-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2018.2565.3
                        Security update for cobbler
                             5 September 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           cobbler
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Increased Privileges   -- Remote/Unauthenticated      
                   Create Arbitrary Files -- Remote/Unauthenticated      
                   Cross-site Scripting   -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1000226 CVE-2018-1000225 CVE-2018-10931

Reference:         ESB-2018.2299

Original Bulletin: 
   https://www.suse.com/support/update/announcement/2018/suse-su-20182550-1/
   https://www.suse.com/support/update/announcement/2018/suse-su-20182551-1/
   https://www.suse.com/support/update/announcement/2018/suse-su-20182561-1/
   https://www.suse.com/support/update/announcement/2018/suse-su-20182608-1/

Comment: This bulletin contains four (4) SUSE security advisories.

Revision History:  September  5 2018: Added SUSE-SU-2018:2608-1
                   August    31 2018: Added additional bulletin
                   August    30 2018: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

   SUSE Security Update: Security update for cobbler
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:2550-1
Rating:             important
References:         #1104189 #1104287
Cross-References:   CVE-2018-10931
Affected Products:
                    SUSE Linux Enterprise Server 11-SP4-CLIENT-TOOLS
                    SUSE Linux Enterprise Server 11-SP3-CLIENT-TOOLS
______________________________________________________________________________

   An update that solves one vulnerability and has one errata
   is now available.

Description:

   This update for cobbler fixes the following issues:

   Security issue fixed:

   - CVE-2018-10931: Forbid exposure of private methods in the API
     (bsc#1104287, bsc#1104189)


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SP4-CLIENT-TOOLS:

      zypper in -t patch slesctsp4-cobbler-13758=1

   - SUSE Linux Enterprise Server 11-SP3-CLIENT-TOOLS:

      zypper in -t patch slesctsp3-cobbler-13758=1



Package List:

   - SUSE Linux Enterprise Server 11-SP4-CLIENT-TOOLS (i586 ia64 ppc64 s390x
     x86_64):

      koan-2.2.2-0.68.6.1

   - SUSE Linux Enterprise Server 11-SP3-CLIENT-TOOLS (i586 ia64 ppc64 s390x
     x86_64):

      koan-2.2.2-0.68.6.1


References:

   https://www.suse.com/security/cve/CVE-2018-10931.html
   https://bugzilla.suse.com/1104189
   https://bugzilla.suse.com/1104287

- -------------------------------------------------------------------------------

   SUSE Security Update: Security update for cobbler
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:2551-1
Rating:             important
References:         #1101670 #1104189 #1104190 #1104287 #1105440
                    #1105442
Cross-References:   CVE-2018-1000225 CVE-2018-1000226 CVE-2018-10931

Affected Products:
                    SUSE Manager Server 3.2
______________________________________________________________________________

   An update that solves three vulnerabilities and has three
   fixes is now available.

Description:

   This update for cobbler fixes the following issues:

   Security issues fixed:

   - Forbid exposure of private methods in the API (CVE-2018-10931,
     CVE-2018-1000225, bsc#1104287, bsc#1104189, bsc#1105442)
   - Check access token when calling 'modify_setting' API endpoint
     (bsc#1104190, bsc#1105440, CVE-2018-1000226)

   Other bugs fixed:

   - Fix kernel options when generating bootiso (bsc#1101670)


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Manager Server 3.2:

      zypper in -t patch SUSE-SUSE-Manager-Server-3.2-2018-1788=1



Package List:

   - SUSE Manager Server 3.2 (noarch):

      cobbler-2.6.6-6.7.1


References:

   https://www.suse.com/security/cve/CVE-2018-1000225.html
   https://www.suse.com/security/cve/CVE-2018-1000226.html
   https://www.suse.com/security/cve/CVE-2018-10931.html
   https://bugzilla.suse.com/1101670
   https://bugzilla.suse.com/1104189
   https://bugzilla.suse.com/1104190
   https://bugzilla.suse.com/1104287
   https://bugzilla.suse.com/1105440
   https://bugzilla.suse.com/1105442

- -------------------------------------------------------------------------------

   SUSE Security Update: Security update for cobbler
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:2561-1
Rating:             important
References:         #1097733 #1101670 #1104189 #1104190 #1104287
                    #1105440 #1105442
Cross-References:   CVE-2018-1000225 CVE-2018-1000226 CVE-2018-10931

Affected Products:
                    SUSE OpenStack Cloud 8
                    SUSE Manager Tools 12
                    SUSE Manager Server 3.0
                    HPE Helion Openstack 8
______________________________________________________________________________

   An update that solves three vulnerabilities and has four
   fixes is now available.

