (GCVE-0-2019-3685)
Vulnerability from cvelistv5 – Published: 2019-11-05 09:30 – Updated: 2024-09-16 16:49
VLAI?
EPSS
Title
Missing TLS certificate validation for HTTPS connections in osc
Summary
Open Build Service before version 0.165.4 didn't validate TLS certificates for HTTPS connections made by the osc client binary
Severity ?
7.4 (High)
CWE
- CWE-295 - Improper Certificate Validation
Assigner
References
| URL | Tags |
|---|---|
| https://bugzilla.suse.com/show_bug.cgi?id=1142518 | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Open Build Service | Open Build Service | Affected: unspecified, < 0.165.4 (custom) |
Date Public ?
2019-07-23 00:00
Credits
Wolfgang Frisch of SUSE
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T19:19:16.818Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1142518"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Open Build Service",
"vendor": "Open Build Service",
"versions": [
{
"lessThan": "0.165.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Wolfgang Frisch of SUSE"
}
],
"datePublic": "2019-07-23T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Open Build Service before version 0.165.4 diddn\u0027t validate TLS certificates for HTTPS connections with the osc client binary"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295: Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-05T09:30:41.000Z",
"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
"shortName": "suse"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1142518"
}
],
"source": {
"advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1142518",
"defect": [
"1142518"
],
"discovery": "INTERNAL"
},
"title": "Missing TLS certificate validation for HTTPS connections in osc",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@suse.com",
"DATE_PUBLIC": "2019-07-23T00:00:00.000Z",
"ID": "CVE-2019-3685",
"STATE": "PUBLIC",
"TITLE": "Missing TLS certificate validation for HTTPS connections in osc"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Open Build Service",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "0.165.4"
}
]
}
}
]
},
"vendor_name": "Open Build Service"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Wolfgang Frisch of SUSE"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Open Build Service before version 0.165.4 diddn\u0027t validate TLS certificates for HTTPS connections with the osc client binary"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-295: Improper Certificate Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.suse.com/show_bug.cgi?id=1142518",
"refsource": "CONFIRM",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1142518"
}
]
},
"source": {
"advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1142518",
"defect": [
"1142518"
],
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
"assignerShortName": "suse",
"cveId": "CVE-2019-3685",
"datePublished": "2019-11-05T09:30:41.212Z",
"dateReserved": "2019-01-03T00:00:00.000Z",
"dateUpdated": "2024-09-16T16:49:06.631Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2019-3685",
"date": "2026-04-20",
"epss": "0.0018",
"percentile": "0.39555"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2019-3685\",\"sourceIdentifier\":\"meissner@suse.de\",\"published\":\"2019-11-05T10:15:12.653\",\"lastModified\":\"2024-11-21T04:42:19.757\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Open Build Service before version 0.165.4 diddn\u0027t validate TLS certificates for HTTPS connections with the osc client binary\"},{\"lang\":\"es\",\"value\":\"Open Build Service anterior a la versi\u00f3n 0.165.4, no valid\u00f3 los certificados TLS para las conexiones HTTPS con el binario del cliente osc\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"meissner@suse.de\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":7.4,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":5.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L\",\"baseScore\":7.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.2,\"impactScore\":5.5}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:P\",\"baseScore\":6.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6
,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"meissner@suse.de\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-295\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-295\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:opensuse:open_build_service:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.165.4\",\"matchCriteriaId\":\"7D01CFBC-5D13-45F7-B49A-59605D139704\"}]}]}],\"references\":[{\"url\":\"https://bugzilla.suse.com/show_bug.cgi?id=1142518\",\"source\":\"meissner@suse.de\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://bugzilla.suse.com/show_bug.cgi?id=1142518\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Patch\",\"Vendor Advisory\"]}]}}"
}
}
BDU:2020-01354
Vulnerability from fstec - Published: 05.11.2019
VLAI Severity ?
Title
Уязвимость программной платформы Open Build Service, связанная с ошибками подтверждения подлинности сертификата, позволяющая нарушителю обойти существующие ограничения безопасности и реализовать атаку типа «человек посередине»
Description
Уязвимость программной платформы Open Build Service связана с ошибками подтверждения подлинности сертификата. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, обойти существующие ограничения безопасности и реализовать атаку типа «человек посередине»
Severity ?
Vendor
Novell Inc.
