{"f5": [{"lastseen": "2020-04-06T22:39:44", "bulletinFamily": "software", "cvelist": ["CVE-2019-12900"], "description": "\nF5 Product Development has assigned ID 819125 (BIG-IP), ID 819125-7 (BIG-IQ), ID 819125-8 (Enterprise Manager), ID 819125-9 (iWorkflow), and CPF-25132 and CPF-25133 (Traffix SDC) to this vulnerability.\n\nTo determine if your product and version have been evaluated for this vulnerability, refer to the **Applies to (see versions)** box. To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases, point releases, or hotfixes that address the vulnerability, refer to the following table. For more information about security advisory versioning, refer to [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>).\n\nProduct | Branch | Versions known to be vulnerable | Fixes introduced in | Severity | CVSSv3 score1 | Vulnerable component or feature \n---|---|---|---|---|---|--- \nBIG-IP (LTM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, FPS, GTM, Link Controller, WebAccelerator) | 15.x | 15.0.0 - 15.0.1 | None | Medium | [4.0](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L>) | **bzip2** utility \n14.x | 14.1.0 - 14.1.2 | None \n13.x | 13.1.0 - 13.1.3 | None \n12.x | 12.1.0 - 12.1.5 | None \n11.x | 11.5.2 - 11.6.5 | None \nBIG-IP (AAM) | 15.x | 15.0.0 - 15.0.1 | None | Critical | [9.0](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H>) | iSession profile with bzip2 compression enabled, **bzip2** utility \n14.x | 14.1.0 - 14.1.2 | None \n13.x | 13.1.0 - 13.1.3 | None \n12.x | 12.1.0 - 12.1.5 | None \n11.x | 11.5.2 - 11.6.5 | None \nBIG-IP (PEM) | 15.x | None | Not applicable | Not vulnerable2 | None | None \n14.x | None | Not applicable \n13.x | None | Not applicable \n12.x | None | Not applicable \n11.x | None | Not applicable \nEnterprise Manager | 3.x | 3.1.1 | None | Medium | [4.0](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L>) | **bzip2** utility \nBIG-IQ Centralized Management | 7.x | 7.0.0 | None | Medium | [4.0](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L>) | **bzip2** utility \n6.x | 6.0.0 - 6.1.0 | None \n5.x | 5.2.0 - 5.4.0 | None \nF5 iWorkflow | 2.x | 2.3.0 | None | Medium | [4.0](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L>) | **bzip2** utility \nTraffix SDC | 5.x | 5.0.0 - 5.1.0 | None | Medium | [4.0](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L>) | **bzip2** utility \n \n1The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.\n\n2The specified products contain the affected code. However, F5 identifies the vulnerability status as Not vulnerable because the attacker cannot exploit the code in default, standard, or recommended configurations.\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Fixes introduced in** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nMitigation\n\nBIG-IP AAM\n\nTo mitigate this vulnerability for BIG-IP AAM, you can disable bzip2 compression in any configured iSession profile. To do so, perform one of the following procedures:\n\n * [Using the Configuration utility to disable bzip2 compression](<https://support.f5.com/csp/article/K68713584#gui>)\n * [Using tmsh to disable bzip2 compression ](<https://support.f5.com/csp/article/K68713584#tmsh>)\n\nUsing the Configuration utility to disable bzip2 compression \n\n**Impact of action**: Disabling compression may result in higher latency between iSession endpoints. F5 recommends only disabling bzip2 compression. Additionally, you should perform testing within a maintenance window to ensure changes are compatible with your environment.\n\n 1. Log in to the Configuration utility.\n 2. Go to **Local Traffic** > **Profiles** > **Services** > **iSession**.\n 3. Select the name of your iSession profile.\n 4. Under **Compression Settings**, for **Bzip2**, select **Disabled**.\n 5. Select **Update**.\n 6. Repeat this procedure on the corresponding BIG-IP iSession tunnel endpoint.\n\nUsing tmsh to disable bzip2 compression \n\n**Impact of action**: Disabling compression may result in higher latency between iSession endpoints. F5 recommends only disabling bzip2 compression. Additionally, you should perform testing within a maintenance window to ensure changes are compatible with your environment.\n\n 1. Log in to the TMOS Shell (**tmsh**) by entering the following command: \n\ntmsh\n\n 2. To disable bzip2 compression for your iSession profile, use the following command syntax: \n\nmodify /wom profile isession <profile name> compression-codecs delete { bzip2 }\n\nFor example, to disable bzip2 compression in an iSession profile named **my-iSession**, enter the following command:\n\nmodify /wom profile isession my-iSession compression-codecs delete { bzip2 }\n\n 3. To view the configuration, use the following command syntax: \n\nlist /wom profile isession <profile name>\n\nOutput appears similar to the following example for a profile named **my-iSession**:\n\nwom profile isession my-iSession { \n app-service none \n compression-codecs { deflate lzo } \n defaults-from isession \n}\n\n 4. Save the configuration by entering the following command: \n\nsave /sys config\n\nBIG-IP, BIG-IQ, iWorkflow, Enterprise Manager, and Traffix SDC\n\nNone. F5 recommends that you restrict local access to trusted administrative users.\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K9502: BIG-IP hotfix and point release matrix](<https://support.f5.com/csp/article/K9502>)\n * [K13123: Managing BIG-IP product hotfixes (11.x - 15.x)](<https://support.f5.com/csp/article/K13123>)\n * [K15106: Managing BIG-IQ product hotfixes](<https://support.f5.com/csp/article/K15106>)\n * [K15113: BIG-IQ hotfix and point release matrix](<https://support.f5.com/csp/article/K15113>)\n * [K48955220: Installing an OPSWAT Endpoint Security update on BIG-IP APM systems (11.4.x and later)](<https://support.f5.com/csp/article/K48955220>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems](<https://support.f5.com/csp/article/K21232150>)\n", "edition": 1, "modified": "2019-11-14T00:37:00", "published": "2019-11-14T00:19:00", "id": "F5:K68713584", "href": "https://support.f5.com/csp/article/K68713584", "title": "bzip2 vulnerability CVE-2019-12900", "type": "f5", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "suse": [{"lastseen": "2019-07-21T13:42:45", "bulletinFamily": "unix", "cvelist": ["CVE-2019-12900"], "description": "This update for bzip2 fixes the following issues:\n\n Security issue fixed:\n\n - CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many\n selectors (bsc#1139083).\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n", "edition": 1, "modified": "2019-07-21T12:26:52", "published": "2019-07-21T12:26:52", "id": "OPENSUSE-SU-2019:1781-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00040.html", "title": "Security update for bzip2 (important)", "type": "suse", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-15T16:32:17", "bulletinFamily": "unix", "cvelist": ["CVE-2019-12900"], "description": "This update for bzip2 fixes the following issues:\n\n - Fixed a regression with the fix for CVE-2019-12900, which caused\n incompatibilities with files that used many selectors (bsc#1139083).\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n", "edition": 1, "modified": "2019-08-15T15:27:53", "published": "2019-08-15T15:27:53", "id": "OPENSUSE-SU-2019:1918-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00050.html", "title": "Security update for bzip2 (important)", "type": "suse", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-01T09:26:06", "bulletinFamily": "unix", "cvelist": ["CVE-2019-12900", "CVE-2019-12625"], "description": "This update for clamav fixes the following issues:\n\n Security issue fixed:\n\n - CVE-2019-12625: Fixed a ZIP bomb issue by adding detection and\n heuristics for zips with overlapping files (bsc#1144504).\n - CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many\n selectors (bsc#1149458).\n\n Non-security issues fixed:\n\n - Added the --max-scantime clamscan option and MaxScanTime clamd\n configuration option (bsc#1144504).\n - Increased the startup timeout of clamd to 5 minutes to cater for the\n grown virus database as a workaround until clamd has learned to talk to\n systemd to extend the timeout as long as needed (bsc#1151839).\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n", "edition": 1, "modified": "2019-12-01T06:10:56", "published": "2019-12-01T06:10:56", "id": "OPENSUSE-SU-2019:2597-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00000.html", "title": "Security update for clamav (moderate)", "type": "suse", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-01T03:24:52", "bulletinFamily": "unix", "cvelist": ["CVE-2019-12900", "CVE-2019-12625"], "description": "This update for clamav fixes the following issues:\n\n Security issue fixed:\n\n - CVE-2019-12625: Fixed a ZIP bomb issue by adding detection and\n heuristics for zips with overlapping files (bsc#1144504).\n - CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many\n selectors (bsc#1149458).\n\n Non-security issues fixed:\n\n - Added the --max-scantime clamscan option and MaxScanTime clamd\n configuration option (bsc#1144504).\n - Increased the startup timeout of clamd to 5 minutes to cater for the\n grown virus database as a workaround until clamd has learned to talk to\n systemd to extend the timeout as long as needed (bsc#1151839).\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n", "edition": 1, "modified": "2019-12-01T00:13:17", "published": "2019-12-01T00:13:17", "id": "OPENSUSE-SU-2019:2595-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00078.html", "title": "Security update for clamav (moderate)", "type": "suse", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2020-08-12T00:47:18", "bulletinFamily": "unix", "cvelist": ["CVE-2019-12900"], "description": "Package : bzip2\nVersion : 1.0.6-4+deb7u2\nCVE ID : CVE-2019-12900\n\n\n\nThe original fix for CVE-2019-12900 in bzip2, a high-quality \nblock-sorting file compressor, introduces regressions when extracting \ncertain lbzip2 files which were created with a buggy libzip2.\n\nPlease see https://bugs.debian.org/931278 for more information.\n\n\nFor Debian 8 "Jessie", this problem has been fixed in version\n1.0.6-4+deb7u2.\n\nWe recommend that you upgrade your bzip2 packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n\n", "edition": 7, "modified": "2019-07-18T20:30:31", "published": "2019-07-18T20:30:31", "id": "DEBIAN:DLA-1833-2:ADF1A", "href": "https://lists.debian.org/debian-lts-announce/2019/debian-lts-announce-201907/msg00014.html", "title": "[SECURITY] [DLA 1833-2] bzip2 regression update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-08-12T01:02:33", "bulletinFamily": "unix", "cvelist": ["CVE-2019-12900", "CVE-2016-3189"], "description": "Package : bzip2\nVersion : 1.0.6-7+deb8u1\nCVE ID : CVE-2016-3189 CVE-2019-12900\n\n\nTwo issues in bzip2, a high-quality block-sorting file compressor, have \nbeen fixed. One, CVE-2019-12900, is a out-of-bounds write when using a \ncrafted compressed file. The other, CVE-2016-3189, is a potential \nuser-after-free.\n\n\n\nFor Debian 8 "Jessie", these problems have been fixed in version\n1.0.6-7+deb8u1.\n\nWe recommend that you upgrade your bzip2 packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n\n", "edition": 9, "modified": "2019-06-24T20:25:30", "published": "2019-06-24T20:25:30", "id": "DEBIAN:DLA-1833-1:50B37", "href": "https://lists.debian.org/debian-lts-announce/2019/debian-lts-announce-201906/msg00021.html", "title": "[SECURITY] [DLA 1833-1] bzip2 security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-08-12T00:47:18", "bulletinFamily": "unix", "cvelist": ["CVE-2019-12900", "CVE-2019-12625"], "description": "Package : clamav\nVersion : 0.101.4+dfsg-0+deb8u2\nCVE ID : CVE-2019-12625 CVE-2019-12900\nDebian Bug : 942172\n\nThe update of clamav released as DLA 1953-1 led to permission issues on\n/var/run/clamav. This caused several users to experience issues restarting the\nclamav daemon. This regression is caused by a mistakenly backported patch from\nthe stretch package, upon which this update was based.\n\nFor Debian 8 "Jessie", this problem has been fixed in version\n0.101.4+dfsg-0+deb8u2.