Description:

   This update for cobbler fixes the following issues:

   Security issues fixed:

   - Forbid exposure of private methods in the API (CVE-2018-10931,
     CVE-2018-1000225, bsc#1104287, bsc#1104189, bsc#1105442)
   - Check access token when calling 'modify_setting' API endpoint
     (bsc#1104190, bsc#1105440, CVE-2018-1000226)

   Other bugs fixed:

   - Do not try to hardlink to a symlink. The result will be a dangling
     symlink in the general case. (bsc#1097733)
   - fix kernel options when generating bootiso (bsc#1101670)


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 8:

      zypper in -t patch SUSE-OpenStack-Cloud-8-2018-1795=1

   - SUSE Manager Tools 12:

      zypper in -t patch SUSE-SLE-Manager-Tools-12-2018-1795=1

   - SUSE Manager Server 3.0:

      zypper in -t patch SUSE-SUSE-Manager-Server-3.0-2018-1795=1

   - HPE Helion Openstack 8:

      zypper in -t patch HPE-Helion-OpenStack-8-2018-1795=1



Package List:

   - SUSE OpenStack Cloud 8 (noarch):

      cobbler-2.6.6-49.14.1

   - SUSE Manager Tools 12 (noarch):

      koan-2.6.6-49.14.1

   - SUSE Manager Server 3.0 (noarch):

      cobbler-2.6.6-49.14.1

   - HPE Helion Openstack 8 (noarch):

      cobbler-2.6.6-49.14.1


References:

   https://www.suse.com/security/cve/CVE-2018-1000225.html
   https://www.suse.com/security/cve/CVE-2018-1000226.html
   https://www.suse.com/security/cve/CVE-2018-10931.html
   https://bugzilla.suse.com/1097733
   https://bugzilla.suse.com/1101670
   https://bugzilla.suse.com/1104189
   https://bugzilla.suse.com/1104190
   https://bugzilla.suse.com/1104287
   https://bugzilla.suse.com/1105440
   https://bugzilla.suse.com/1105442

- -------------------------------------------------------------------------------

   SUSE Security Update: Security update for cobbler
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:2608-1
Rating:             important
References:         #1101670 #1104189 #1104190 #1104287 #1105440 
                    #1105442 
Cross-References:   CVE-2018-1000225 CVE-2018-1000226 CVE-2018-10931
                   
Affected Products:
                    SUSE Manager Server 3.1
______________________________________________________________________________

   An update that solves three vulnerabilities and has three
   fixes is now available.

Description:

   This update for cobbler fixes the following issues:

   Security issues fixed:

   - Forbid exposure of private methods in the API (CVE-2018-10931,
     CVE-2018-1000225, bsc#1104287, bsc#1104189, bsc#1105442)
   - Check access token when calling 'modify_setting' API endpoint
     (bsc#1104190, bsc#1105440, CVE-2018-1000226)

   Other bugs fixed:

   - Fix kernel options when generating bootiso (bsc#1101670)


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Manager Server 3.1:

      zypper in -t patch SUSE-SUSE-Manager-Server-3.1-2018-1832=1



Package List:

   - SUSE Manager Server 3.1 (noarch):

      cobbler-2.6.6-5.17.1


References:

   https://www.suse.com/security/cve/CVE-2018-1000225.html
   https://www.suse.com/security/cve/CVE-2018-1000226.html
   https://www.suse.com/security/cve/CVE-2018-10931.html
   https://bugzilla.suse.com/1101670
   https://bugzilla.suse.com/1104189
   https://bugzilla.suse.com/1104190
   https://bugzilla.suse.com/1104287
   https://bugzilla.suse.com/1105440
   https://bugzilla.suse.com/1105442

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBW49LvmaOgq3Tt24GAQj4IA//TC3Jt+V9aqKzexF/RDz14aX60+jBhxrQ
V22YG85v8RWdNkJiRtNnHa5reHMiZb8O49AGVh7uviNpoeoIwh/CoyUkwPN/mjoc
jXl55SKKEXpG3gzirsFJbFa7b4gflGmTBNfQRYgdq6+lqKgGjv1ZwMHmxCxfA97X
V9Wj73hr0ILfSBhfLB0IaD3PvCzbcuVcztO4FunXphlBF1303fJT101nUn/0C8Oa
0oTVlmpjOp7Tli/Y5DZU1bjNH2AohwJ6s2ojbkJrRW/8pO5widYDi7B5f7L1beNS
co/xmALxnZYc1E4mOgVVPiNggRPw1xe3PIQtRCQlZurVL8451EpoKipzJ2haJzfL
SGYTwkolbCc9mvvRWtGJecdJWFjMKhiQRrSwhZCW1FreXAjpRAou0BVo2YaBlI7d
yTjALm5AVJWQHrpLVKFWlkyxoY0kJrSTDDvGfPyCHlC/uTn91D6XRpUVFj2zpaMW
QaPrXFnh0kuQ5FHwV/5eUTGV7OZG4w6RRq23y24g1lsS1kcLf3MgrMgSzKkw5HzO
O6npbInt1JSVJ7VCjnQmxmHRYI/k6yC3/zARzZHgrg/dNjfp9k2tj7TO5+GvkpQv
U5QgCfC7FDiAsFaUW4v4HqX2q89wxkKUzV0JH5SIbfooRCyeLSQTCDddSSMx4mcg
Q4PyaH2Wwh0=
=kYGn
-----END PGP SIGNATURE-----