Software Name
SUSE Linux Enterprise Module for Open Buildservice Development Tools, OpenSUSE Leap
Software Version
15 SP1 (SUSE Linux Enterprise Module for Open Buildservice Development Tools), 15.1 (OpenSUSE Leap)
Possible Mitigations
Использование рекомендаций производителя:
https://www.suse.com/security/cve/CVE-2019-3685/
Reference
https://www.suse.com/security/cve/CVE-2019-3685/
https://nvd.nist.gov/vuln/detail/CVE-2019-3685
CWE
CWE-295
{
"CVSS 2.0": "AV:N/AC:M/Au:N/C:C/I:C/A:P",
"CVSS 3.0": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L",
"CVSS 4.0": null,
"remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
"remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
"\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Novell Inc.",
"\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "15 SP1 (SUSE Linux Enterprise Module for Open Buildservice Development Tools), 15.1 (OpenSUSE Leap)",
"\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f:\nhttps://www.suse.com/security/cve/CVE-2019-3685/",
"\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "05.11.2019",
"\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "01.06.2020",
"\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "10.04.2020",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2020-01354",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2019-3685",
"\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
"\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0430\u0440\u0445\u0438\u0442\u0435\u043a\u0442\u0443\u0440\u044b",
"\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "SUSE Linux Enterprise Module for Open Buildservice Development Tools, OpenSUSE Leap",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "Novell Inc. OpenSUSE Leap 15.1 ",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u044b Open Build Service, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u043e\u0448\u0438\u0431\u043a\u0430\u043c\u0438 \u043f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0438\u044f \u043f\u043e\u0434\u043b\u0438\u043d\u043d\u043e\u0441\u0442\u0438 \u0441\u0435\u0440\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u0430, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043e\u0431\u043e\u0439\u0442\u0438 \u0441\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u044e\u0449\u0438\u0435 \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u044f \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0438 \u0440\u0435\u0430\u043b\u0438\u0437\u043e\u0432\u0430\u0442\u044c \u0430\u0442\u0430\u043a\u0443 \u0442\u0438\u043f\u0430 \u00ab\u0447\u0435\u043b\u043e\u0432\u0435\u043a \u043f\u043e\u0441\u0435\u0440\u0435\u0434\u0438\u043d\u0435\u00bb",
"\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0421\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u0432 \u043e\u0442\u043a\u0440\u044b\u0442\u043e\u043c \u0434\u043e\u0441\u0442\u0443\u043f\u0435",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u043e\u0435 \u043f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0438\u0435 \u043f\u043e\u0434\u043b\u0438\u043d\u043d\u043e\u0441\u0442\u0438 \u0441\u0435\u0440\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u0430 (CWE-295)",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u044b Open Build Service \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043e\u0448\u0438\u0431\u043a\u0430\u043c\u0438 \u043f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0438\u044f \u043f\u043e\u0434\u043b\u0438\u043d\u043d\u043e\u0441\u0442\u0438 \u0441\u0435\u0440\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u0430. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u043e\u0431\u043e\u0439\u0442\u0438 \u0441\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u044e\u0449\u0438\u0435 \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u044f \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0438 \u0440\u0435\u0430\u043b\u0438\u0437\u043e\u0432\u0430\u0442\u044c \u0430\u0442\u0430\u043a\u0443 \u0442\u0438\u043f\u0430 \u00ab\u0447\u0435\u043b\u043e\u0432\u0435\u043a \u043f\u043e\u0441\u0435\u0440\u0435\u0434\u0438\u043d\u0435\u00bb",
"\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
"\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
"\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041f\u043e\u0434\u043c\u0435\u043d\u0430 \u043f\u0440\u0438 \u0432\u0437\u0430\u0438\u043c\u043e\u0434\u0435\u0439\u0441\u0442\u0432\u0438\u0438",
"\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://www.suse.com/security/cve/CVE-2019-3685/\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-3685",
"\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
"\u0422\u0438\u043f \u041f\u041e": "\u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c, \u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430",
"\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-295",
"\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 9)\n\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,7)"
}
SUSE-SU-2022:4351-1
Vulnerability from csaf_suse - Published: 2022-12-07 16:38 - Updated: 2022-12-07 16:38
Summary
Security update for osc
Severity
Important
Notes
Title of the patch: Security update for osc
Description of the patch: This update for osc fixes the following issues:
osc was updated to version 0.182.0 (bsc#1154972, bsc#1144211, bsc#1142662, bsc#1140697, bsc#1138165):
- Added MFA support (jsc#OBS-203).
- CVE-2019-3681: Fixed vulnerability where osc stored downloaded RPMs in network controlled paths (bsc#1122675).
- CVE-2019-3685: Fixed broken TLS certificate handling (bsc#1142518).
Bugfixes:
- Removed use of chardet to guess encoding. Utf-8 or latin-1 is now assumed, which will speed up decoding (bsc#1173926).
- Added helper method _html_escape to enable python3.8 and python2.* compatibility (bsc#1166537).
- Added MR creation to honor orev (bsc#1160446).
- Fixed local build outside of the working copy of a package (bsc#1136584).
- Don't enforce password reuse (bsc#1156501).
- osc vc --file=foo bar.changes now writes the content from foo into bar.changes instead of creating a new file (bsc#1155953).
- Fixed decoding on osc lbl (bsc#1137477).
- Simplified and fixed osc meta -e (bsc#1138977).
- osc lbl now works with non utf8 encoding (bsc#1129889).
- Added full python3 compatibility (bsc#1125243, bsc#1131512, bsc#1129757).
- Fixed slowdown of rbl with readline(bufsize) function (bsc#1127932).
- Fixed osc build -p dir TypeError (bsc#1126055).
- Fixed osc buildinfo -p TypeError (bsc#1126058).
- Added new options --unexpand and --meta to diff command (bsc#1089025).
