openSUSE Security Update : ledger (openSUSE-2019-1779)

high Nessus Plugin ID 126909

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for ledger fixes the following issues :

ledger was updated to 3.1.3 :

+ Properly reject postings with a comment right after the flag (bug #1753)

+ Make sorting order of lot information deterministic (bug #1747)

+ Fix bug in tag value parsing (bug #1702)

+ Remove the org command, which was always a hack to begin with (bug #1706)

+ Provide Docker information in README

+ Various small documentation improvements

This also includes the update to 3.1.2 :

+ Increase maximum length for regex from 255 to 4095 (bug #981)

+ Initialize periods from the from/since clause rather than the earliest transaction date (bug #1159)

+ Check balance assertions against the amount after the posting (bug #1147)

+ Allow balance assertions with multiple posts to same account (bug #1187)

+ Fix period duration of 'every X days' and similar statements (bug #370)

+ Make option --force-color not require --color anymore (bug #1109)

+ Add quoted_rfc4180 to allow CSV output with RFC 4180 compliant quoting.

+ Add support for --prepend-format in accounts command

+ Fix handling of edge cases in trim function (bug #520)

+ Fix auto xact posts not getting applied to account total during journal parse (bug #552)

+ Transfer null_post flags to generated postings

+ Fix segfault when using --market with --group-by

+ Use amount_width variable for budget report

+ Keep pending items in budgets until the last day they apply

+ Fix bug where .total used in value expressions breaks totals

+ Make automated transactions work with assertions (bug #1127)

+ Improve parsing of date tokens (bug #1626)

+ Don't attempt to invert a value if it's already zero (bug #1703)

+ Do not parse user-specified init-file twice

+ Fix parsing issue of effective dates (bug #1722, TALOS-2017-0303, CVE-2017-2807)

+ Fix use-after-free issue with deferred postings (bug #1723, TALOS-2017-0304, CVE-2017-2808)

+ Fix possible stack overflow in option parsing routine (bug #1222, CVE-2017-12481)

+ Fix possible stack overflow in date parsing routine (bug #1224, CVE-2017-12482)

+ Fix use-after-free when using --gain (bug #541)

+ Python: Removed double quotes from Unicode values.

+ Python: Ensure that parse errors produce useful RuntimeErrors

+ Python: Expose journal expand_aliases

+ Python: Expose journal_t::register_account

+ Improve bash completion

+ Emacs Lisp files have been moved to https://github.com/ledger/ledger-mode

+ Various documentation improvements

Solution

Update the affected ledger packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1052478

https://bugzilla.opensuse.org/show_bug.cgi?id=1052484

https://bugzilla.opensuse.org/show_bug.cgi?id=1105084

https://github.com/ledger/ledger-mode

Plugin Details

Severity: High

ID: 126909

File Name: openSUSE-2019-1779.nasl

Version: 1.3

Type: local

Agent: unix

Published: 7/22/2019

Updated: 9/23/2020

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:ledger, p-cpe:/a:novell:opensuse:ledger-debuginfo, p-cpe:/a:novell:opensuse:ledger-debugsource, cpe:/o:novell:opensuse:15.1

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 7/21/2019

Vulnerability Publication Date: 8/4/2017

Reference Information

CVE: CVE-2017-12481, CVE-2017-12482, CVE-2017-2807, CVE-2017-2808