SuseOPENSUSE-SU-2021:1279-1Security update for haserl (moderate)
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
2.1 Low
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:L/Au:N/C:P/I:N/A:N
An update that fixes one vulnerability is now available.
Description:
This update for haserl fixes the following issues:
Update to version 0.9.36:
- Fixed: Its possible to issue a PUT request without a CONTENT-TYPE.
Assume an octet-stream in that case. This is CVE-2021-29133 and
boo#1187671 - Change the Prefix for variables to be the REQUEST_METHOD
(PUT/DELETE/GET/POST) THIS IS A BREAKING CHANGE - Mitigations vs running haserl to get access to files not available to
the user.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.
Alternatively you can run the command listed for your product:
-
openSUSE Leap 15.2:
zypper in -t patch openSUSE-2021-1279=1
-
openSUSE Backports SLE-15-SP3:
zypper in -t patch openSUSE-2021-1279=1
-
openSUSE Backports SLE-15-SP2:
zypper in -t patch openSUSE-2021-1279=1
-
openSUSE Backports SLE-15-SP1:
zypper in -t patch openSUSE-2021-1279=1
Related
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
2.1 Low
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:L/Au:N/C:P/I:N/A:N