- Fixed Requires to python-base which does not contain ssl.py (bsc#1097996).
Patchnames: SUSE-2022-4351,SUSE-SLE-SDK-12-SP5-2022-4351
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
CVE-2019-3681: 4.2 (Medium)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
CVE-2019-3685: 7.4 (High)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
References
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for osc",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for osc fixes the following issues:\n\n osc was updated to version 0.182.0 (bsc#1154972, bsc#1144211, bsc#1142662, bsc#1140697, bsc#1138165):\n\n - Added MFA support (jsc#OBS-203).\n - CVE-2019-3681: Fixed vulnerability where osc stored downloaded RPMs in network controlled paths (bsc#1122675).\n - CVE-2019-3685: Fixed broken TLS certificate handling (bsc#1142518). \n\n Bugfixes:\n - Removed use of chardet to guess encoding. Utf-8 or latin-1 is now assumed, which will speed up decoding (bsc#1173926).\n - Added helper method _html_escape to enable python3.8 and python2.* compatibility (bsc#1166537).\n - Added MR creation to honor orev (bsc#1160446).\n - Fixed local build outside of the working copy of a package (bsc#1136584).\n - Don\u0027t enforce password reuse (bsc#1156501).\n - osc vc --file=foo bar.changes now writes the content from foo into bar.changes instead of creating a new file (bsc#1155953).\n - Fixed decoding on osc lbl (bsc#1137477).\n - Simplified and fixed osc meta -e (bsc#1138977).\n - osc lbl now works with non utf8 encoding (bsc#1129889).\n - Added full python3 compatibility (bsc#1125243, bsc#1131512, bsc#1129757).\n - Fixed slowdown of rbl with readline(bufsize) function (bsc#1127932).\n - Fixed osc build -p dir TypeError (bsc#1126055).\n - Fixed osc buildinfo -p TypeError (bsc#1126058).\n - Added new options --unexpand and --meta to diff command (bsc#1089025).\n - Fixed Requires to python-base which does not contain ssl.py (bsc#1097996).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2022-4351,SUSE-SLE-SDK-12-SP5-2022-4351",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2022_4351-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2022:4351-1",
"url": "https://www.suse.com/support/update/announcement/2022/suse-su-20224351-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2022:4351-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2022-December/013202.html"
},
{
"category": "self",
"summary": "SUSE Bug 1089025",
"url": "https://bugzilla.suse.com/1089025"
},
{
"category": "self",
"summary": "SUSE Bug 1097996",
"url": "https://bugzilla.suse.com/1097996"
},
{
"category": "self",
"summary": "SUSE Bug 1122675",
"url": "https://bugzilla.suse.com/1122675"
},
{
"category": "self",
"summary": "SUSE Bug 1125243",
"url": "https://bugzilla.suse.com/1125243"
},
{
"category": "self",
"summary": "SUSE Bug 1126055",
"url": "https://bugzilla.suse.com/1126055"
},
{
"category": "self",
"summary": "SUSE Bug 1126058",
"url": "https://bugzilla.suse.com/1126058"
},
{
"category": "self",
"summary": "SUSE Bug 1127932",
"url": "https://bugzilla.suse.com/1127932"
},
{
"category": "self",
"summary": "SUSE Bug 1129757",
"url": "https://bugzilla.suse.com/1129757"
},
{
"category": "self",
"summary": "SUSE Bug 1129889",
"url": "https://bugzilla.suse.com/1129889"
},
{
"category": "self",
"summary": "SUSE Bug 1131512",
"url": "https://bugzilla.suse.com/1131512"
},
{
"category": "self",
"summary": "SUSE Bug 1136584",
"url": "https://bugzilla.suse.com/1136584"
},
{
"category": "self",
"summary": "SUSE Bug 1137477",
"url": "https://bugzilla.suse.com/1137477"
},
{
"category": "self",
"summary": "SUSE Bug 1138165",
"url": "https://bugzilla.suse.com/1138165"
},
{
"category": "self",
"summary": "SUSE Bug 1138977",
"url": "https://bugzilla.suse.com/1138977"
},
{
"category": "self",
"summary": "SUSE Bug 1140697",
"url": "https://bugzilla.suse.com/1140697"
},
{
"category": "self",
"summary": "SUSE Bug 1142518",
"url": "https://bugzilla.suse.com/1142518"
},
{
"category": "self",
"summary": "SUSE Bug 1142662",
"url": "https://bugzilla.suse.com/1142662"
},
{
"category": "self",
"summary": "SUSE Bug 1144211",
"url": "https://bugzilla.suse.com/1144211"
},
{
"category": "self",
"summary": "SUSE Bug 1154972",
"url": "https://bugzilla.suse.com/1154972"
},
{
"category": "self",
"summary": "SUSE Bug 1155953",
"url": "https://bugzilla.suse.com/1155953"
},
{
"category": "self",
"summary": "SUSE Bug 1156501",
"url": "https://bugzilla.suse.com/1156501"
},
{
"category": "self",
"summary": "SUSE Bug 1160446",
"url": "https://bugzilla.suse.com/1160446"
},
{
"category": "self",
"summary": "SUSE Bug 1166537",
"url": "https://bugzilla.suse.com/1166537"
},
{
"category": "self",
"summary": "SUSE Bug 1173926",
"url": "https://bugzilla.suse.com/1173926"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-3681 page",
"url": "https://www.suse.com/security/cve/CVE-2019-3681/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-3685 page",
"url": "https://www.suse.com/security/cve/CVE-2019-3685/"
}
],
"title": "Security update for osc",
"tracking": {
"current_release_date": "2022-12-07T16:38:34Z",