\n\nWe recommend that you upgrade your clamav packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 9, "modified": "2019-10-14T11:28:53", "published": "2019-10-14T11:28:53", "id": "DEBIAN:DLA-1953-2:E26E9", "href": "https://lists.debian.org/debian-lts-announce/2019/debian-lts-announce-201910/msg00018.html", "title": "[SECURITY] [DLA 1953-2] clamav regression update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-08-12T01:03:38", "bulletinFamily": "unix", "cvelist": ["CVE-2019-12900", "CVE-2019-12625"], "description": "Package : clamav\nVersion : 0.101.4+dfsg-0+deb8u1\nCVE ID : CVE-2019-12625 CVE-2019-12900\nDebian Bug : 34359\n\nIt was discovered that clamav, the open source antivirus engine, is affected by\nthe following security vulnerabilities:\n\nCVE-2019-12625\n\n Denial of Service (DoS) vulnerability, resulting from excessively long scan\n times caused by non-recursive zip bombs. Among others, this issue was\n mitigated by introducing a scan time limit.\n\nCVE-2019-12900\n\n Out-of-bounds write in ClamAV's NSIS bzip2 library when attempting\n decompression in cases where the number of selectors exceeded the max limit\n set by the library.\n\nThis update triggers a transition from libclamav7 to libclama9. As a result,\nseveral other packages will be recompiled against the fixed package after the\nrelease of this update: dansguardian, havp, python-pyclamav, c-icap-modules.\n\nFor Debian 8 "Jessie", these problems have been fixed in version\n0.101.4+dfsg-0+deb8u1.\n\nWe recommend that you upgrade your clamav packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 9, "modified": "2019-10-10T10:52:27", "published": "2019-10-10T10:52:27", "id": "DEBIAN:DLA-1953-1:02211", "href": "https://lists.debian.org/debian-lts-announce/2019/debian-lts-announce-201910/msg00012.html", "title": "[SECURITY] [DLA 1953-1] clamav security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2020-10-24T05:13:29", "description": "An update of the bzip2 package has been released.", "edition": 15, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-07-04T00:00:00", "title": "Photon OS 1.0: Bzip2 PHSA-2019-1.0-0242", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-12900"], "modified": "2019-07-04T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:bzip2", "cpe:/o:vmware:photonos:1.0"], "id": "PHOTONOS_PHSA-2019-1_0-0242_BZIP2.NASL", "href": "https://www.tenable.com/plugins/nessus/126471", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2019-1.0-0242. The text\n# itself is copyright (C) VMware, Inc.\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(126471);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/23\");\n\n script_cve_id(\"CVE-2019-12900\");\n script_xref(name:\"IAVA\", value:\"2020-A-0482\");\n\n script_name(english:\"Photon OS 1.0: Bzip2 PHSA-2019-1.0-0242\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the bzip2 package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-1.0-242.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-12900\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/12/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/06/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/07/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:bzip2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:1.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 1\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 1.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"bzip2-1.0.6-7.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"bzip2-debuginfo-1.0.6-7.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"bzip2-devel-1.0.6-7.ph1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bzip2\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-14T06:19:59", "description": "This update for bzip2 fixes the following issues :\n\nFixed a regression with the fix for CVE-2019-12900, which caused\nincompatibilities with files that used many selectors (bsc#1139083).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 16, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-08-12T00:00:00", "title": "SUSE SLED15 / SLES15 Security Update : bzip2 (SUSE-SU-2019:2004-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-12900"], "modified": "2019-08-12T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:libbz2", "p-cpe:/a:novell:suse_linux:bzip2-debugsource", "p-cpe:/a:novell:suse_linux:libbz2-1-32bit-debuginfo", "cpe:/o:novell:suse_linux:15", "p-cpe:/a:novell:suse_linux:libbz2-1-debuginfo", "p-cpe:/a:novell:suse_linux:bzip2-debuginfo", "p-cpe:/a:novell:suse_linux:libbz2-1", "p-cpe:/a:novell:suse_linux:libbz2-devel", "p-cpe:/a:novell:suse_linux:bzip2"], "id": "SUSE_SU-2019-2004-1.NASL", "href": "https://www.tenable.com/plugins/nessus/127747", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2019:2004-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(127747);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/13\");\n\n script_cve_id(\"CVE-2019-12900\");\n script_xref(name:\"IAVA\", value:\"2020-A-0482\");\n\n script_name(english:\"SUSE SLED15 / SLES15 Security Update : bzip2 (SUSE-SU-2019:2004-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for bzip2 fixes the following issues :\n\nFixed a regression with the fix for CVE-2019-12900, which caused\nincompatibilities with files that used many selectors (bsc#1139083).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1139083\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-12900/\"\n );\n # https://www.suse.com/support/update/announcement/2019/suse-su-20192004-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?91f3b5f8\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Module for Open Buildservice Development Tools\n15-SP1:zypper in -t patch\nSUSE-SLE-Module-Development-Tools-OBS-15-SP1-2019-2004=1\n\nSUSE Linux Enterprise Module for Open Buildservice Development Tools\n15:zypper in -t patch\nSUSE-SLE-Module-Development-Tools-OBS-15-2019-2004=1\n\nSUSE Linux Enterprise Module for Basesystem 15-SP1:zypper in -t patch\nSUSE-SLE-Module-Basesystem-15-SP1-2019-2004=1\n\nSUSE Linux Enterprise Module for Basesystem 15:zypper in -t patch\nSUSE-SLE-Module-Basesystem-15-2019-2004=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-12900\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:bzip2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:bzip2-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:bzip2-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libbz2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libbz2-1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libbz2-1-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libbz2-1-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libbz2-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/06/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/07/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED15|SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED15 / SLES15\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(0|1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP0/1\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED15\" && (! preg(pattern:\"^(0|1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED15 SP0/1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"libbz2-1-32bit-1.0.6-5.9.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"libbz2-1-32bit-debuginfo-1.0.6-5.9.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"libbz2-devel-32bit-1.0.6-5.9.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"bzip2-1.0.6-5.9.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"bzip2-debuginfo-1.0.6-5.9.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"bzip2-debugsource-1.0.6-5.9.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"libbz2-1-1.0.6-5.9.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"libbz2-1-debuginfo-1.0.6-5.9.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"libbz2-devel-1.0.6-5.9.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"x86_64\", reference:\"libbz2-1-32bit-1.0.6-5.9.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"x86_64\", reference:\"libbz2-1-32bit-debuginfo-1.0.6-5.9.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"bzip2-1.0.6-5.9.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"bzip2-debuginfo-1.0.6-5.9.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"bzip2-debugsource-1.0.6-5.9.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"libbz2-1-1.0.6-5.9.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"libbz2-1-debuginfo-1.0.6-5.9.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"libbz2-devel-1.0.6-5.9.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", cpu:\"x86_64\", reference:\"libbz2-1-32bit-1.0.6-5.9.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", cpu:\"x86_64\", reference:\"libbz2-1-32bit-debuginfo-1.0.6-5.9.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", cpu:\"x86_64\", reference:\"libbz2-devel-32bit-1.0.6-5.9.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"bzip2-1.0.6-5.9.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"bzip2-debuginfo-1.0.6-5.9.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"bzip2-debugsource-1.0.6-5.9.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"libbz2-1-1.0.6-5.9.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"libbz2-1-debuginfo-1.0.6-5.9.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"libbz2-devel-1.0.6-5.9.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", cpu:\"x86_64\", reference:\"libbz2-1-32bit-1.0.6-5.9.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", cpu:\"x86_64\", reference:\"libbz2-1-32bit-debuginfo-1.0.6-5.9.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"bzip2-1.0.6-5.9.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"bzip2-debuginfo-1.0.6-5.9.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"bzip2-debugsource-1.0.6-5.9.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"libbz2-1-1.0.6-5.9.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"libbz2-1-debuginfo-1.0.6-5.9.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"libbz2-devel-1.0.6-5.9.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bzip2\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T08:59:37", "description": "According to the version of the bzip2 packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerability :\n\n - BZ2_decompress in decompress.c in bzip2 through 1.0.6\n has an out-of-bounds write when there are many\n selectors.(CVE-2019-12900)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 13, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-09-24T00:00:00", "title": "EulerOS 2.0 SP3 : bzip2 (EulerOS-SA-2019-2057)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-12900"], "modified": "2019-09-24T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:bzip2-devel", "p-cpe:/a:huawei:euleros:bzip2-libs", "p-cpe:/a:huawei:euleros:bzip2", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2019-2057.NASL", "href": "https://www.tenable.com/plugins/nessus/129250", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(129250);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2019-12900\");\n script_xref(name:\"IAVA\", value:\"2020-A-0482\");\n\n script_name(english:\"EulerOS 2.0 SP3 : bzip2 (EulerOS-SA-2019-2057)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the bzip2 packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerability :\n\n - BZ2_decompress in decompress.c in bzip2 through 1.0.6\n has an out-of-bounds write when there are many\n selectors.(CVE-2019-12900)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2057\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1e7542c1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected bzip2 package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-12900\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/09/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/09/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:bzip2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:bzip2-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:bzip2-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(3)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"bzip2-1.0.6-13.h3\",\n \"bzip2-devel-1.0.6-13.h3\",\n \"bzip2-libs-1.0.6-13.h3\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"3\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bzip2\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T08:58:57", "description": "According to the version of the bzip2 packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerability :\n\n - BZ2_decompress in decompress.c in bzip2 through 1.0.6\n has an out-of-bounds write when there are many\n selectors.