SUSE SLES12 Security Update : osc (SUSE-SU-2022:4351-1)

critical Nessus Plugin ID 168492

Language:

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLES12 / SLES_SAP12 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:4351-1 advisory.

osc was updated to version 0.182.0 (bsc#1154972, bsc#1144211, bsc#1142662, bsc#1140697, bsc#1138165):

- Added MFA support (jsc#OBS-203).
- CVE-2019-3681: Fixed vulnerability where osc stored downloaded RPMs in network controlled paths (bsc#1122675).
- CVE-2019-3685: Fixed broken TLS certificate handling (bsc#1142518).

Bugfixes:
- Removed use of chardet to guess encoding. Utf-8 or latin-1 is now assumed, which will speed up decoding (bsc#1173926).
- Added helper method _html_escape to enable python3.8 and python2.* compatibility (bsc#1166537).
- Added MR creation to honor orev (bsc#1160446).
- Fixed local build outside of the working copy of a package (bsc#1136584).
- Don't enforce password reuse (bsc#1156501).
- osc vc --file=foo bar.changes now writes the content from foo into bar.changes instead of creating a new file (bsc#1155953).
- Fixed decoding on osc lbl (bsc#1137477).
- Simplified and fixed osc meta -e (bsc#1138977).
- osc lbl now works with non utf8 encoding (bsc#1129889).
- Added full python3 compatibility (bsc#1125243, bsc#1131512, bsc#1129757).
- Fixed slowdown of rbl with readline(bufsize) function (bsc#1127932).
- Fixed osc build -p dir TypeError (bsc#1126055).
- Fixed osc buildinfo -p TypeError (bsc#1126058).
- Added new options --unexpand and --meta to diff command (bsc#1089025).
- Fixed Requires to python-base which does not contain ssl.py (bsc#1097996).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected osc package.

See Also

https://bugzilla.suse.com/1089025

https://bugzilla.suse.com/1097996

https://bugzilla.suse.com/1122675

https://bugzilla.suse.com/1125243

https://bugzilla.suse.com/1126055

https://bugzilla.suse.com/1126058

https://bugzilla.suse.com/1127932

https://bugzilla.suse.com/1129757

https://bugzilla.suse.com/1129889

https://bugzilla.suse.com/1131512

https://bugzilla.suse.com/1136584

https://bugzilla.suse.com/1137477

https://bugzilla.suse.com/1138165

https://bugzilla.suse.com/1138977

https://bugzilla.suse.com/1140697

https://bugzilla.suse.com/1142518

https://bugzilla.suse.com/1142662

https://bugzilla.suse.com/1144211

https://bugzilla.suse.com/1154972

https://bugzilla.suse.com/1155953

https://bugzilla.suse.com/1156501

https://bugzilla.suse.com/1160446

https://bugzilla.suse.com/1166537

https://bugzilla.suse.com/1173926

https://www.suse.com/security/cve/CVE-2019-3681

https://www.suse.com/security/cve/CVE-2019-3685

http://www.nessus.org/u?6dd78780

Plugin Details

Severity: Critical

ID: 168492

File Name: suse_SU-2022-4351-1.nasl

Version: 1.6

Type: Local

Agent: unix

Published: 12/8/2022

Updated: 6/26/2026

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.15

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2019-3685

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2019-3681

Vulnerability Information

CPE: cpe:/o:novell:suse_linux:12, p-cpe:/a:novell:suse_linux:osc

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 12/7/2022

Vulnerability Publication Date: 11/5/2019

Reference Information

CVE: CVE-2019-3681, CVE-2019-3685

SuSE: SUSE-SU-2022:4351-1