"generator": {
"date": "2022-12-07T16:38:34Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2022:4351-1",
"initial_release_date": "2022-12-07T16:38:34Z",
"revision_history": [
{
"date": "2022-12-07T16:38:34Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "osc-0.182.0-15.12.1.noarch",
"product": {
"name": "osc-0.182.0-15.12.1.noarch",
"product_id": "osc-0.182.0-15.12.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Software Development Kit 12 SP5",
"product": {
"name": "SUSE Linux Enterprise Software Development Kit 12 SP5",
"product_id": "SUSE Linux Enterprise Software Development Kit 12 SP5",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-sdk:12:sp5"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "osc-0.182.0-15.12.1.noarch as component of SUSE Linux Enterprise Software Development Kit 12 SP5",
"product_id": "SUSE Linux Enterprise Software Development Kit 12 SP5:osc-0.182.0-15.12.1.noarch"
},
"product_reference": "osc-0.182.0-15.12.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Software Development Kit 12 SP5"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2019-3681",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-3681"
}
],
"notes": [
{
"category": "general",
"text": "A External Control of File Name or Path vulnerability in osc of SUSE Linux Enterprise Module for Development Tools 15, SUSE Linux Enterprise Software Development Kit 12-SP5, SUSE Linux Enterprise Software Development Kit 12-SP4; openSUSE Leap 15.1, openSUSE Factory allowed remote attackers that can change downloaded packages to overwrite arbitrary files. This issue affects: SUSE Linux Enterprise Module for Development Tools 15 osc versions prior to 0.169.1-3.20.1. SUSE Linux Enterprise Software Development Kit 12-SP5 osc versions prior to 0.162.1-15.9.1. SUSE Linux Enterprise Software Development Kit 12-SP4 osc versions prior to 0.162.1-15.9.1. openSUSE Leap 15.1 osc versions prior to 0.169.1-lp151.2.15.1. openSUSE Factory osc versions prior to 0.169.0 .",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Software Development Kit 12 SP5:osc-0.182.0-15.12.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-3681",
"url": "https://www.suse.com/security/cve/CVE-2019-3681"
},
{
"category": "external",
"summary": "SUSE Bug 1122675 for CVE-2019-3681",
"url": "https://bugzilla.suse.com/1122675"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Software Development Kit 12 SP5:osc-0.182.0-15.12.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.0"
},
"products": [
"SUSE Linux Enterprise Software Development Kit 12 SP5:osc-0.182.0-15.12.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2022-12-07T16:38:34Z",
"details": "moderate"
}
],
"title": "CVE-2019-3681"
},
{
"cve": "CVE-2019-3685",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-3685"
}
],
"notes": [
{
"category": "general",
"text": "Open Build Service before version 0.165.4 diddn\u0027t validate TLS certificates for HTTPS connections with the osc client binary",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Software Development Kit 12 SP5:osc-0.182.0-15.12.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-3685",
"url": "https://www.suse.com/security/cve/CVE-2019-3685"
},
{
"category": "external",
"summary": "SUSE Bug 1142518 for CVE-2019-3685",
"url": "https://bugzilla.suse.com/1142518"
},
{
"category": "external",
"summary": "SUSE Bug 1142662 for CVE-2019-3685",
"url": "https://bugzilla.suse.com/1142662"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Software Development Kit 12 SP5:osc-0.182.0-15.12.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.0"
},
"products": [
"SUSE Linux Enterprise Software Development Kit 12 SP5:osc-0.182.0-15.12.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2022-12-07T16:38:34Z",
"details": "important"
}
],
"title": "CVE-2019-3685"
}
]
}
SUSE-SU-2019:2067-1
Vulnerability from csaf_suse - Published: 2019-08-06 15:22 - Updated: 2019-08-06 15:22
Summary
Security update for osc
Severity
Important
Notes
Title of the patch: Security update for osc
Description of the patch: This update for osc to version 0.165.4 fixes the following issues:
Security issue fixed:
- CVE-2019-3685: Fixed broken TLS certificate handling allowing for a Man-in-the-middle attack (bsc#1142518).
Non-security issues fixed:
- support different token operations (runservice, release and rebuild) (requires OBS 2.10)
- fix osc token decode error
- offline build mode is now really offline and does not try to download the buildconfig
- osc build -define now works with python3
- fixes an issue where the error message on osc meta -e was not parsed correctly
- osc maintainer -s now works with python3
- simplified and fixed osc meta -e (bsc#1138977)
- osc lbl now works with non utf8 encoding (bsc#1129889)
- add simpleimage as local build type
- allow optional fork when creating a maintenance request
- fix RPMError fallback
- fix local caching for all package formats
- fix appname for trusted cert store
- osc -h does not break anymore when using plugins
- switch to difflib.diff_bytes and sys.stdout.buffer.write for diffing.