(CVE-2019-12900)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 13, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-07-23T00:00:00", "title": "EulerOS 2.0 SP5 : bzip2 (EulerOS-SA-2019-1757)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-12900"], "modified": "2019-07-23T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:bzip2-devel", "p-cpe:/a:huawei:euleros:bzip2-libs", "p-cpe:/a:huawei:euleros:bzip2", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2019-1757.NASL", "href": "https://www.tenable.com/plugins/nessus/126933", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(126933);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2019-12900\");\n script_xref(name:\"IAVA\", value:\"2020-A-0482\");\n\n script_name(english:\"EulerOS 2.0 SP5 : bzip2 (EulerOS-SA-2019-1757)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the bzip2 packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerability :\n\n - BZ2_decompress in decompress.c in bzip2 through 1.0.6\n has an out-of-bounds write when there are many\n selectors.(CVE-2019-12900)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1757\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3f06da64\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected bzip2 package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-12900\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/07/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/07/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:bzip2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:bzip2-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:bzip2-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(5)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"bzip2-1.0.6-14.h3.eulerosv2r7\",\n \"bzip2-devel-1.0.6-14.h3.eulerosv2r7\",\n \"bzip2-libs-1.0.6-14.h3.eulerosv2r7\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"5\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bzip2\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-14T06:19:28", "description": "This update for bzip2 fixes the following issues :\n\nSecurity issue fixed :\n\nCVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many\nselectors (bsc#1139083).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 16, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-07-16T00:00:00", "title": "SUSE SLED15 / SLES15 Security Update : bzip2 (SUSE-SU-2019:1846-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-12900"], "modified": "2019-07-16T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:libbz2", "p-cpe:/a:novell:suse_linux:bzip2-debugsource", "p-cpe:/a:novell:suse_linux:libbz2-1-32bit-debuginfo", "cpe:/o:novell:suse_linux:15", "p-cpe:/a:novell:suse_linux:libbz2-1-debuginfo", "p-cpe:/a:novell:suse_linux:bzip2-debuginfo", "p-cpe:/a:novell:suse_linux:libbz2-1", "p-cpe:/a:novell:suse_linux:libbz2-devel", "p-cpe:/a:novell:suse_linux:bzip2"], "id": "SUSE_SU-2019-1846-1.NASL", "href": "https://www.tenable.com/plugins/nessus/126737", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2019:1846-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(126737);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/13\");\n\n script_cve_id(\"CVE-2019-12900\");\n script_xref(name:\"IAVA\", value:\"2020-A-0482\");\n\n script_name(english:\"SUSE SLED15 / SLES15 Security Update : bzip2 (SUSE-SU-2019:1846-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for bzip2 fixes the following issues :\n\nSecurity issue fixed :\n\nCVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many\nselectors (bsc#1139083).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1139083\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-12900/\"\n );\n # https://www.suse.com/support/update/announcement/2019/suse-su-20191846-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?2e3f019f\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Module for Open Buildservice Development Tools\n15-SP1:zypper in -t patch\nSUSE-SLE-Module-Development-Tools-OBS-15-SP1-2019-1846=1\n\nSUSE Linux Enterprise Module for Open Buildservice Development Tools\n15:zypper in -t patch\nSUSE-SLE-Module-Development-Tools-OBS-15-2019-1846=1\n\nSUSE Linux Enterprise Module for Basesystem 15-SP1:zypper in -t patch\nSUSE-SLE-Module-Basesystem-15-SP1-2019-1846=1\n\nSUSE Linux Enterprise Module for Basesystem 15:zypper in -t patch\nSUSE-SLE-Module-Basesystem-15-2019-1846=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-12900\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:bzip2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:bzip2-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:bzip2-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libbz2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libbz2-1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libbz2-1-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libbz2-1-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libbz2-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/06/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/07/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/07/16\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED15|SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED15 / SLES15\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(0|1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP0/1\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED15\" && (! preg(pattern:\"^(0|1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED15 SP0/1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"libbz2-1-32bit-1.0.6-5.6.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"libbz2-1-32bit-debuginfo-1.0.6-5.6.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"libbz2-devel-32bit-1.0.6-5.6.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"bzip2-1.0.6-5.6.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"bzip2-debuginfo-1.0.6-5.6.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"bzip2-debugsource-1.0.6-5.6.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"libbz2-1-1.0.6-5.6.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"libbz2-1-debuginfo-1.0.6-5.6.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"libbz2-devel-1.0.6-5.6.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"x86_64\", reference:\"libbz2-1-32bit-1.0.6-5.6.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"x86_64\", reference:\"libbz2-1-32bit-debuginfo-1.0.6-5.6.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"bzip2-1.0.6-5.6.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"bzip2-debuginfo-1.0.6-5.6.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"bzip2-debugsource-1.0.6-5.6.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"libbz2-1-1.0.6-5.6.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"libbz2-1-debuginfo-1.0.6-5.6.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"libbz2-devel-1.0.6-5.6.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", cpu:\"x86_64\", reference:\"libbz2-1-32bit-1.0.6-5.6.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", cpu:\"x86_64\", reference:\"libbz2-1-32bit-debuginfo-1.0.6-5.6.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", cpu:\"x86_64\", reference:\"libbz2-devel-32bit-1.0.6-5.6.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"bzip2-1.0.6-5.6.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"bzip2-debuginfo-1.0.6-5.6.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"bzip2-debugsource-1.0.6-5.6.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"libbz2-1-1.0.6-5.6.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"libbz2-1-debuginfo-1.0.6-5.6.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"libbz2-devel-1.0.6-5.6.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", cpu:\"x86_64\", reference:\"libbz2-1-32bit-1.0.6-5.6.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", cpu:\"x86_64\", reference:\"libbz2-1-32bit-debuginfo-1.0.6-5.6.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"bzip2-1.0.6-5.6.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"bzip2-debuginfo-1.0.6-5.6.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"bzip2-debugsource-1.0.6-5.6.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"libbz2-1-1.0.6-5.6.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"libbz2-1-debuginfo-1.0.6-5.6.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"libbz2-devel-1.0.6-5.6.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bzip2\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-24T08:08:30", "description": "This update for bzip2 fixes the following issues :\n\n - Fixed a regression with the fix for CVE-2019-12900,\n which caused incompatibilities with files that used many\n selectors (bsc#1139083).\n\nThis update was imported from the SUSE:SLE-15:Update update project.", "edition": 15, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-08-20T00:00:00", "title": "openSUSE Security Update : bzip2 (openSUSE-2019-1918)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-12900"], "modified": "2019-08-20T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:bzip2", "p-cpe:/a:novell:opensuse:libbz2-1-32bit-debuginfo", "cpe:/o:novell:opensuse:15.1", "p-cpe:/a:novell:opensuse:bzip2-debuginfo", "p-cpe:/a:novell:opensuse:bzip2-debugsource", "p-cpe:/a:novell:opensuse:libbz2-1-debuginfo", "p-cpe:/a:novell:opensuse:libbz2-devel", "p-cpe:/a:novell:opensuse:libbz2-1", "p-cpe:/a:novell:opensuse:libbz2-devel-32bit", "p-cpe:/a:novell:opensuse:libbz2-1-32bit"], "id": "OPENSUSE-2019-1918.NASL", "href": "https://www.tenable.com/plugins/nessus/128010", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2019-1918.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(128010);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/23\");\n\n script_cve_id(\"CVE-2019-12900\");\n script_xref(name:\"IAVA\", value:\"2020-A-0482\");\n\n script_name(english:\"openSUSE Security Update : bzip2 (openSUSE-2019-1918)\");\n script_summary(english:\"Check for the openSUSE-2019-1918 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for bzip2 fixes the following issues :\n\n - Fixed a regression with the fix for CVE-2019-12900,\n which caused incompatibilities with files that used many\n selectors (bsc#1139083).\n\nThis update was imported from the SUSE:SLE-15:Update update project.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1139083\");\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected bzip2 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-12900\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bzip2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bzip2-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bzip2-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libbz2-1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libbz2-1-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libbz2-1-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libbz2-1-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libbz2-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libbz2-devel-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/06/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/08/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/20\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.1\", reference:\"bzip2-1.0.6-lp151.5.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"bzip2-debuginfo-1.0.6-lp151.5.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"bzip2-debugsource-1.0.6-lp151.5.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libbz2-1-1.0.6-lp151.5.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libbz2-1-debuginfo-1.0.6-lp151.5.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libbz2-devel-1.0.6-lp151.5.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libbz2-1-32bit-1.0.6-lp151.5.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libbz2-1-32bit-debuginfo-1.0.6-lp151.5.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libbz2-devel-32bit-1.0.6-lp151.5.9.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bzip2 / bzip2-debuginfo / bzip2-debugsource / libbz2-1 / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-24T08:07:52", "description": "This update for bzip2 fixes the following issues :\n\nSecurity issue fixed :\n\n - CVE-2019-12900: Fixed an out-of-bounds write in\n decompress.c with many selectors (bsc#1139083).