Lucene search

K
suseSuseOPENSUSE-SU-2021:1840-1
HistoryJul 11, 2021 - 12:00 a.m.

Security update for xstream (important)

2021-07-1100:00:00
lists.opensuse.org
12

9.9 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

An update that fixes 11 vulnerabilities is now available.

Description:

This update for xstream fixes the following issues:

  • Upgrade to 1.4.16
  • CVE-2021-21351: remote attacker to load and execute arbitrary code
    (bsc#1184796)
  • CVE-2021-21349: SSRF can lead to a remote attacker to request data from
    internal resources (bsc#1184797)
  • CVE-2021-21350: arbitrary code execution (bsc#1184380)
  • CVE-2021-21348: remote attacker could cause denial of service by
    consuming maximum CPU time (bsc#1184374)
  • CVE-2021-21347: remote attacker to load and execute arbitrary code from
    a remote host (bsc#1184378)
  • CVE-2021-21344: remote attacker could load and execute arbitrary code
    from a remote host (bsc#1184375)
  • CVE-2021-21342: server-side forgery (bsc#1184379)
  • CVE-2021-21341: remote attacker could cause a denial of service by
    allocating 100% CPU time (bsc#1184377)
  • CVE-2021-21346: remote attacker could load and execute arbitrary code
    (bsc#1184373)
  • CVE-2021-21345: remote attacker with sufficient rights could execute
    commands (bsc#1184372)
  • CVE-2021-21343: replace or inject objects, that result in the deletion
    of files on the local host (bsc#1184376)

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

  • openSUSE Leap 15.3:

    zypper in -t patch openSUSE-SLE-15.3-2021-1840=1

OSVersionArchitecturePackageVersionFilename
openSUSE Leap15.3noarch< - openSUSE Leap 15.3 (noarch):- openSUSE Leap 15.3 (noarch):.noarch.rpm

9.9 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

Related for OPENSUSE-SU-2021:1840-1