Operating System:

[SUSE]

Published:

18 January 2021

Protect yourself against future threats.

//Service

Member Security Incident Notifications

Be proactive with your security and receive our daily Member Security Incident Notifications (MSINs) custom to your network.

Read more
Resources > Security Bulletins > ESB-2021.0200 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0200
                      Security update for open-iscsi
                              18 January 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           open-iscsi
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Reduced Security -- Unknown/Unspecified
Resolution:        Patch/Upgrade

Original Bulletin: 
   https://www.suse.com/support/update/announcement/2021/suse-su-20210127-1

- --------------------------BEGIN INCLUDED TEXT--------------------

SUSE Security Update: Security update for open-iscsi

______________________________________________________________________________

Announcement ID:   SUSE-SU-2021:0127-1
Rating:            important
References:        #1179440 #1179908
Affected Products:
                   SUSE Linux Enterprise Module for Basesystem 15-SP2
______________________________________________________________________________

An update that contains security fixes can now be installed.

Description:

This update for open-iscsi fixes the following issues:

  o Updated to upstream version 2.1.3 as 2.1.3-suse, for bsc#1179908,
    including:
    * uip: check for TCP urgent pointer past end of frame * uip: check for u8
    overflow when processing TCP options * uip: check for header length
    underflow during checksum calculation * fwparam_ppc: Fix memory leak in
    fwparam_ppc.c * iscsiuio: Remove unused macro IFNAMSIZ defined in
    iscsid_ipc.c * fwparam_ppc: Fix illegal memory access in fwparam_ppc.c *
    sysfs: Verify parameter of sysfs_device_get() * fwparam_ppc: Fix NULL
    pointer dereference in find_devtree() * open-iscsi: Clean user_param list
    when process exit * iscsi_net_util: Fix NULL pointer dereference in
    find_vlan_dev() * open-iscsi: Fix NULL pointer dereference in
    mgmt_ipc_read_req() * open-iscsi: Fix invalid pointer deference in
    find_initiator() * iscsiuio: Fix invalid parameter when call fstat() *
    iscsi-iname: Verify open() return value before calling read() *
    iscsi_sysfs: Fix NULL pointer deference in iscsi_sysfs_read_iface


  o Updatged to latest upstream, including: * iscsiadm: Optimize the the
    verification of mode paramters * iscsid: Poll timeout value to 1 minute for
    iscsid * iscsiadm: fix host stats mode coredump * iscsid: fix logging level
    when starting and shutting down daemon * Updated iscsiadm man page. * Fix
    memory leak in sysfs_get_str * libopeniscsiusr: Compare with max int
    instead of max long


  o Systemd unit files should not depend on network.target (bsc#1179440).


  o Updated to latest upstream, including async login ability: * Implement
    login "no_wait" for iscsiadm NODE mode * iscsiadm buffer overflow
    regression when discovering many targets at once * iscsid: Check Invalid
    Session id for stop connection * Add ability to attempt target logins
    asynchronously


  o %service_del_postun_without_restart is now available on SLE More accurately
    it's been introduced in SLE12-SP2+ and SLE15+

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  o SUSE Linux Enterprise Module for Basesystem 15-SP2:
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-127=1

Package List:

  o SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x
    x86_64):
       iscsiuio-0.7.8.6-22.6.1
       iscsiuio-debuginfo-0.7.8.6-22.6.1
       libopeniscsiusr0_2_0-2.1.3-22.6.1
       libopeniscsiusr0_2_0-debuginfo-2.1.3-22.6.1
       open-iscsi-2.1.3-22.6.1
       open-iscsi-debuginfo-2.1.3-22.6.1
       open-iscsi-debugsource-2.1.3-22.6.1
       open-iscsi-devel-2.1.3-22.6.1


References:

  o https://bugzilla.suse.com/1179440
  o https://bugzilla.suse.com/1179908

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYATVkONLKJtyKPYoAQgPqQ//Qrz+7RqIp0kyeqK9QYsD6LW5Mx1npW8R
wiE7RZUdRnwrJ06ANlHGpvnyncrggr4WnMbCs4lRhQ3dlH6+ijeluplAbB7Nziyu
HWJ+NSAI4E4q40LBT3dTUDFT0lFX1AW8HctxUgq+vtBXhIiUL4OnPPGB0Z3FOUjC
BK6Wwc7sZZ8Uonl2ek8KQeRMzcXaDgDaWJ1uh/3YJwA3uWDEo4VkescDG97+VR0r
1uMyj3+kRwilgHvZSBA8bTc9abOdK2AlOfczWtAzqft/8PzCiSKX5EfNrOgjhJRI
dM1BUxPzUnBLfZnCzuaBNLiIPFOEOQQHfQegDHvVeUPzcsQ2n8RTFJ1izbDHIoYj
C1DpDI30AgkfRlwCzWDYK5uwwB3YNih0e6fs1VE8l+1zfgfxFdKu7XgU7mW5DT0O
FiaPuAsYaX+LeN6bqIEP3IpwSzLlx0Lb3/M4NMqxgqD+ziiM2C9vwlhf5UOfgPUv
M1Qe41giKOxiov17tv7+cZjwWeHBZU2k4Cz+0bjqXuTYQ89DkMjaYiyMamIw2PWL
hg9Ig9hHx01h0grNYXsh/Dv4uZ+JzudiuNgy9in9t7O5CXCPvTBLGu3aac7JCW6U
2AOIOZ5F2aw5+weISpzAlWjuTS4oUvP44C9o9VJXi5gMQCm4LXP15VRqMZkdvfEV
atc6WZRcKvw=
=DJwW
-----END PGP SIGNATURE-----