\n\nThis update was imported from the SUSE:SLE-15:Update update project.", "edition": 15, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-07-22T00:00:00", "title": "openSUSE Security Update : bzip2 (openSUSE-2019-1781)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-12900"], "modified": "2019-07-22T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:bzip2", "p-cpe:/a:novell:opensuse:libbz2-1-32bit-debuginfo", "cpe:/o:novell:opensuse:15.1", "p-cpe:/a:novell:opensuse:bzip2-debuginfo", "p-cpe:/a:novell:opensuse:bzip2-debugsource", "p-cpe:/a:novell:opensuse:libbz2-1-debuginfo", "p-cpe:/a:novell:opensuse:libbz2-devel", "p-cpe:/a:novell:opensuse:libbz2-1", "p-cpe:/a:novell:opensuse:libbz2-devel-32bit", "p-cpe:/a:novell:opensuse:libbz2-1-32bit"], "id": "OPENSUSE-2019-1781.NASL", "href": "https://www.tenable.com/plugins/nessus/126911", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2019-1781.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(126911);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/23\");\n\n script_cve_id(\"CVE-2019-12900\");\n script_xref(name:\"IAVA\", value:\"2020-A-0482\");\n\n script_name(english:\"openSUSE Security Update : bzip2 (openSUSE-2019-1781)\");\n script_summary(english:\"Check for the openSUSE-2019-1781 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for bzip2 fixes the following issues :\n\nSecurity issue fixed :\n\n - CVE-2019-12900: Fixed an out-of-bounds write in\n decompress.c with many selectors (bsc#1139083).\n\nThis update was imported from the SUSE:SLE-15:Update update project.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1139083\");\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected bzip2 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-12900\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bzip2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bzip2-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bzip2-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libbz2-1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libbz2-1-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libbz2-1-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libbz2-1-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libbz2-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libbz2-devel-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/06/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/07/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/07/22\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.1\", reference:\"bzip2-1.0.6-lp151.5.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"bzip2-debuginfo-1.0.6-lp151.5.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"bzip2-debugsource-1.0.6-lp151.5.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libbz2-1-1.0.6-lp151.5.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libbz2-1-debuginfo-1.0.6-lp151.5.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libbz2-devel-1.0.6-lp151.5.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libbz2-1-32bit-1.0.6-lp151.5.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libbz2-1-32bit-debuginfo-1.0.6-lp151.5.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libbz2-devel-32bit-1.0.6-lp151.5.6.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bzip2 / bzip2-debuginfo / bzip2-debugsource / libbz2-1 / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T08:59:00", "description": "According to the version of the bzip2 packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerability :\n\n - BZ2_decompress in decompress.c in bzip2 through 1.0.6\n has an out-of-bounds write when there are many\n selectors.(CVE-2019-12900)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 12, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-07-25T00:00:00", "title": "EulerOS 2.0 SP8 : bzip2 (EulerOS-SA-2019-1782)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-12900"], "modified": "2019-07-25T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:bzip2-devel", "p-cpe:/a:huawei:euleros:bzip2-libs", "p-cpe:/a:huawei:euleros:bzip2", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2019-1782.NASL", "href": "https://www.tenable.com/plugins/nessus/127019", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(127019);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2019-12900\");\n script_xref(name:\"IAVA\", value:\"2020-A-0482\");\n\n script_name(english:\"EulerOS 2.0 SP8 : bzip2 (EulerOS-SA-2019-1782)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the bzip2 packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerability :\n\n - BZ2_decompress in decompress.c in bzip2 through 1.0.6\n has an out-of-bounds write when there are many\n selectors.(CVE-2019-12900)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1782\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3ecf57ac\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected bzip2 package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-12900\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/07/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/07/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:bzip2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:bzip2-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:bzip2-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(8)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP8\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP8\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nflag = 0;\n\npkgs = [\"bzip2-1.0.6-29.eulerosv2r8\",\n \"bzip2-devel-1.0.6-29.eulerosv2r8\",\n \"bzip2-libs-1.0.6-29.eulerosv2r8\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"8\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bzip2\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T08:59:06", "description": "According to the version of the bzip2 packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerability :\n\n - BZ2_decompress in decompress.c in bzip2 through 1.0.6\n has an out-of-bounds write when there are many\n selectors.(CVE-2019-12900)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 13, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-09-17T00:00:00", "title": "EulerOS 2.0 SP2 : bzip2 (EulerOS-SA-2019-1837)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-12900"], "modified": "2019-09-17T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:bzip2-devel", "p-cpe:/a:huawei:euleros:bzip2-libs", "p-cpe:/a:huawei:euleros:bzip2", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2019-1837.NASL", "href": "https://www.tenable.com/plugins/nessus/128889", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(128889);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2019-12900\");\n script_xref(name:\"IAVA\", value:\"2020-A-0482\");\n\n script_name(english:\"EulerOS 2.0 SP2 : bzip2 (EulerOS-SA-2019-1837)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the bzip2 packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerability :\n\n - BZ2_decompress in decompress.c in bzip2 through 1.0.6\n has an out-of-bounds write when there are many\n selectors.(CVE-2019-12900)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1837\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2d38f3f9\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected bzip2 package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-12900\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/09/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/09/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:bzip2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:bzip2-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:bzip2-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(2)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"bzip2-1.0.6-13.h3\",\n \"bzip2-devel-1.0.6-13.h3\",\n \"bzip2-libs-1.0.6-13.h3\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"2\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bzip2\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-14T06:20:00", "description": "This update for bzip2 fixes the following issues :\n\nFixed a regression with the fix for CVE-2019-12900, which caused\nincompatibilities with files that used many selectors (bsc#1139083).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 16, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-08-12T00:00:00", "title": "SUSE SLED12 / SLES12 Security Update : bzip2 (SUSE-SU-2019:2013-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-12900"], "modified": "2019-08-12T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:libbz2", "cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:bzip2-debugsource", "p-cpe:/a:novell:suse_linux:libbz2-1-debuginfo", "p-cpe:/a:novell:suse_linux:bzip2-debuginfo", "p-cpe:/a:novell:suse_linux:libbz2-1", "p-cpe:/a:novell:suse_linux:bzip2"], "id": "SUSE_SU-2019-2013-1.NASL", "href": "https://www.tenable.com/plugins/nessus/127753", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2019:2013-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(127753);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/13\");\n\n script_cve_id(\"CVE-2019-12900\");\n script_xref(name:\"IAVA\", value:\"2020-A-0482\");\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : bzip2 (SUSE-SU-2019:2013-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for bzip2 fixes the following issues :\n\nFixed a regression with the fix for CVE-2019-12900, which caused\nincompatibilities with files that used many selectors (bsc#1139083).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1139083\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-12900/\"\n );\n # https://www.suse.com/support/update/announcement/2019/suse-su-20192013-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?019ff865\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE OpenStack Cloud Crowbar 8:zypper in -t patch\nSUSE-OpenStack-Cloud-Crowbar-8-2019-2013=1\n\nSUSE OpenStack Cloud 8:zypper in -t patch\nSUSE-OpenStack-Cloud-8-2019-2013=1\n\nSUSE OpenStack Cloud 7:zypper in -t patch\nSUSE-OpenStack-Cloud-7-2019-2013=1\n\nSUSE Linux Enterprise Software Development Kit 12-SP5:zypper in -t\npatch SUSE-SLE-SDK-12-SP5-2019-2013=1\n\nSUSE Linux Enterprise Software Development Kit 12-SP4:zypper in -t\npatch SUSE-SLE-SDK-12-SP4-2019-2013=1\n\nSUSE Linux Enterprise Server for SAP 12-SP3:zypper in -t patch\nSUSE-SLE-SAP-12-SP3-2019-2013=1\n\nSUSE Linux Enterprise Server for SAP 12-SP2:zypper in -t patch\nSUSE-SLE-SAP-12-SP2-2019-2013=1\n\nSUSE Linux Enterprise Server for SAP 12-SP1:zypper in -t patch\nSUSE-SLE-SAP-12-SP1-2019-2013=1\n\nSUSE Linux Enterprise Server 12-SP5:zypper in -t patch\nSUSE-SLE-SERVER-12-SP5-2019-2013=1\n\nSUSE Linux Enterprise Server 12-SP4:zypper in -t patch\nSUSE-SLE-SERVER-12-SP4-2019-2013=1\n\nSUSE Linux Enterprise Server 12-SP3-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-SP3-2019-2013=1\n\nSUSE Linux Enterprise Server 12-SP3-BCL:zypper in -t patch\nSUSE-SLE-SERVER-12-SP3-BCL-2019-2013=1\n\nSUSE Linux Enterprise Server 12-SP2-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-SP2-2019-2013=1\n\nSUSE Linux Enterprise Server 12-SP2-BCL:zypper in -t patch\nSUSE-SLE-SERVER-12-SP2-BCL-2019-2013=1\n\nSUSE Linux Enterprise Server 12-SP1-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-SP1-2019-2013=1\n\nSUSE Linux Enterprise Desktop 12-SP5:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP5-2019-2013=1\n\nSUSE Linux Enterprise Desktop 12-SP4:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP4-2019-2013=1\n\nSUSE Enterprise Storage 5:zypper in -t patch\nSUSE-Storage-5-2019-2013=1\n\nSUSE Enterprise Storage 4:zypper in -t patch\nSUSE-Storage-4-2019-2013=1\n\nSUSE CaaS Platform 3.0 :\n\nTo install this update, use the SUSE CaaS Platform Velum dashboard. It\nwill inform you if it detects new updates and let you then trigger\nupdating of the complete cluster in a controlled way.\n\nHPE Helion Openstack 8:zypper in -t patch\nHPE-Helion-OpenStack-8-2019-2013=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-12900\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:bzip2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:bzip2-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:bzip2-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libbz2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libbz2-1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libbz2-1-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/06/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/07/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12 / SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(1|2|3|4|5)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP1/2/3/4/5\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED12\" && (! preg(pattern:\"^(4|5)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP4/5\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"bzip2-1.0.6-30.