This will fix all decoding issues with osc diff, osc ci and osc rq -d
- fix osc ls -lb handling empty size and mtime
- removed decoding on osc api command.
Patchnames: SUSE-2019-2067,SUSE-SLE-Module-Development-Tools-15-SP1-2019-2067
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.4 (High)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
References
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for osc",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for osc to version 0.165.4 fixes the following issues:\n\nSecurity issue fixed:\n\n- CVE-2019-3685: Fixed broken TLS certificate handling allowing for a Man-in-the-middle attack (bsc#1142518).\n\nNon-security issues fixed:\n\n- support different token operations (runservice, release and rebuild) (requires OBS 2.10)\n- fix osc token decode error\n- offline build mode is now really offline and does not try to download the buildconfig\n- osc build -define now works with python3\n- fixes an issue where the error message on osc meta -e was not parsed correctly\n- osc maintainer -s now works with python3\n- simplified and fixed osc meta -e (bsc#1138977) \n- osc lbl now works with non utf8 encoding (bsc#1129889)\n- add simpleimage as local build type \n- allow optional fork when creating a maintenance request\n- fix RPMError fallback\n- fix local caching for all package formats\n- fix appname for trusted cert store\n- osc -h does not break anymore when using plugins \n- switch to difflib.diff_bytes and sys.stdout.buffer.write for diffing.\n This will fix all decoding issues with osc diff, osc ci and osc rq -d\n- fix osc ls -lb handling empty size and mtime\n- removed decoding on osc api command.\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2019-2067,SUSE-SLE-Module-Development-Tools-15-SP1-2019-2067",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2019_2067-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2019:2067-1",
"url": "https://www.suse.com/support/update/announcement/2019/suse-su-20192067-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2019:2067-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2019-August/005785.html"
},
{
"category": "self",
"summary": "SUSE Bug 1129889",
"url": "https://bugzilla.suse.com/1129889"
},
{
"category": "self",
"summary": "SUSE Bug 1138977",
"url": "https://bugzilla.suse.com/1138977"
},
{
"category": "self",
"summary": "SUSE Bug 1140697",
"url": "https://bugzilla.suse.com/1140697"
},
{
"category": "self",
"summary": "SUSE Bug 1142518",
"url": "https://bugzilla.suse.com/1142518"
},
{
"category": "self",
"summary": "SUSE Bug 1142662",
"url": "https://bugzilla.suse.com/1142662"
},
{
"category": "self",
"summary": "SUSE Bug 1144211",
"url": "https://bugzilla.suse.com/1144211"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-3685 page",
"url": "https://www.suse.com/security/cve/CVE-2019-3685/"
}
],
"title": "Security update for osc",
"tracking": {
"current_release_date": "2019-08-06T15:22:09Z",
"generator": {
"date": "2019-08-06T15:22:09Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2019:2067-1",
"initial_release_date": "2019-08-06T15:22:09Z",
"revision_history": [
{
"date": "2019-08-06T15:22:09Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "osc-0.165.4-3.9.1.noarch",
"product": {
"name": "osc-0.165.4-3.9.1.noarch",
"product_id": "osc-0.165.4-3.9.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Development Tools 15 SP1",
"product": {
"name": "SUSE Linux Enterprise Module for Development Tools 15 SP1",
"product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP1",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-development-tools:15:sp1"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "osc-0.165.4-3.9.1.noarch as component of SUSE Linux Enterprise Module for Development Tools 15 SP1",
"product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP1:osc-0.165.4-3.9.1.noarch"
},
"product_reference": "osc-0.165.4-3.9.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Development Tools 15 SP1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2019-3685",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-3685"
}
],
"notes": [
{
"category": "general",
"text": "Open Build Service before version 0.165.4 diddn\u0027t validate TLS certificates for HTTPS connections with the osc client binary",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Development Tools 15 SP1:osc-0.165.4-3.9.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-3685",
"url": "https://www.suse.com/security/cve/CVE-2019-3685"
},
{
"category": "external",
"summary": "SUSE Bug 1142518 for CVE-2019-3685",
"url": "https://bugzilla.suse.com/1142518"
},
{
"category": "external",
"summary": "SUSE Bug 1142662 for CVE-2019-3685",
"url": "https://bugzilla.suse.com/1142662"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Development Tools 15 SP1:osc-0.165.4-3.9.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.0"
},
"products": [
"SUSE Linux Enterprise Module for Development Tools 15 SP1:osc-0.165.4-3.9.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2019-08-06T15:22:09Z",
"details": "important"
}
],
"title": "CVE-2019-3685"
}
]
}
GHSA-J9GX-CCW3-W6CF
Vulnerability from github – Published: 2022-05-24 17:00 – Updated: 2022-05-24 17:00
Details
Open Build Service before version 0.165.4 didn't validate TLS certificates for HTTPS connections with the osc client binary
{
"affected": [],
"aliases": [
"CVE-2019-3685"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-11-05T10:15:00Z",
"severity": "MODERATE"
},
"details": "Open Build Service before version 0.165.4 diddn\u0027t validate TLS certificates for HTTPS connections with the osc client binary",
"id": "GHSA-j9gx-ccw3-w6cf",
"modified": "2022-05-24T17:00:22Z",
"published": "2022-05-24T17:00:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3685"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1142518"
}
],
"schema_version": "1.4.0",
"severity": []
}
