Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2021.0200 Security update for open-iscsi 18 January 2021 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: open-iscsi Publisher: SUSE Operating System: SUSE Impact/Access: Reduced Security -- Unknown/Unspecified Resolution: Patch/Upgrade Original Bulletin: https://www.suse.com/support/update/announcement/2021/suse-su-20210127-1 - --------------------------BEGIN INCLUDED TEXT-------------------- SUSE Security Update: Security update for open-iscsi ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:0127-1 Rating: important References: #1179440 #1179908 Affected Products: SUSE Linux Enterprise Module for Basesystem 15-SP2 ______________________________________________________________________________ An update that contains security fixes can now be installed. Description: This update for open-iscsi fixes the following issues: o Updated to upstream version 2.1.3 as 2.1.3-suse, for bsc#1179908, including: * uip: check for TCP urgent pointer past end of frame * uip: check for u8 overflow when processing TCP options * uip: check for header length underflow during checksum calculation * fwparam_ppc: Fix memory leak in fwparam_ppc.c * iscsiuio: Remove unused macro IFNAMSIZ defined in iscsid_ipc.c * fwparam_ppc: Fix illegal memory access in fwparam_ppc.c * sysfs: Verify parameter of sysfs_device_get() * fwparam_ppc: Fix NULL pointer dereference in find_devtree() * open-iscsi: Clean user_param list when process exit * iscsi_net_util: Fix NULL pointer dereference in find_vlan_dev() * open-iscsi: Fix NULL pointer dereference in mgmt_ipc_read_req() * open-iscsi: Fix invalid pointer deference in find_initiator() * iscsiuio: Fix invalid parameter when call fstat() * iscsi-iname: Verify open() return value before calling read() * iscsi_sysfs: Fix NULL pointer deference in iscsi_sysfs_read_iface o Updatged to latest upstream, including: * iscsiadm: Optimize the the verification of mode paramters * iscsid: Poll timeout value to 1 minute for iscsid * iscsiadm: fix host stats mode coredump * iscsid: fix logging level when starting and shutting down daemon * Updated iscsiadm man page. * Fix memory leak in sysfs_get_str * libopeniscsiusr: Compare with max int instead of max long o Systemd unit files should not depend on network.target (bsc#1179440). o Updated to latest upstream, including async login ability: * Implement login "no_wait" for iscsiadm NODE mode * iscsiadm buffer overflow regression when discovering many targets at once * iscsid: Check Invalid Session id for stop connection * Add ability to attempt target logins asynchronously o %service_del_postun_without_restart is now available on SLE More accurately it's been introduced in SLE12-SP2+ and SLE15+ Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: o SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-127=1 Package List: o SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): iscsiuio-0.7.8.6-22.6.1 iscsiuio-debuginfo-0.7.8.6-22.6.1 libopeniscsiusr0_2_0-2.1.3-22.6.1 libopeniscsiusr0_2_0-debuginfo-2.1.3-22.6.1 open-iscsi-2.1.3-22.6.1 open-iscsi-debuginfo-2.1.3-22.6.1 open-iscsi-debugsource-2.1.3-22.6.1 open-iscsi-devel-2.1.3-22.6.1 References: o https://bugzilla.suse.com/1179440 o https://bugzilla.suse.com/1179908 - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBYATVkONLKJtyKPYoAQgPqQ//Qrz+7RqIp0kyeqK9QYsD6LW5Mx1npW8R wiE7RZUdRnwrJ06ANlHGpvnyncrggr4WnMbCs4lRhQ3dlH6+ijeluplAbB7Nziyu HWJ+NSAI4E4q40LBT3dTUDFT0lFX1AW8HctxUgq+vtBXhIiUL4OnPPGB0Z3FOUjC BK6Wwc7sZZ8Uonl2ek8KQeRMzcXaDgDaWJ1uh/3YJwA3uWDEo4VkescDG97+VR0r 1uMyj3+kRwilgHvZSBA8bTc9abOdK2AlOfczWtAzqft/8PzCiSKX5EfNrOgjhJRI dM1BUxPzUnBLfZnCzuaBNLiIPFOEOQQHfQegDHvVeUPzcsQ2n8RTFJ1izbDHIoYj C1DpDI30AgkfRlwCzWDYK5uwwB3YNih0e6fs1VE8l+1zfgfxFdKu7XgU7mW5DT0O FiaPuAsYaX+LeN6bqIEP3IpwSzLlx0Lb3/M4NMqxgqD+ziiM2C9vwlhf5UOfgPUv M1Qe41giKOxiov17tv7+cZjwWeHBZU2k4Cz+0bjqXuTYQ89DkMjaYiyMamIw2PWL hg9Ig9hHx01h0grNYXsh/Dv4uZ+JzudiuNgy9in9t7O5CXCPvTBLGu3aac7JCW6U 2AOIOZ5F2aw5+weISpzAlWjuTS4oUvP44C9o9VJXi5gMQCm4LXP15VRqMZkdvfEV atc6WZRcKvw= =DJwW -----END PGP SIGNATURE-----