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"bzip2-debuginfo-1.0.6-30.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"bzip2-debugsource-1.0.6-30.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"libbz2-1-1.0.6-30.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"libbz2-1-32bit-1.0.6-30.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"libbz2-1-debuginfo-1.0.6-30.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"libbz2-1-debuginfo-32bit-1.0.6-30.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"bzip2-1.0.6-30.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"bzip2-debuginfo-1.0.6-30.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"bzip2-debugsource-1.0.6-30.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libbz2-1-1.0.6-30.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libbz2-1-32bit-1.0.6-30.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libbz2-1-debuginfo-1.0.6-30.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libbz2-1-debuginfo-32bit-1.0.6-30.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"bzip2-1.0.6-30.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"bzip2-debuginfo-1.0.6-30.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"bzip2-debugsource-1.0.6-30.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libbz2-1-1.0.6-30.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libbz2-1-32bit-1.0.6-30.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libbz2-1-debuginfo-1.0.6-30.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libbz2-1-debuginfo-32bit-1.0.6-30.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"bzip2-1.0.6-30.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"bzip2-debuginfo-1.0.6-30.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"bzip2-debugsource-1.0.6-30.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libbz2-1-1.0.6-30.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libbz2-1-32bit-1.0.6-30.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libbz2-1-debuginfo-1.0.6-30.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libbz2-1-debuginfo-32bit-1.0.6-30.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"bzip2-1.0.6-30.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"bzip2-debuginfo-1.0.6-30.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"bzip2-debugsource-1.0.6-30.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libbz2-1-1.0.6-30.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libbz2-1-32bit-1.0.6-30.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libbz2-1-debuginfo-1.0.6-30.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libbz2-1-debuginfo-32bit-1.0.6-30.8.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"bzip2-1.0.6-30.8.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"bzip2-debuginfo-1.0.6-30.8.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"bzip2-debugsource-1.0.6-30.8.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"libbz2-1-1.0.6-30.8.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"libbz2-1-32bit-1.0.6-30.8.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"libbz2-1-debuginfo-1.0.6-30.8.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"libbz2-1-debuginfo-32bit-1.0.6-30.8.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"5\", cpu:\"x86_64\", reference:\"bzip2-1.0.6-30.8.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"5\", cpu:\"x86_64\", reference:\"bzip2-debuginfo-1.0.6-30.8.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"5\", cpu:\"x86_64\", reference:\"bzip2-debugsource-1.0.6-30.8.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"5\", cpu:\"x86_64\", reference:\"libbz2-1-1.0.6-30.8.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"5\", cpu:\"x86_64\", reference:\"libbz2-1-32bit-1.0.6-30.8.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"5\", cpu:\"x86_64\", reference:\"libbz2-1-debuginfo-1.0.6-30.8.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"5\", cpu:\"x86_64\", reference:\"libbz2-1-debuginfo-32bit-1.0.6-30.8.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bzip2\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2020-01-27T18:36:29", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-12900"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220192057", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220192057", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for bzip2 (EulerOS-SA-2019-2057)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.2057\");\n script_version(\"2020-01-23T12:32:41+0000\");\n script_cve_id(\"CVE-2019-12900\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 12:32:41 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 12:32:41 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for bzip2 (EulerOS-SA-2019-2057)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP3\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-2057\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2057\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'bzip2' package(s) announced via the EulerOS-SA-2019-2057 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.(CVE-2019-12900)\");\n\n script_tag(name:\"affected\", value:\"'bzip2' package(s) on Huawei EulerOS V2.0SP3.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP3\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"bzip2\", rpm:\"bzip2~1.0.6~13.h3\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bzip2-devel\", rpm:\"bzip2-devel~1.0.6~13.h3\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bzip2-libs\", rpm:\"bzip2-libs~1.0.6~13.h3\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-31T16:53:15", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-12900"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2019-07-22T00:00:00", "id": "OPENVAS:1361412562310852628", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310852628", "type": "openvas", "title": "openSUSE: Security Advisory for bzip2 (openSUSE-SU-2019:1781-1)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.852628\");\n script_version(\"2020-01-31T08:04:39+0000\");\n script_cve_id(\"CVE-2019-12900\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:04:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-07-22 02:01:21 +0000 (Mon, 22 Jul 2019)\");\n script_name(\"openSUSE: Security Advisory for bzip2 (openSUSE-SU-2019:1781-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap15\\.0\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2019:1781-1\");\n script_xref(name:\"URL\", value:\"https://lists.opensuse.org/opensuse-security-announce/2019-07/msg00040.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'bzip2'\n package(s) announced via the openSUSE-SU-2019:1781-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for bzip2 fixes the following issues:\n\n Security issue fixed:\n\n - CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many\n selectors (bsc#1139083).\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.1:\n\n zypper in -t patch openSUSE-2019-1781=1\n\n - openSUSE Leap 15.0:\n\n zypper in -t patch openSUSE-2019-1781=1\");\n\n script_tag(name:\"affected\", value:\"'bzip2' package(s) on openSUSE Leap 15.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap15.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"bzip2\", rpm:\"bzip2~1.0.6~lp150.4.6.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bzip2-debuginfo\", rpm:\"bzip2-debuginfo~1.0.6~lp150.4.6.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bzip2-debugsource\", rpm:\"bzip2-debugsource~1.0.6~lp150.4.6.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libbz2-1\", rpm:\"libbz2-1~1.0.6~lp150.4.6.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libbz2-1-debuginfo\", rpm:\"libbz2-1-debuginfo~1.0.6~lp150.4.6.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libbz2-devel\", rpm:\"libbz2-devel~1.0.6~lp150.4.6.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libbz2-1-32bit\", rpm:\"libbz2-1-32bit~1.0.6~lp150.4.6.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libbz2-1-32bit-debuginfo\", rpm:\"libbz2-1-32bit-debuginfo~1.0.6~lp150.4.6.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libbz2-devel-32bit\", rpm:\"libbz2-devel-32bit~1.0.6~lp150.4.6.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"zip2-doc\", rpm:\"zip2-doc~1.0.6~lp150.4.6.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-27T18:37:26", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-12900"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220191782", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220191782", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for bzip2 (EulerOS-SA-2019-1782)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.1782\");\n script_version(\"2020-01-23T12:22:15+0000\");\n script_cve_id(\"CVE-2019-12900\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 12:22:15 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 12:22:15 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for bzip2 (EulerOS-SA-2019-1782)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP8\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-1782\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1782\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'bzip2' package(s) announced via the EulerOS-SA-2019-1782 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.(CVE-2019-12900)\");\n\n script_tag(name:\"affected\", value:\"'bzip2' package(s) on Huawei EulerOS V2.0SP8.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP8\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"bzip2\", rpm:\"bzip2~1.0.6~29.eulerosv2r8\", rls:\"EULEROS-2.0SP8\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bzip2-devel\", rpm:\"bzip2-devel~1.0.6~29.eulerosv2r8\", rls:\"EULEROS-2.0SP8\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bzip2-libs\", rpm:\"bzip2-libs~1.0.6~29.eulerosv2r8\", rls:\"EULEROS-2.0SP8\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-27T18:35:38", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-12900"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220191920", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220191920", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for bzip2 (EulerOS-SA-2019-1920)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.1920\");\n script_version(\"2020-01-23T12:26:51+0000\");\n script_cve_id(\"CVE-2019-12900\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 12:26:51 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 12:26:51 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for bzip2 (EulerOS-SA-2019-1920)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROSVIRTARM64-3\\.0\\.2\\.0\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-1920\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1920\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'bzip2' package(s) announced via the EulerOS-SA-2019-1920 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.(CVE-2019-12900)\");\n\n script_tag(name:\"affected\", value:\"'bzip2' package(s) on Huawei EulerOS Virtualization for ARM 64 3.0.2.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROSVIRTARM64-3.0.2.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"bzip2\", rpm:\"bzip2~1.0.6~14.h4\", rls:\"EULEROSVIRTARM64-3.0.2.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bzip2-libs\", rpm:\"bzip2-libs~1.0.6~14.h4\", rls:\"EULEROSVIRTARM64-3.0.2.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-27T18:36:40", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-12900"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220191837", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220191837", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for bzip2 (EulerOS-SA-2019-1837)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.1837\");\n script_version(\"2020-01-23T12:24:29+0000\");\n script_cve_id(\"CVE-2019-12900\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 12:24:29 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 12:24:29 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for bzip2 (EulerOS-SA-2019-1837)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP2\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-1837\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1837\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'bzip2' package(s) announced via the EulerOS-SA-2019-1837 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.