
             AUSCERT External Security Bulletin Redistribution

              SUSE-SU-2019:1220-2 Security update for cf-cli
                                3 July 2019


        AusCERT Security Bulletin Summary

Product:           cf-cli
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Access Privileged Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-3781  

Reference:         ESB-2019.1685

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

SUSE Security Update: Security update for cf-cli


Announcement ID:   SUSE-SU-2019:1220-2
Rating:            moderate
References:        #1132242
Cross-References:  CVE-2019-3781
Affected Products:
                   SUSE Linux Enterprise Module for CAP 15-SP1

An update that fixes one vulnerability is now available.


This update for cf-cli fixes the following issues:
cf-cli was updated to version 6.43.0 (bsc#1132242):
Enhancements:

  o `cf curl` supports a new `--fail` flag (primarily for scripting purposes)
    which returns exit code `22` for server errors [story](https://
  o Improves `cf delete-orphaned-routes` such that it uses a different
    endpoint, reducing the chance of a race condition when two users are
    simultaneously deleting orphaned routes and associating routes with
    applications [story](https://www.pivotaltracker.com/story/show/163156064)
  o we've improved the speed of cf services - it now hits a single endpoint
    instead of making individual API calls


  o CVE-2019-3781: CF CLI does not sanitize user's password in verbose/trace/
  o Fixes an issue with running cf login in verbose mode whereby passwords
    containing regex characters were not completely redacted
  o Fixes an issue whereby, when running commands in verbose mode, refresh
    tokens were not completely redacted
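The two redaction defects listed for CVE-2019-3781 share a root cause: a secret that is treated as a pattern, or matched only in the form the redactor expects, can survive in trace output. The following Go program is an added illustration, not code from cf-cli or from SUSE; the trace lines, the password `p.ss*w0rd` and the token values are constructed samples. `naiveRedact` models the failure mode (compiling the secret as a regular expression, so its `.` and `*` change the pattern), and `safeRedact` shows the literal match, the URL-encoded form that appears in form-encoded login requests, and key-based redaction of token fields, which covers refresh tokens whose value the redactor cannot know in advance.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Placeholder written in place of anything redacted.
const hidden = "[PRIVATE DATA HIDDEN]"

// Constructed sample secret. '.' and '*' are regex metacharacters, which is
// what makes naiveRedact below miss it.
const samplePassword = "p.ss*w0rd"

// Constructed sample refresh token (not a real token).
const sampleRefreshToken = "eyJhbGciOi.rrr"

// Constructed trace output, modelled loosely on what a verbose/trace mode
// prints: a JSON login body, a form-encoded token request and the token
// response. None of these lines come from the real CLI.
var sampleTrace = strings.Join([]string{
	`REQUEST BODY: {"username":"alice","password":"` + samplePassword + `"}`,
	"REQUEST BODY: grant_type=password&username=alice&password=" + url.QueryEscape(samplePassword),
	`RESPONSE BODY: {"access_token":"eyJhbGciOi.aaa","refresh_token":"` + sampleRefreshToken + `","token_type":"bearer"}`,
}, "\n")

// naiveRedact compiles the secret itself as a regular expression. This is the
// failure mode the advisory describes: metacharacters in the secret change the
// pattern, so the secret is either not matched or the compile fails outright.
func naiveRedact(trace, secret string) (string, error) {
	re, err := regexp.Compile(secret)
	if err != nil {
		return "", err
	}
	return re.ReplaceAllString(trace, hidden), nil
}

// tokenKeyPattern matches token fields by JSON key rather than by value, so a
// token is redacted even though its value is unknown to the redactor.
var tokenKeyPattern = regexp.MustCompile(`"(access_token|refresh_token)"\s*:\s*"[^"]*"`)

// safeRedact treats the secret as a literal string, also scrubs its
// URL-encoded form (as it appears in form-encoded request bodies), and
// redacts token fields by key.
func safeRedact(trace, secret string) string {
	out := trace
	if secret != "" {
		out = strings.ReplaceAll(out, secret, hidden)
		if enc := url.QueryEscape(secret); enc != secret {
			out = strings.ReplaceAll(out, enc, hidden)
		}
	}
	return tokenKeyPattern.ReplaceAllString(out, `"${1}":"`+hidden+`"`)
}

// leaks reports whether any of the given secrets, literal or URL-encoded,
// still appears in the redacted text.
func leaks(redacted string, secrets ...string) bool {
	for _, s := range secrets {
		if s == "" {
			continue
		}
		if strings.Contains(redacted, s) || strings.Contains(redacted, url.QueryEscape(s)) {
			return true
		}
	}
	return false
}

func main() {
	naive, err := naiveRedact(sampleTrace, samplePassword)
	fmt.Printf("regex-based redaction (err=%v) leaks password: %v\n%s\n\n", err, leaks(naive, samplePassword), naive)
	safe := safeRedact(sampleTrace, samplePassword)
	fmt.Printf("literal + key-based redaction leaks password or token: %v\n%s\n", leaks(safe, samplePassword, sampleRefreshToken), safe)
}
```

Run it with `go run main.go`. With the sample password, `naiveRedact` compiles without error yet leaves the password in both request lines, because `p.ss*w0rd` as a pattern does not match the literal text `p.ss*w0rd` or its encoded form `p.ss%2Aw0rd`; a password containing an unbalanced `(` would instead make the compile fail and redact nothing at all. A redactor that checks its own output with something like `leaks` before the trace is written is a cheap guard against both outcomes.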

Other Bug Fixes:

  o Updates help text for cf curl [story]
  o Now refresh tokens work properly whilst using cf curl with V3 CC API
    endpoints [story]
  o Fixes performance degradation for cf services [story]
  o cf delete-service requires that you are targeting a space [story]
  o cf enable-service-access for a service in an org will succeed if you have
    already enabled access for that service in that org [story]

cf-cli was updated to version 6.42.0:
Minor Enhancements:

  o updated `cf restage` help text and the first line in the command's output
    to indicate that using this command will cause app downtime [story](https:/
  o updated the `cf bind-route-service` help text to clarify usage instructions
  o improved an error message for `cf create-service-broker` to be more helpful
    when the CC API returns a `502` due to an invalid service broker catalog
  o upgraded to Golang 1.11.4 [story](https://www.pivotaltracker.com/story/show
  o added a short name `ue` for `cf unset-env` [story](https://
  o updated `cf marketplace` command to include a new `broker` column to
    prepare for an upcoming services-related feature which will allow services
    to have the same name as long as they are associated with different service
    brokers [story](https://www.pivotaltracker.com/story/show/162699756)


  o fix for `cf enable-service-access -p plan` whereby when we refactored the
    code in CLI `v6.41.0` it created service plan visibilities as part of a
    subsequent run of the command (the unrefactored code skipped creating the
    service plan visibilities); now the command will skip creating service plan
    visibilities as it did prior to the refactor [story](https://
  o updated the `cf rename-buildpack` help text which was missing reference to
    the `-s` stack flag [story](https://www.pivotaltracker.com/story/show/
  o updated help text for when users use `brew search cloudfoundry-cli` [story]
  o now when you run `cf service service-instance` for a route service, the
    route service url appears in the key value table [story](https://

Update to version 6.41.0:

  o updated `cf --help` to include the `delete` command [story](https://

Update to version 6.40.1:
Bug Fixes:

  o Updates the minimum version for the buildpacks-stacks association feature.
    In [CLI v6.39.0](https://github.com/cloudfoundry/cli/releases/tag/v6.39.0),
    when the feature was released, we incorrectly set the minimum cc api
    version as `2.114`. The minimum cc api version is now correctly set to
    [`2.112`](https://github.com/cloudfoundry/capi-release/releases/tag/1.58.0).
  o Fixes a bug with inspecting a service instance (`cf service service-instance`);
    now the `documentation` url displays correctly for services which populate
    that field [story](https://www.pivotaltracker.com/story/show/161251875)

Update to version 6.40.0:
Bug Fixes:

  o Fix bug where trailing slash on cf api would break listing commands for
    older CC APIs [story]. For older versions of CC API, if the API URL had a
    trailing slash, some requests would fail with an "Unknown request" error.
    These requests are now handled properly.

Update to version 6.39.0:

  o for users on cc api 3.27, cf start is enhanced to display the new cf app v3
    output. For users on cc api 3.27 or lower, users will see the same v2
    output. Note that if you use v3 commands to create and start your app, if
    you subsequently use cf stop and cf start, the routes property in cf app
    will not populate even though the route exists [story]
  o for users on cc api 3.27, cf restart is enhanced to display the new cf app
    v3 output. For users on cc api 3.27 or lower, users will see the same v2
    output. [story]
  o for users on cc api 3.27, cf restage is enhanced to display the new cf app
    v3 output. For users on cc api 3.27 or lower, users will see the same v2
    output. [story]
  o improved help text for -d domains for cf push to include examples of usage
  o cf v3-scale displays additional app information [story]
  o if you've created an internal domain, and it is the first domain in cc, the
    CLI will now ignore the internal domain and instead choose the next
    non-internal domain when you push an app [story]

Bug Fixes:

  o Fix for users on macOS attempting to brew install the CF CLI using the
    unreleased master branch of Homebrew [story]
  o Fixes an issue whereby, due to a recent cc api change, when you execute cf
    push and watch the cf app command, the app display returned a 400 error
  o Fixes a bug whereby if you logged in using client credentials (cf auth user
    pass --client-credentials) you were unable to create an org; now create-org
    will assign the role to the user id specified in your manifest [story]
  o fixes an issue introduced when we refactored cf start: as part of that
    work, we stopped blocking on the initial connection with the logging
    backend; now the CLI blocks until the NOAA connection is made, or the
    default dial timeout of five seconds is reached [story]

Update to version 6.38.0:

  o v3-ssh process type now defaults to web [story]
  o Support added for setting tags for user provided service instances [story]
  o Now a warning appears if you attempt to use deprecated properties and
    variable substitution [story]
  o Updated usage so that you can now rename the cf binary and use it with
    every command
  o cf events now displays the Diego cell_id and instance guid in crash events
  o Includes cf service service-instance table display improvements wherein the
    service instance information is now grouped separately from the binding
    information [story]
  o cf service service-instance table display information for user provided
    services changed: status has been added to the table [story]

Bug Fixes:

  o the CLI now properly handles escaped commas in the X-Cf-Warnings header

Update to version 6.37.0:

  o The api/cloudcontroller/ccv2 package has been updated with more functions #
  o Now a warning appears if you are using an API version older than 2.69.0,
    which is no longer officially supported
  o Now the CLI reads the username and password from the environment variables

Bug Fixes:

  o Fixes bug whereby X-Cf-Warnings were not being unescaped when displayed to
    user #1361
  o When using CF_TRACE=1, passwords are now sanitized #1375 and tracker

Update to version 6.36.0:
Bug Fixes:

  o int64 support for cf/flags library, #1333
  o Debian package, #1336
  o Web action flag not working on CLI 0.6.5, #1337
  o When a cf push upload fails/Consul is down, a panic occurs, #1340 and #1351

Update to version 6.35.2:
Bug Fixes:

  o Providing a clearer services authorization warning message when a service
    has been disabled for the organization, fixing #1344

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  o SUSE Linux Enterprise Module for CAP 15-SP1:
    zypper in -t patch SUSE-SLE-Module-CAP-Tools-15-SP1-2019-1220=1

Package List:

  o SUSE Linux Enterprise Module for CAP 15-SP1 (x86_64):


  o https://www.suse.com/security/cve/CVE-2019-3781.html
  o https://bugzilla.suse.com/1132242

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.