FKIE_CVE-2019-3685
Vulnerability from fkie_nvd - Published: 2019-11-05 10:15 - Updated: 2024-11-21 04:42
Severity
7.4 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
7.7 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
7.7 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
Summary
Open Build Service before version 0.165.4 didn't validate TLS certificates for HTTPS connections with the osc client binary
References
| URL | Tags | ||
|---|---|---|---|
| meissner@suse.de | https://bugzilla.suse.com/show_bug.cgi?id=1142518 | Exploit, Issue Tracking, Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.suse.com/show_bug.cgi?id=1142518 | Exploit, Issue Tracking, Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| opensuse | open_build_service | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:opensuse:open_build_service:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7D01CFBC-5D13-45F7-B49A-59605D139704",
"versionEndExcluding": "0.165.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Open Build Service before version 0.165.4 diddn\u0027t validate TLS certificates for HTTPS connections with the osc client binary"
},
{
"lang": "es",
"value": "Open Build Service anterior a la versi\u00f3n 0.165.4, no valid\u00f3 los certificados TLS para las conexiones HTTPS con el binario del cliente osc"
}
],
"id": "CVE-2019-3685",
"lastModified": "2024-11-21T04:42:19.757",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 5.2,
"source": "meissner@suse.de",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 5.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-11-05T10:15:12.653",
"references": [
{
"source": "meissner@suse.de",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1142518"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1142518"
}
],
"sourceIdentifier": "meissner@suse.de",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-295"
}
],
"source": "meissner@suse.de",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-295"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GSD-2019-3685
Vulnerability from gsd - Updated: 2023-12-13 01:24
Details
Open Build Service before version 0.165.4 didn't validate TLS certificates for HTTPS connections with the osc client binary
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2019-3685",
"description": "Open Build Service before version 0.165.4 diddn\u0027t validate TLS certificates for HTTPS connections with the osc client binary",
"id": "GSD-2019-3685",
"references": [
"https://www.suse.com/security/cve/CVE-2019-3685.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2019-3685"
],
"details": "Open Build Service before version 0.165.4 diddn\u0027t validate TLS certificates for HTTPS connections with the osc client binary",
"id": "GSD-2019-3685",
"modified": "2023-12-13T01:24:03.015020Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security@suse.com",
"DATE_PUBLIC": "2019-07-23T00:00:00.000Z",
"ID": "CVE-2019-3685",
"STATE": "PUBLIC",
"TITLE": "Missing TLS certificate validation for HTTPS connections in osc"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Open Build Service",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "0.165.4"
}
]
}
}
]
},
"vendor_name": "Open Build Service"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Wolfgang Frisch of SUSE"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Open Build Service before version 0.165.4 diddn\u0027t validate TLS certificates for HTTPS connections with the osc client binary"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-295: Improper Certificate Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.suse.com/show_bug.cgi?id=1142518",
"refsource": "CONFIRM",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1142518"
}
]
},
"source": {
"advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1142518",
"defect": [
"1142518"
],
"discovery": "INTERNAL"
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:opensuse:open_build_service:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "0.165.4",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security@suse.com",
"ID": "CVE-2019-3685"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Open Build Service before version 0.165.4 diddn\u0027t validate TLS certificates for HTTPS connections with the osc client binary"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-295"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.suse.com/show_bug.cgi?id=1142518",
"refsource": "CONFIRM",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1142518"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 5.5
}
},
"lastModifiedDate": "2019-11-08T16:35Z",
"publishedDate": "2019-11-05T10:15Z"
}
}
}
OPENSUSE-SU-2019:1844-1
Vulnerability from csaf_opensuse - Published: 2019-08-12 14:08 - Updated: 2019-08-12 14:08
Summary
Security update for osc
Severity
Important
Notes
Title of the patch: Security update for osc
Description of the patch: This update for osc to version 0.165.4 fixes the following issues:
Security issue fixed:
- CVE-2019-3685: Fixed broken TLS certificate handling allowing for a Man-in-the-middle attack (bsc#1142518).
Non-security issues fixed:
- support different token operations (runservice, release and rebuild) (requires OBS 2.10)
- fix osc token decode error
- offline build mode is now really offline and does not try to download the buildconfig
- osc build -define now works with python3
- fixes an issue where the error message on osc meta -e was not parsed correctly
- osc maintainer -s now works with python3
- simplified and fixed osc meta -e (bsc#1138977)
- osc lbl now works with non utf8 encoding (bsc#1129889)
- add simpleimage as local build type
- allow optional fork when creating a maintenance request
- fix RPMError fallback
- fix local caching for all package formats
- fix appname for trusted cert store
- osc -h does not break anymore when using plugins
- switch to difflib.diff_bytes and sys.stdout.buffer.write for diffing.