(CVE-2019-12900)\");\n\n script_tag(name:\"affected\", value:\"'bzip2' package(s) on Huawei EulerOS V2.0SP2.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP2\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"bzip2\", rpm:\"bzip2~1.0.6~13.h3\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bzip2-devel\", rpm:\"bzip2-devel~1.0.6~13.h3\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bzip2-libs\", rpm:\"bzip2-libs~1.0.6~13.h3\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-31T16:51:33", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-12900"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2019-08-16T00:00:00", "id": "OPENVAS:1361412562310852662", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310852662", "type": "openvas", "title": "openSUSE: Security Advisory for bzip2 (openSUSE-SU-2019:1918-1)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.852662\");\n script_version(\"2020-01-31T08:04:39+0000\");\n script_cve_id(\"CVE-2019-12900\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:04:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-08-16 02:01:37 +0000 (Fri, 16 Aug 2019)\");\n script_name(\"openSUSE: Security Advisory for bzip2 (openSUSE-SU-2019:1918-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap15\\.0\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2019:1918-1\");\n script_xref(name:\"URL\", value:\"https://lists.opensuse.org/opensuse-security-announce/2019-08/msg00050.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'bzip2'\n package(s) announced via the openSUSE-SU-2019:1918-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for bzip2 fixes the following issues:\n\n - Fixed a regression with the fix for CVE-2019-12900, which caused\n incompatibilities with files that used many selectors (bsc#1139083).\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.1:\n\n zypper in -t patch openSUSE-2019-1918=1\n\n - openSUSE Leap 15.0:\n\n zypper in -t patch openSUSE-2019-1918=1\");\n\n script_tag(name:\"affected\", value:\"'bzip2' package(s) on openSUSE Leap 15.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap15.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"bzip2\", rpm:\"bzip2~1.0.6~lp150.4.9.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bzip2-debuginfo\", rpm:\"bzip2-debuginfo~1.0.6~lp150.4.9.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bzip2-debugsource\", rpm:\"bzip2-debugsource~1.0.6~lp150.4.9.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libbz2-1\", rpm:\"libbz2-1~1.0.6~lp150.4.9.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libbz2-1-debuginfo\", rpm:\"libbz2-1-debuginfo~1.0.6~lp150.4.9.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libbz2-devel\", rpm:\"libbz2-devel~1.0.6~lp150.4.9.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libbz2-1-32bit\", rpm:\"libbz2-1-32bit~1.0.6~lp150.4.9.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libbz2-1-32bit-debuginfo\", rpm:\"libbz2-1-32bit-debuginfo~1.0.6~lp150.4.9.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libbz2-devel-32bit\", rpm:\"libbz2-devel-32bit~1.0.6~lp150.4.9.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"zip2-doc\", rpm:\"zip2-doc~1.0.6~lp150.4.9.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-27T18:37:03", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-12900"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220191757", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220191757", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for bzip2 (EulerOS-SA-2019-1757)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.1757\");\n script_version(\"2020-01-23T12:21:45+0000\");\n script_cve_id(\"CVE-2019-12900\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 12:21:45 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 12:21:45 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for bzip2 (EulerOS-SA-2019-1757)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP5\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-1757\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1757\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'bzip2' package(s) announced via the EulerOS-SA-2019-1757 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.(CVE-2019-12900)\");\n\n script_tag(name:\"affected\", value:\"'bzip2' package(s) on Huawei EulerOS V2.0SP5.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP5\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"bzip2\", rpm:\"bzip2~1.0.6~14.h3.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bzip2-devel\", rpm:\"bzip2-devel~1.0.6~14.h3.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bzip2-libs\", rpm:\"bzip2-libs~1.0.6~14.h3.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-29T19:26:04", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-12900", "CVE-2019-12625"], "description": "The remote host is missing an update for the ", "modified": "2020-01-29T00:00:00", "published": "2019-10-11T00:00:00", "id": "OPENVAS:1361412562310891953", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891953", "type": "openvas", "title": "Debian LTS: Security Advisory for clamav (DLA-1953-1)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891953\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2019-12625\", \"CVE-2019-12900\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-10-11 02:00:08 +0000 (Fri, 11 Oct 2019)\");\n script_name(\"Debian LTS: Security Advisory for clamav (DLA-1953-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2019/10/msg00012.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DLA-1953-1\");\n script_xref(name:\"URL\", value:\"https://bugs.debian.org/34359\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'clamav'\n package(s) announced via the DLA-1953-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"It was discovered that clamav, the open source antivirus engine, is affected by\nthe following security vulnerabilities:\n\nCVE-2019-12625\n\nDenial of Service (DoS) vulnerability, resulting from excessively long scan\ntimes caused by non-recursive zip bombs. Among others, this issue was\nmitigated by introducing a scan time limit.\n\nCVE-2019-12900\n\nOut-of-bounds write in ClamAV's NSIS bzip2 library when attempting\ndecompression in cases where the number of selectors exceeded the max limit\nset by the library.\n\nThis update triggers a transition from libclamav7 to libclama9. As a result,\nseveral other packages will be recompiled against the fixed package after the\nrelease of this update: dansguardian, havp, python-pyclamav, c-icap-modules.\");\n\n script_tag(name:\"affected\", value:\"'clamav' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', these problems have been fixed in version\n0.101.4+dfsg-0+deb8u1.\n\nWe recommend that you upgrade your clamav packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"clamav\", ver:\"0.101.4+dfsg-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"clamav-base\", ver:\"0.101.4+dfsg-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"clamav-daemon\", ver:\"0.101.4+dfsg-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"clamav-dbg\", ver:\"0.101.4+dfsg-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"clamav-docs\", ver:\"0.101.4+dfsg-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"clamav-freshclam\", ver:\"0.101.4+dfsg-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"clamav-milter\", ver:\"0.101.4+dfsg-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"clamav-testfiles\", ver:\"0.101.4+dfsg-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"clamdscan\", ver:\"0.101.4+dfsg-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libclamav-dev\", ver:\"0.101.4+dfsg-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libclamav7\", ver:\"0.101.4+dfsg-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libclamav9\", ver:\"0.101.4+dfsg-0+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-29T19:29:05", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-12900", "CVE-2016-3189"], "description": "The remote host is missing an update for the ", "modified": "2020-01-29T00:00:00", "published": "2019-06-25T00:00:00", "id": "OPENVAS:1361412562310891833", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891833", "type": "openvas", "title": "Debian LTS: Security Advisory for bzip2 (DLA-1833-1)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891833\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2016-3189\", \"CVE-2019-12900\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-06-25 02:00:11 +0000 (Tue, 25 Jun 2019)\");\n script_name(\"Debian LTS: Security Advisory for bzip2 (DLA-1833-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2019/06/msg00021.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DLA-1833-1\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'bzip2'\n package(s) announced via the DLA-1833-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Two issues in bzip2, a high-quality block-sorting file compressor, have\nbeen fixed. One, CVE-2019-12900, is a out-of-bounds write when using a\ncrafted compressed file. The other, CVE-2016-3189, is a potential\nuser-after-free.\");\n\n script_tag(name:\"affected\", value:\"'bzip2' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', these problems have been fixed in version\n1.0.6-7+deb8u1.\n\nWe recommend that you upgrade your bzip2 packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"bzip2\", ver:\"1.0.6-7+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"bzip2-doc\", ver:\"1.0.6-7+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libbz2-1.0\", ver:\"1.0.6-7+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libbz2-dev\", ver:\"1.0.6-7+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-06-27T14:43:35", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-12900", "CVE-2016-3189"], "description": "The remote host is missing an update for the ", "modified": "2019-06-27T00:00:00", "published": "2019-06-27T00:00:00", "id": "OPENVAS:1361412562310844073", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310844073", "type": "openvas", "title": "Ubuntu Update for bzip2 USN-4038-1", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.844073\");\n script_version(\"2019-06-27T06:30:18+0000\");\n script_cve_id(\"CVE-2016-3189\", \"CVE-2019-12900\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-06-27 06:30:18 +0000 (Thu, 27 Jun 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-06-27 02:00:40 +0000 (Thu, 27 Jun 2019)\");\n script_name(\"Ubuntu Update for bzip2 USN-4038-1\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=(UBUNTU18\\.10|UBUNTU19\\.04|UBUNTU18\\.04 LTS|UBUNTU16\\.04 LTS)\");\n\n script_xref(name:\"USN\", value:\"4038-1\");\n script_xref(name:\"URL\", value:\"https://lists.ubuntu.com/archives/ubuntu-security-announce/2019-June/004983.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'bzip2'\n package(s) announced via the USN-4038-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Aladdin Mubaied discovered that bzip2 incorrectly handled certain files.\nAn attacker could possibly use this issue to cause a denial of service.\nThis issue only affected Ubuntu 16.04 LTS. (CVE-2016-3189)\n\nIt was discovered that bzip2 incorrectly handled certain files.\nAn attacker could possibly use this issue to execute arbitrary code.\n(CVE-2019-12900)\");\n\n script_tag(name:\"affected\", value:\"'bzip2' package(s) on Ubuntu 19.04, Ubuntu 18.10, Ubuntu 18.04 LTS, Ubuntu 16.04 LTS.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"UBUNTU18.10\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"bzip2\", ver:\"1.0.6-9ubuntu0.18.10\", rls:\"UBUNTU18.10\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"libbz2-1.0\", ver:\"1.0.6-9ubuntu0.18.10\", rls:\"UBUNTU18.10\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"UBUNTU19.04\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"bzip2\", ver:\"1.0.6-9ubuntu0.19.04\", rls:\"UBUNTU19.04\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"libbz2-1.0\", ver:\"1.0.6-9ubuntu0.19.04\", rls:\"UBUNTU19.04\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"UBUNTU18.04 LTS\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"bzip2\", ver:\"1.0.6-8.1ubuntu0.1\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"libbz2-1.0\", ver:\"1.0.6-8.1ubuntu0.1\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"UBUNTU16.04 LTS\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"bzip2\", ver:\"1.0.6-8ubuntu0.1\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"libbz2-1.0\", ver:\"1.0.6-8ubuntu0.1\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ubuntu": [{"lastseen": "2020-07-02T11:37:47", "bulletinFamily": "unix", "cvelist": ["CVE-2019-12900", "CVE-2016-3189"], "description": "USN-4038-1 fixed several vulnerabilities in bzip2. This update provides \nthe corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM.\n\nOriginal advisory details:\n\nAladdin Mubaied discovered that bzip2 incorrectly handled certain files. \nAn attacker could possibly use this issue to cause a denial of service. \n(CVE-2016-3189)\n\nIt was discovered that bzip2 incorrectly handled certain files. \nAn attacker could possibly use this issue to execute arbitrary code. \n(CVE-2019-12900)", "edition": 2, "modified": "2019-06-26T00:00:00", "published": "2019-06-26T00:00:00", "id": "USN-4038-2", "href": "https://ubuntu.com/security/notices/USN-4038-2", "title": "bzip2 vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-02T11:40:18", "bulletinFamily": "unix", "cvelist": ["CVE-2019-12900", "CVE-2016-3189"], "description": "Aladdin Mubaied discovered that bzip2 incorrectly handled certain files. \nAn attacker could possibly use this issue to cause a denial of service. \nThis issue only affected Ubuntu 16.04 LTS. (CVE-2016-3189)\n\nIt was discovered that bzip2 incorrectly handled certain files. \nAn attacker could possibly use this issue to execute arbitrary code. \n(CVE-2019-12900)", "edition": 2, "modified": "2019-06-26T00:00:00", "published": "2019-06-26T00:00:00", "id": "USN-4038-1", "href": "https://ubuntu.com/security/notices/USN-4038-1", "title": "bzip2 vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-02T11:37:01", "bulletinFamily": "unix", "cvelist": ["CVE-2019-12900", "CVE-2019-12625"], "description": "It was discovered that ClamAV incorrectly handled unpacking ZIP files. A \nremote attacker could possibly use this issue to cause ClamAV to crash, \nresulting in a denial of service. (CVE-2019-12625)\n\nIt was discovered that ClamAV incorrectly handled unpacking bzip2 files. A \nremote attacker could use this issue to cause ClamAV to crash, resulting in \na denial of service, or possibly execute arbitrary code. (CVE-2019-12900)", "edition": 2, "modified": "2019-10-02T00:00:00", "published": "2019-10-02T00:00:00", "id": "USN-4146-1", "href": "https://ubuntu.com/security/notices/USN-4146-1", "title": "ClamAV vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-02T11:43:54", "bulletinFamily": "unix", "cvelist": ["CVE-2019-12900", "CVE-2019-12625"], "description": "USN-4146-1 fixed several vulnerabilities in ClamAV. This update provides \nthe corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM.\n\nOriginal advisory details:\n\nIt was discovered that ClamAV incorrectly handled unpacking ZIP files. A \nremote attacker could possibly use this issue to cause ClamAV to crash, \nresulting in a denial of service. (CVE-2019-12625)\n\nIt was discovered that ClamAV incorrectly handled unpacking bzip2 files. A \nremote attacker could use this issue to cause ClamAV to crash, resulting in \na denial of service, or possibly execute arbitrary code. (CVE-2019-12900)", "edition": 2, "modified": "2019-10-03T00:00:00", "published": "2019-10-03T00:00:00", "id": "USN-4146-2", "href": "https://ubuntu.com/security/notices/USN-4146-2", "title": "ClamAV vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2019-07-02T10:41:48", "bulletinFamily": "unix", "cvelist": ["CVE-2019-12900", "CVE-2016-3189"], "description": "\nbzip2 developers reports:\n\nCVE-2016-3189 - Fix use-after-free in bzip2recover (Jakub Martisko)\nCVE-2019-12900 - Detect out-of-range nSelectors in corrupted files (Albert Astals Cid). Found through fuzzing karchive.\n\n", "edition": 1, "modified": "2019-06-23T00:00:00", "published": "2019-06-23T00:00:00", "id": "4B6CB45D-881E-447A-A4E0-C97A954EA758", "href": "https://vuxml.freebsd.org/freebsd/4b6cb45d-881e-447a-a4e0-c97a954ea758.html", "title": "bzip2 -- multiple issues", "type": "freebsd", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-23T09:39:36", "bulletinFamily": "unix", "cvelist": ["CVE-2019-12900", "CVE-2019-12625"], "description": "\nMicah Snyder reports:\n\n\nAn out of bounds write was possible within ClamAV&s NSIS bzip2 library when attempting decompression in cases where the number of selectors exceeded the max limit set by the library (CVE-2019-12900). The issue has been resolved by respecting that limit.\n The zip bomb vulnerability mitigated in 0.101.3 has been assigned the CVE identifier CVE-2019-12625. Unfortunately, a workaround for the zip-bomb mitigation was immediately identified. To remediate the zip-bomb scan time issue, a scan time limit has been introduced in 0.101.4. This limit now resolves ClamAV's vulnerability to CVE-2019-12625.\n\n\n", "edition": 1, "modified": "2019-08-21T00:00:00", "published": "2019-08-21T00:00:00", "id": "DBD1F627-C43B-11E9-A923-9C5C8E75236A", "href": "https://vuxml.freebsd.org/freebsd/dbd1f627-c43b-11e9-a923-9c5c8e75236a.html", "title": "clamav -- multiple vulnerabilities", "type": "freebsd", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "slackware": [{"lastseen": "2020-10-25T16:36:07", "bulletinFamily": "unix", "cvelist": ["CVE-2016-3189", "CVE-2019-12900"], "description": "New bzip2 packages are available for Slackware 14.0, 14.1, 14.2, and -current\nto fix security issues.\n\n\nHere are the details from the Slackware 14.2 ChangeLog:\n\npatches/packages/bzip2-1.0.8-i586-1_slack14.2.txz: Upgraded.\n Fixes security issues:\n bzip2recover: Fix use after free issue with outFile.\n Make sure nSelectors is not out of range.\n For more information, see:\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3189\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12900\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/bzip2-1.0.8-i486-1_slack14.0.txz\n\nUpdated package for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/bzip2-1.0.8-x86_64-1_slack14.0.txz\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/bzip2-1.0.8-i486-1_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/bzip2-1.0.8-x86_64-1_slack14.1.txz\n\nUpdated package for Slackware 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/bzip2-1.0.8-i586-1_slack14.2.txz\n\nUpdated package for Slackware x86_64 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/bzip2-1.0.8-x86_64-1_slack14.2.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/bzip2-1.0.8-i586-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/a/bzip2-1.0.8-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 14.0 package:\n8a94c11d7ef85966c8cf4eddb169b6b9 bzip2-1.0.8-i486-1_slack14.0.txz\n\nSlackware x86_64 14.0 package:\n86e7066ee23ccbc43912f8fdf242d7f4 bzip2-1.0.8-x86_64-1_slack14.0.txz\n\nSlackware 14.1 package:\n157e83b4270d4520fd1640f3e4a793e9 bzip2-1.0.8-i486-1_slack14.1.txz\n\nSlackware x86_64 14.1 package:\n2a0494c27ffa73deaf9cfe616edbbdbc bzip2-1.0.8-x86_64-1_slack14.1.txz\n\nSlackware 14.2 package:\n49b34a9ebf71d346b1f99c2524d046bc bzip2-1.0.8-i586-1_slack14.2.txz\n\nSlackware x86_64 14.2 package:\n5c6ba8d29eb16000f072a8e364836921 bzip2-1.0.8-x86_64-1_slack14.2.txz\n\nSlackware -current package:\n50e813124cd298552694171a9ca535ef a/bzip2-1.0.8-i586-1.txz\n\nSlackware x86_64 -current package:\nc6f4170f1b14065b4fb2594d8ad73e71 a/bzip2-1.0.8-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg bzip2-1.0.8-i586-1_slack14.2.txz", "modified": "2019-07-15T00:49:37", "published": "2019-07-15T00:49:37", "id": "SSA-2019-195-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2019&m=slackware-security.423144", "type": "slackware", "title": "[slackware-security] bzip2", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "fedora": [{"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2019-12625", "CVE-2019-12900"], "description": "Clam AntiVirus is an anti-virus toolkit for UNIX. The main purpose of this software is the integration with mail servers (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a command line scanner, and a tool for automatic updating via Internet. The programs are based on a shared library distributed with the Clam AntiVirus package, which you can use with your own software. The virus database is based on the virus database from OpenAntiVirus, but contains additional signatures (including signatures for popular polymorphic viruses, too) and is KEPT UP TO DATE. ", "modified": "2019-09-01T07:04:35", "published": "2019-09-01T07:04:35", "id": "FEDORA:1622360151B7", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 29 Update: clamav-0.101.4-1.fc29", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2019-12625", "CVE-2019-12900"], "description": "Clam AntiVirus is an anti-virus toolkit for UNIX. The main purpose of this software is the integration with mail servers (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a command line scanner, and a tool for automatic updating via Internet. The programs are based on a shared library distributed with the Clam AntiVirus package, which you can use with your own software. The virus database is based on the virus database from OpenAntiVirus, but contains additional signatures (including signatures for popular polymorphic viruses, too) and is KEPT UP TO DATE. ", "modified": "2019-08-26T00:53:33", "published": "2019-08-26T00:53:33", "id": "FEDORA:4FD25605CB4A", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 30 Update: clamav-0.101.4-1.fc30", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cloudfoundry": [{"lastseen": "2019-11-15T07:30:49", "bulletinFamily": "software", "cvelist": ["CVE-2019-12900", "CVE-2016-3189"], "description": "# \n\n## Severity\n\nMedium\n\n## Vendor\n\nCanonical Ubuntu\n\n## Versions Affected\n\n * Canonical Ubuntu 16.04\n * Canonical Ubuntu 18.04\n\n## Description\n\nAladdin Mubaied discovered that bzip2 incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-3189)\n\nIt was discovered that bzip2 incorrectly handled certain files. An attacker could possibly use this issue to execute arbitrary code. (CVE-2019-12900)\n\nCVEs contained in this USN include: CVE-2016-3189, CVE-2019-12900\n\n## Affected Cloud Foundry Products and Versions\n\n_Severity is medium unless otherwise noted._\n\n * Cloud Foundry BOSH xenial-stemcells are vulnerable, including: \n * 315.x versions prior to 315.64\n * 250.x versions prior to 250.79\n * 170.x versions prior to 170.107\n * 97.x versions prior to 97.132\n * All other stemcells not listed.\n * All versions of Cloud Foundry cflinuxfs3 prior to 0.107.0\n\n## Mitigation\n\nUsers of affected products are strongly encouraged to follow one of the mitigations below:\n\n * The Cloud Foundry project recommends upgrading the following BOSH xenial-stemcells: \n * Upgrade 315.x versions to 315.64\n * Upgrade 250.x versions to 250.79\n * Upgrade 170.x versions to 170.107\n * Upgrade 97.x versions to 97.132\n * All other stemcells should be upgraded to the latest version available on [bosh.io](<https://bosh.io/stemcells/#ubuntu-xenial>).\n * The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs3 version 0.107.0 or later.\n\n## References\n\n * [USN-4038-1](<https://usn.ubuntu.com/4038-1>)\n * [CVE-2016-3189](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3189>)\n * [CVE-2019-12900](<https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12900>)\n", "edition": 1, "modified": "2019-11-14T00:00:00", "published": "2019-11-14T00:00:00", "id": "CFOUNDRY:35BFCB7A171647D2DB69FB87A494A3FC", "href": "https://www.cloudfoundry.org/blog/usn-4038-1/", "title": "USN-4038-1: bzip2 vulnerabilities | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-30T04:36:53", "bulletinFamily": "software", "cvelist": ["CVE-2019-12900", "CVE-2016-3189"], "description": "# \n\n## Severity\n\nMedium\n\n## Vendor\n\nCanonical Ubuntu\n\n## Versions Affected\n\n * Canonical Ubuntu 14.04\n\n## Description\n\nUSN-4038-1 fixed a vulnerability in bzip2. The update introduced a regression causing bzip2 to incorrect raises CRC errors for some files. This update provides the corresponding update for Ubuntu 12.04 ESM and 14.04 ESM.\n\nWe apologize for the inconvenience.