openSUSE Security Update : calamares (openSUSE-2019-2628)

high Nessus Plugin ID 131689

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for calamares fixes the following issues:

- Launch with 'pkexec calamares' in openSUSE Tumbleweed, but launch with 'xdg-su -c calamares' in openSUSE Leap 15.

Update to Calamares 3.2.15:

- 'displaymanager' module now treats 'sysconfig' as a regular entry in the 'displaymanagers' list, and the 'sysconfigSetup' key is used as a shorthand to force only that entry in the list.

- 'machineid' module has been re-written in C++ and extended with a new configuration key to generate urandom pool data.

- 'unpackfs' now supports a special 'sourcefs' value of 'file' for copying single files (optionally with renaming) or directory trees to the target system.

- 'unpackfs' now supports an 'exclude' and 'excludeFile' setting for excluding particular files or patterns from unpacking.

Update to Calamares 3.2.14:

- 'locale' module no longer recognizes the legacy GeoIP configuration. This has been deprecated since Calamares 3.2.8 and is now removed.

- 'packagechooser' module can now be custom-labeled in the overall progress (left-hand column).

- 'displaymanager' module now recognizes KDE Plasma 5.17.

- 'displaymanager' module now can handle Wayland sessions and can detect sessions from their .desktop files.

- 'unpackfs' now has special handling for the 'sourcefs' setting 'file'.

Update to Calamares 3.2.13.

More about upstream changes:

https://calamares.io/calamares-3.2.13-is-out/ and https://calamares.io/calamares-3.2.12-is-out/

Update to Calamares 3.2.11:

- Fix race condition in modules/luksbootkeyfile/main.py (boo#1140256, CVE-2019-13178)

- More about upstream changes in the 3.2 versions can be found at https://calamares.io/ and https://github.com/calamares/calamares/releases

Solution

Update the affected calamares packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1140256

https://bugzilla.opensuse.org/show_bug.cgi?id=1152377

https://calamares.io/

https://calamares.io/calamares-3.2.12-is-out/

https://calamares.io/calamares-3.2.13-is-out/

https://github.com/calamares/calamares/releases

Plugin Details

Severity: High

ID: 131689

File Name: openSUSE-2019-2628.nasl

Version: 1.3

Type: local

Agent: unix

Published: 12/4/2019

Updated: 9/23/2020

Supported Sensors: Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Temporal Vector: E:U/RL:OF/RC:C

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:calamares, p-cpe:/a:novell:opensuse:calamares-branding-upstream, p-cpe:/a:novell:opensuse:calamares-debuginfo, p-cpe:/a:novell:opensuse:calamares-debugsource, p-cpe:/a:novell:opensuse:calamares-webview, p-cpe:/a:novell:opensuse:calamares-webview-debuginfo, cpe:/o:novell:opensuse:15.1

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 12/3/2019

Vulnerability Publication Date: 7/2/2019

Reference Information

CVE: CVE-2019-13178