This will fix all decoding issues with osc diff, osc ci and osc rq -d
- fix osc ls -lb handling empty size and mtime
- removed decoding on osc api command.
This update was imported from the SUSE:SLE-15-SP1:Update update project.
Patchnames: openSUSE-2019-1844
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.4 (High)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
References
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for osc",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for osc to version 0.165.4 fixes the following issues:\n\nSecurity issue fixed:\n\n- CVE-2019-3685: Fixed broken TLS certificate handling allowing for a Man-in-the-middle attack (bsc#1142518).\n\nNon-security issues fixed:\n\n- support different token operations (runservice, release and rebuild) (requires OBS 2.10)\n- fix osc token decode error\n- offline build mode is now really offline and does not try to download the buildconfig\n- osc build -define now works with python3\n- fixes an issue where the error message on osc meta -e was not parsed correctly\n- osc maintainer -s now works with python3\n- simplified and fixed osc meta -e (bsc#1138977) \n- osc lbl now works with non utf8 encoding (bsc#1129889)\n- add simpleimage as local build type \n- allow optional fork when creating a maintenance request\n- fix RPMError fallback\n- fix local caching for all package formats\n- fix appname for trusted cert store\n- osc -h does not break anymore when using plugins \n- switch to difflib.diff_bytes and sys.stdout.buffer.write for diffing.\n This will fix all decoding issues with osc diff, osc ci and osc rq -d\n- fix osc ls -lb handling empty size and mtime\n- removed decoding on osc api command.\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2019-1844",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2019_1844-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2019:1844-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/M2AIZJVEMKESSHPXKBTNWAXKY4GTXTFO/#M2AIZJVEMKESSHPXKBTNWAXKY4GTXTFO"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2019:1844-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/M2AIZJVEMKESSHPXKBTNWAXKY4GTXTFO/#M2AIZJVEMKESSHPXKBTNWAXKY4GTXTFO"
},
{
"category": "self",
"summary": "SUSE Bug 1129889",
"url": "https://bugzilla.suse.com/1129889"
},
{
"category": "self",
"summary": "SUSE Bug 1138977",
"url": "https://bugzilla.suse.com/1138977"
},
{
"category": "self",
"summary": "SUSE Bug 1140697",
"url": "https://bugzilla.suse.com/1140697"
},
{
"category": "self",
"summary": "SUSE Bug 1142518",
"url": "https://bugzilla.suse.com/1142518"
},
{
"category": "self",
"summary": "SUSE Bug 1142662",
"url": "https://bugzilla.suse.com/1142662"
},
{
"category": "self",
"summary": "SUSE Bug 1144211",
"url": "https://bugzilla.suse.com/1144211"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-3685 page",
"url": "https://www.suse.com/security/cve/CVE-2019-3685/"
}
],
"title": "Security update for osc",
"tracking": {
"current_release_date": "2019-08-12T14:08:22Z",
"generator": {
"date": "2019-08-12T14:08:22Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2019:1844-1",
"initial_release_date": "2019-08-12T14:08:22Z",
"revision_history": [
{
"date": "2019-08-12T14:08:22Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "osc-0.165.4-lp151.2.6.1.noarch",
"product": {
"name": "osc-0.165.4-lp151.2.6.1.noarch",
"product_id": "osc-0.165.4-lp151.2.6.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 15.1",
"product": {
"name": "openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.1"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "osc-0.165.4-lp151.2.6.1.noarch as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:osc-0.165.4-lp151.2.6.1.noarch"
},
"product_reference": "osc-0.165.4-lp151.2.6.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2019-3685",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-3685"
}
],
"notes": [
{
"category": "general",
"text": "Open Build Service before version 0.165.4 diddn\u0027t validate TLS certificates for HTTPS connections with the osc client binary",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.1:osc-0.165.4-lp151.2.6.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-3685",
"url": "https://www.suse.com/security/cve/CVE-2019-3685"
},
{
"category": "external",
"summary": "SUSE Bug 1142518 for CVE-2019-3685",
"url": "https://bugzilla.suse.com/1142518"
},
{
"category": "external",
"summary": "SUSE Bug 1142662 for CVE-2019-3685",
"url": "https://bugzilla.suse.com/1142662"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.1:osc-0.165.4-lp151.2.6.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.0"
},
"products": [
"openSUSE Leap 15.1:osc-0.165.4-lp151.2.6.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2019-08-12T14:08:22Z",
"details": "important"
}
],
"title": "CVE-2019-3685"
}
]
}
OPENSUSE-SU-2024:11133-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00
Summary
osc-0.174.0-1.2 on GA media
Severity
Moderate
Notes
Title of the patch: osc-0.174.0-1.2 on GA media
Description of the patch: These are all security issues fixed in the osc-0.174.0-1.2 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2024-11133
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
4.2 (Medium)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