\n\nOriginal advisory details:\n\nIt was discovered that bzip2 incorrectly handled certain files. An attacker could possibly use this issue to execute arbitrary code.\n\nCVEs contained in this USN include: CVE-2016-3189, CVE-2019-12900\n\n## Affected Cloud Foundry Products and Versions\n\n_Severity is medium unless otherwise noted._\n\n * Cloud Foundry BOSH trusty-stemcells are vulnerable, including: \n * 3586.x versions prior to 3586.144\n * 3541.x versions prior to 3541.138\n * 3468.x versions prior to 3468.145\n * All other stemcells not listed.\n\n## Mitigation\n\nUsers of affected products are strongly encouraged to follow one of the mitigations below:\n\n * The Cloud Foundry project recommends upgrading the following BOSH trusty-stemcells: \n * Upgrade 3586.x versions to 3586.144\n * Upgrade 3541.x versions to 3541.138\n * Upgrade 3468.x versions to 3468.145\n * All other stemcells should be upgraded to the latest version available on [bosh.io](<https://bosh.io/stemcells/#ubuntu-trusty>).\n\n## References\n\n * [USN-4038-4](<https://usn.ubuntu.com/4038-4>)\n * [CVE-2016-3189](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3189>)\n * [CVE-2019-12900](<https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12900>)\n", "edition": 1, "modified": "2019-08-29T00:00:00", "published": "2019-08-29T00:00:00", "id": "CFOUNDRY:8D2E715ABF4E942D38CD92E026D73DA9", "href": "https://www.cloudfoundry.org/blog/usn-4038-4/", "title": "USN-4038-4: bzip2 regression | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-30T04:36:48", "bulletinFamily": "software", "cvelist": ["CVE-2019-12900", "CVE-2016-3189"], "description": "# \n\n## Severity\n\nMedium\n\n## Vendor\n\nCanonical Ubuntu\n\n## Versions Affected\n\n * Canonical Ubuntu 16.04\n * Canonical Ubuntu 18.04\n\n## Description\n\nUSN-4038-1 fixed a vulnerability in bzip2. The update introduced a regression causing bzip2 to incorrect raises CRC errors for some files.\n\nWe apologize for the inconvenience.\n\nOriginal advisory details:\n\nIt was discovered that bzip2 incorrectly handled certain files. An attacker could possibly use this issue to execute arbitrary code.\n\nCVEs contained in this USN include: CVE-2016-3189, CVE-2019-12900\n\n## Affected Cloud Foundry Products and Versions\n\n_Severity is medium unless otherwise noted._\n\n * Cloud Foundry BOSH xenial-stemcells are vulnerable, including: \n * 315.x versions prior to 315.70\n * 250.x versions prior to 250.82\n * 170.x versions prior to 170.109\n * 97.x versions prior to 97.134\n * All other stemcells not listed.\n * All versions of Cloud Foundry cflinuxfs3 prior to 0.111.0\n\n## Mitigation\n\nUsers of affected products are strongly encouraged to follow one of the mitigations below:\n\n * The Cloud Foundry project recommends upgrading the following BOSH xenial-stemcells: \n * Upgrade 315.x versions to 315.70\n * Upgrade 250.x versions to 250.82\n * Upgrade 170.x versions to 170.109\n * Upgrade 97.x versions to 97.134\n * All other stemcells should be upgraded to the latest version available on [bosh.io](<https://bosh.io/stemcells/#ubuntu-xenial>).\n * The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs3 version 0.111.0 or later.\n\n## References\n\n * [USN-4038-3](<https://usn.ubuntu.com/4038-3>)\n * [CVE-2016-3189](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3189>)\n * [CVE-2019-12900](<https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12900>)\n", "edition": 1, "modified": "2019-08-29T00:00:00", "published": "2019-08-29T00:00:00", "id": "CFOUNDRY:EDF01D8490471510F59758370F85EB1F", "href": "https://www.cloudfoundry.org/blog/usn-4038-3/", "title": "USN-4038-3: bzip2 regression | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "oracle": [{"lastseen": "2020-12-24T15:41:14", "bulletinFamily": "software", "cvelist": ["CVE-2013-7285", "CVE-2015-1832", "CVE-2015-9251", "CVE-2016-0701", "CVE-2016-1000031", "CVE-2016-1000338", "CVE-2016-1000339", "CVE-2016-1000340", "CVE-2016-1000341", "CVE-2016-1000342", "CVE-2016-1000343", "CVE-2016-1000344", "CVE-2016-1000345", "CVE-2016-1000346", "CVE-2016-1000352", "CVE-2016-10244", "CVE-2016-10328", "CVE-2016-2167", "CVE-2016-2168", "CVE-2016-2183", "CVE-2016-2510", "CVE-2016-3189", "CVE-2016-4800", "CVE-2016-5000", "CVE-2016-5300", "CVE-2016-5725", "CVE-2016-6153", "CVE-2016-6306", "CVE-2016-8610", "CVE-2016-8734", "CVE-2017-10989", "CVE-2017-12626", "CVE-2017-13098", "CVE-2017-13685", "CVE-2017-13745", "CVE-2017-14232", "CVE-2017-15095", "CVE-2017-15286", "CVE-2017-17485", "CVE-2017-3164", "CVE-2017-5644", "CVE-2017-5645", "CVE-2017-5662", "CVE-2017-7525", "CVE-2017-7656", "CVE-2017-7657", "CVE-2017-7658", "CVE-2017-7857", "CVE-2017-7858", "CVE-2017-7864", "CVE-2017-8105", "CVE-2017-8287", "CVE-2017-9096", "CVE-2017-9735", "CVE-2017-9800", "CVE-2018-1000180", "CVE-2018-1000613", "CVE-2018-1000873", "CVE-2018-11054", "CVE-2018-11055", "CVE-2018-11056", "CVE-2018-11057", "CVE-2018-11058", "CVE-2018-11307", "CVE-2018-12022", "CVE-2018-12023", "CVE-2018-12536", "CVE-2018-12538", "CVE-2018-12545", "CVE-2018-14718", "CVE-2018-15769", "CVE-2018-17196", "CVE-2018-18873", "CVE-2018-19139", "CVE-2018-19539", "CVE-2018-19540", "CVE-2018-19541", "CVE-2018-19542", "CVE-2018-19543", "CVE-2018-20346", "CVE-2018-20505", "CVE-2018-20506", "CVE-2018-20570", "CVE-2018-20584", "CVE-2018-20622", "CVE-2018-20843", "CVE-2018-2765", "CVE-2018-3693", "CVE-2018-5382", "CVE-2018-5968", "CVE-2018-6942", "CVE-2018-7489", "CVE-2018-8013", "CVE-2018-8088", "CVE-2018-8740", "CVE-2018-9055", "CVE-2018-9154", "CVE-2018-9252", "CVE-2019-0192", "CVE-2019-0201", "CVE-2019-10072", "CVE-2019-10097", "CVE-2019-1010239", "CVE-2019-10173", "CVE-2019-10241", "CVE-2019-10246", "CVE-2019-10247", "CVE-2019-10744", "CVE-2019-11048", "CVE-2019-11358", "CVE-2019-11477", "CVE-2019-11478", "CVE-2019-11479", "CVE-2019-11834", "CVE-2019-11835", "CVE-2019-11922", "CVE-2019-12086", "CVE-2019-12260", "CVE-2019-12261", "CVE-2019-12384", "CVE-2019-12402", "CVE-2019-12415", "CVE-2019-12419", "CVE-2019-12423", "CVE-2019-12814", "CVE-2019-12900", "CVE-2019-13990", "CVE-2019-14379", "CVE-2019-14540", "CVE-2019-14893", "CVE-2019-1547", "CVE-2019-1549", "CVE-2019-1552", "CVE-2019-1563", "CVE-2019-15903", "CVE-2019-16168", "CVE-2019-16335", "CVE-2019-16942", "CVE-2019-16943", "CVE-2019-17091", "CVE-2019-17267", "CVE-2019-17359", "CVE-2019-17495", "CVE-2019-17531", "CVE-2019-17543", "CVE-2019-17558", "CVE-2019-17569", "CVE-2019-17632", "CVE-2019-17638", "CVE-2019-18348", "CVE-2019-20330", "CVE-2019-2897", "CVE-2019-2904", "CVE-2019-3738", "CVE-2019-3739", "CVE-2019-3740", "CVE-2019-5018", "CVE-2019-5427", "CVE-2019-5435", "CVE-2019-5436", "CVE-2019-5443", "CVE-2019-5481", "CVE-2019-5482", "CVE-2019-8457", "CVE-2019-9511", "CVE-2019-9513", "CVE-2019-9936", "CVE-2019-9937", "CVE-2020-10108", "CVE-2020-10543", "CVE-2020-10650", "CVE-2020-10672", "CVE-2020-10673", "CVE-2020-10683", "CVE-2020-10722", "CVE-2020-10723", "CVE-2020-10724", "CVE-2020-10878", "CVE-2020-10968", "CVE-2020-10969", "CVE-2020-11022", "CVE-2020-11023", "CVE-2020-11080", "CVE-2020-11111", "CVE-2020-11112", "CVE-2020-11113", "CVE-2020-11619", "CVE-2020-11620", "CVE-2020-11655", "CVE-2020-11656", "CVE-2020-11971", "CVE-2020-11972", "CVE-2020-11973", "CVE-2020-11984", "CVE-2020-11993", "CVE-2020-11996", "CVE-2020-12243", "CVE-2020-12723", "CVE-2020-13630", "CVE-2020-13631", "CVE-2020-13632", "CVE-2020-13920", "CVE-2020-13934", "CVE-2020-13935", "CVE-2020-14060", "CVE-2020-14061", "CVE-2020-14062", "CVE-2020-14195", "CVE-2020-14672", "CVE-2020-14731", "CVE-2020-14732", "CVE-2020-14734", "CVE-2020-14735", "CVE-2020-14736", "CVE-2020-14740", "CVE-2020-14741", "CVE-2020-14742", "CVE-2020-14743", "CVE-2020-14744", "CVE-2020-14745", "CVE-2020-14746", "CVE-2020-14752", "CVE-2020-14753", "CVE-2020-14754", "CVE-2020-14757", "CVE-2020-14758", "CVE-2020-14759", "CVE-2020-14760", "CVE-2020-14761", "CVE-2020-14762", "CVE-2020-14763", "CVE-2020-14764", "CVE-2020-14765", "CVE-2020-14766", "CVE-2020-14767", "CVE-2020-14768", "CVE-2020-14769", "CVE-2020-14770", "CVE-2020-14771", "CVE-2020-14772", "CVE-2020-14773", "CVE-2020-14774", "CVE-2020-14775", "CVE-2020-14776", "CVE-2020-14777", "CVE-2020-14778", "CVE-2020-14779", "CVE-2020-14780", "CVE-2020-14781", "CVE-2020-14782", "CVE-2020-14783", "CVE-2020-14784", "CVE-2020-14785", "CVE-2020-14786", "CVE-2020-14787", "CVE-2020-14788", "CVE-2020-14789", "CVE-2020-14790", "CVE-2020-14791", "CVE-2020-14792", "CVE-2020-14793", "CVE-2020-14794", "CVE-2020-14795", "CVE-2020-14796", "CVE-2020-14797", "CVE-2020-14798", "CVE-2020-14799", "CVE-2020-14800", "CVE-2020-14801", "CVE-2020-14802", "CVE-2020-14803", "CVE-2020-14804", "CVE-2020-14805", "CVE-2020-14806", "CVE-2020-14807", "CVE-2020-14808", "CVE-2020-14809", "CVE-2020-14810", "CVE-2020-14811", "CVE-2020-14812", "CVE-2020-14813", "CVE-2020-14814", "CVE-2020-14815", "CVE-2020-14816", "CVE-2020-14817", "CVE-2020-14818", "CVE-2020-14819", "CVE-2020-14820", "CVE-2020-14821", "CVE-2020-14822", "CVE-2020-14823", "CVE-2020-14824", "CVE-2020-14825", "CVE-2020-14826", "CVE-2020-14827", "CVE-2020-14828", "CVE-2020-14829", "CVE-2020-14830", "CVE-2020-14831", "CVE-2020-14832", "CVE-2020-14833", "CVE-2020-14834", "CVE-2020-14835", "CVE-2020-14836", "CVE-2020-14837", "CVE-2020-14838", "CVE-2020-14839", "CVE-2020-14840", "CVE-2020-14841", "CVE-2020-14842", "CVE-2020-14843", "CVE-2020-14844", "CVE-2020-14845", "CVE-2020-14846", "CVE-2020-14847", "CVE-2020-14848", "CVE-2020-14849", "CVE-2020-14850", "CVE-2020-14851", "CVE-2020-14852", "CVE-2020-14853", "CVE-2020-14854", "CVE-2020-14855", "CVE-2020-14856", "CVE-2020-14857", "CVE-2020-14858", "CVE-2020-14859", "CVE-2020-14860", "CVE-2020-14861", "CVE-2020-14862", "CVE-2020-14863", "CVE-2020-14864", "CVE-2020-14865", "CVE-2020-14866", "CVE-2020-14867", "CVE-2020-14868", "CVE-2020-14869", "CVE-2020-14870", "CVE-2020-14871", "CVE-2020-14872", "CVE-2020-14873", "CVE-2020-14875", "CVE-2020-14876", "CVE-2020-14877", "CVE-2020-14878", "CVE-2020-14879", "CVE-2020-14880", "CVE-2020-14881", "CVE-2020-14882", "CVE-2020-14883", "CVE-2020-14884", "CVE-2020-14885", "CVE-2020-14886", "CVE-2020-14887", "CVE-2020-14888", "CVE-2020-14889", "CVE-2020-14890", "CVE-2020-14891", "CVE-2020-14892", "CVE-2020-14893", "CVE-2020-14894", "CVE-2020-14895", "CVE-2020-14896", "CVE-2020-14897", "CVE-2020-14898", "CVE-2020-14899", "CVE-2020-14900", "CVE-2020-14901", "CVE-2020-15358", "CVE-2020-15389", "CVE-2020-1730", "CVE-2020-1935", "CVE-2020-1938", "CVE-2020-1941", "CVE-2020-1945", "CVE-2020-1950", "CVE-2020-1951", "CVE-2020-1953", "CVE-2020-1954", "CVE-2020-1967", "CVE-2020-2555", "CVE-2020-3235", "CVE-2020-3909", "CVE-2020-4051", "CVE-2020-5397", "CVE-2020-5398", "CVE-2020-5407", "CVE-2020-5408", "CVE-2020-7067", "CVE-2020-8172", "CVE-2020-8174", "CVE-2020-8840", "CVE-2020-9281", "CVE-2020-9327", "CVE-2020-9409", "CVE-2020-9410", "CVE-2020-9484", "CVE-2020-9488", "CVE-2020-9489", "CVE-2020-9490", "CVE-2020-9546", "CVE-2020-9547", "CVE-2020-9548"], "description": "A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third-party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Refer to [\u201cCritical Patch Updates, Security Alerts and Bulletins\u201d](<https://www.oracle.com/security-alerts/>) for information about Oracle Security advisories. \n \nStarting with the October 2020 Critical Patch Update, Oracle lists updates that address vulnerabilities in third-party components which are not exploitable in the context of their inclusion in their respective Oracle product beneath the product's risk matrix. Oracle has published two versions of the October 2020 Critical Patch Update Advisory: this version of the advisory implemented the change in how non-exploitable vulnerabilities in third-party components are reported, and the \u201ctraditional\u201d advisory follows the same format as the previous advisories. The \u201ctraditional\u201d advisory is published at <https://www.oracle.com/security-alerts/cpuoct2020traditional.html>. \n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.**\n\nThis Critical Patch Update contains 403 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [ October 2020 Critical Patch Update: Executive Summary and Analysis](<https://support.oracle.com/rs?type=doc&id=2712240.1>).\n", "modified": "2020-12-08T00:00:00", "published": "2020-10-20T00:00:00", "id": "ORACLE:CPUOCT2020", "href": "", "type": "oracle", "title": "Oracle Critical Patch Update Advisory - October 2020", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}