7.4 (High)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
References
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "osc-0.174.0-1.2 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the osc-0.174.0-1.2 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-11133",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_11133-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-3681 page",
"url": "https://www.suse.com/security/cve/CVE-2019-3681/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-3685 page",
"url": "https://www.suse.com/security/cve/CVE-2019-3685/"
}
],
"title": "osc-0.174.0-1.2 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:11133-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "osc-0.174.0-1.2.aarch64",
"product": {
"name": "osc-0.174.0-1.2.aarch64",
"product_id": "osc-0.174.0-1.2.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "osc-0.174.0-1.2.ppc64le",
"product": {
"name": "osc-0.174.0-1.2.ppc64le",
"product_id": "osc-0.174.0-1.2.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "osc-0.174.0-1.2.s390x",
"product": {
"name": "osc-0.174.0-1.2.s390x",
"product_id": "osc-0.174.0-1.2.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "osc-0.174.0-1.2.x86_64",
"product": {
"name": "osc-0.174.0-1.2.x86_64",
"product_id": "osc-0.174.0-1.2.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "osc-0.174.0-1.2.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:osc-0.174.0-1.2.aarch64"
},
"product_reference": "osc-0.174.0-1.2.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osc-0.174.0-1.2.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:osc-0.174.0-1.2.ppc64le"
},
"product_reference": "osc-0.174.0-1.2.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osc-0.174.0-1.2.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:osc-0.174.0-1.2.s390x"
},
"product_reference": "osc-0.174.0-1.2.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osc-0.174.0-1.2.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:osc-0.174.0-1.2.x86_64"
},
"product_reference": "osc-0.174.0-1.2.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2019-3681",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-3681"
}
],
"notes": [
{
"category": "general",
"text": "A External Control of File Name or Path vulnerability in osc of SUSE Linux Enterprise Module for Development Tools 15, SUSE Linux Enterprise Software Development Kit 12-SP5, SUSE Linux Enterprise Software Development Kit 12-SP4; openSUSE Leap 15.1, openSUSE Factory allowed remote attackers that can change downloaded packages to overwrite arbitrary files. This issue affects: SUSE Linux Enterprise Module for Development Tools 15 osc versions prior to 0.169.1-3.20.1. SUSE Linux Enterprise Software Development Kit 12-SP5 osc versions prior to 0.162.1-15.9.1. SUSE Linux Enterprise Software Development Kit 12-SP4 osc versions prior to 0.162.1-15.9.1. openSUSE Leap 15.1 osc versions prior to 0.169.1-lp151.2.15.1. openSUSE Factory osc versions prior to 0.169.0 .",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:osc-0.174.0-1.2.aarch64",
"openSUSE Tumbleweed:osc-0.174.0-1.2.ppc64le",
"openSUSE Tumbleweed:osc-0.174.0-1.2.s390x",
"openSUSE Tumbleweed:osc-0.174.0-1.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-3681",
"url": "https://www.suse.com/security/cve/CVE-2019-3681"
},
{
"category": "external",
"summary": "SUSE Bug 1122675 for CVE-2019-3681",
"url": "https://bugzilla.suse.com/1122675"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:osc-0.174.0-1.2.aarch64",
"openSUSE Tumbleweed:osc-0.174.0-1.2.ppc64le",
"openSUSE Tumbleweed:osc-0.174.0-1.2.s390x",
"openSUSE Tumbleweed:osc-0.174.0-1.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:osc-0.174.0-1.2.aarch64",
"openSUSE Tumbleweed:osc-0.174.0-1.2.ppc64le",
"openSUSE Tumbleweed:osc-0.174.0-1.2.s390x",
"openSUSE Tumbleweed:osc-0.174.0-1.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2019-3681"
},
{
"cve": "CVE-2019-3685",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-3685"
}
],
"notes": [
{
"category": "general",
"text": "Open Build Service before version 0.165.4 didn\u0027t validate TLS certificates for HTTPS connections with the osc client binary",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:osc-0.174.0-1.2.aarch64",
"openSUSE Tumbleweed:osc-0.174.0-1.2.ppc64le",
"openSUSE Tumbleweed:osc-0.174.0-1.2.s390x",
"openSUSE Tumbleweed:osc-0.174.0-1.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-3685",
"url": "https://www.suse.com/security/cve/CVE-2019-3685"
},
{
"category": "external",
"summary": "SUSE Bug 1142518 for CVE-2019-3685",
"url": "https://bugzilla.suse.com/1142518"
},
{
"category": "external",
"summary": "SUSE Bug 1142662 for CVE-2019-3685",
"url": "https://bugzilla.suse.com/1142662"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:osc-0.174.0-1.2.aarch64",
"openSUSE Tumbleweed:osc-0.174.0-1.2.ppc64le",
"openSUSE Tumbleweed:osc-0.174.0-1.2.s390x",
"openSUSE Tumbleweed:osc-0.174.0-1.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:osc-0.174.0-1.2.aarch64",
"openSUSE Tumbleweed:osc-0.174.0-1.2.ppc64le",
"openSUSE Tumbleweed:osc-0.174.0-1.2.s390x",
"openSUSE Tumbleweed:osc-0.174.0-1.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2019-3685"
}
]
}