SUSE SLED12: atk-devel / atk-doc / atk-lang / dragonbox-devel / fixmath-devel / etc (SUSE-SU-2024:0075-1)

high Nessus Plugin ID 187939

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLED12 / SLED_SAP12 / SLES12 / SLES_SAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:0075-1 advisory.

libreoffice:

- Version update from 7.3.6.2 to 7.5.4.1 (jsc#PED-3561, jsc#PED-3550, jsc#PED-1785):
  * For the highlights of changes of version 7.5 please consult the official release notes:
    https://wiki.documentfoundation.org/ReleaseNotes/7.5
  * For the highlights of changes of version 7.4 please consult the official release notes:
    https://wiki.documentfoundation.org/ReleaseNotes/7.4
  * Security issues fixed:
    - CVE-2023-0950: Fixed stack underflow in ScInterpreter (bsc#1209242)
    - CVE-2023-2255: Fixed vulnerability where remote documents could be loaded without prompt via IFrame (bsc#1211746)
  * Bug fixes:
    - Fix PPTX shadow effect for table offset (bsc#1204040)
    - Fix ability to set the default tab size for each text object (bsc#1198666)
    - Fix PPTX extra vertical space between different text formats (bsc#1200085)
    - Do not use binutils-gold as the package is unmaintained and will be removed in the future (bsc#1210687)
  * Updated bundled dependencies:
    * boost version update from 1_77_0 to 1_80_0
    * curl version update from 7.83.1 to 8.0.1
    * icu4c-data version update from 70_1 to 72_1
    * icu4c version update from 70_1 to 72_1
    * pdfium version update from 4699 to 5408
    * poppler version update from 21.11.0 to 22.12.0
    * poppler-data version update from 0.4.10 to 0.4.11
    * skia version from m97-a7230803d64ae9d44f4e128244480111a3ae967 to m103-b301ff025004c9cd82816c86c547588e6c24b466
  * New build dependencies:
    * fixmath-devel
    * libwebp-devel
    * zlib-devel
    * dragonbox-devel
    * at-spi2-core-devel
    * libtiff-devel

dragonbox:

- New package at version 1.1.3 (jsc#PED-1785)
  * New dependency for LibreOffice 7.4

fixmath:

- New package at version 2022.07.20 (jsc#PED-1785)
  * New dependency for LibreOffice 7.4

libmwaw:

- Version update from 0.3.20 to 0.3.21 (jsc#PED-1785):
  * Add debug code to read some private rsrc data
  * Allow to read some MacWrite which does not have printer informations
  * Add a parser for Scoop files
  * Add a parser for ScriptWriter files
  * Add a parser for ReadySetGo 1-4 files

xmlsec1:

- Version update from 1.2.28 to 1.2.37 required by LibreOffice 7.5.2.2 (jsc#PED-3561, jsc#PED-3550):
  * Retired the XMLSec mailing list '[email protected]' and the XMLSec Online Signature Verifier.
  * Migration to OpenSSL 3.0 API. Note that OpenSSL engines are disabled by default when XMLSec library is compiled against OpenSSL 3.0.
    To re-enable OpenSSL engines, use `--enable-openssl3-engines` configure flag (there will be a lot of deprecation warnings).
  * The OpenSSL before 1.1.0 and LibreSSL before 2.7.0 are now deprecated and will be removed in the future versions of XMLSec Library.
  * Refactored all the integer casts to ensure cast-safety. Fixed all warnings and enabled `-Werror` and `-pedantic` flags on CI builds.
  * Added configure flag to use size_t for xmlSecSize (currently disabled by default for backward compatibility).
  * Support for OpenSSL compiled with OPENSSL_NO_ERR.
  * Full support for LibreSSL 3.5.0 and above
  * Several other small fixes
  * Fix decrypting session key for two recipients
  * Added `--privkey-openssl-engine` option to enhance openssl engine support
  * Remove MD5 for NSS 3.59 and above
  * Fix PKCS12_parse return code handling
  * Fix OpenSSL lookup
  * xmlSecX509DataGetNodeContent(): don't return 0 for non-empty elements - fix for LibreOffice
  * Unload error strings in OpenSSL shutdown.
  * Make userData available when executing preExecCallback function
  * Add an option to use secure memset.
  * Enabled XML_PARSE_HUGE for all xml parsers.
  * Various build and tests fixes and improvements.
  * Move remaining private header files away from `xmlsec/include/` folder
- Other packaging changes:
  * Relax the crypto policies for the test-suite. It allows the tests using certificates with small key lengths to pass.
  * Pass `--disable-md5` to configure: The cryptographic strength of the MD5 algorithm is sufficiently doubtful that its use is discouraged at this time. It is not listed as an algorithm in [XMLDSIG-CORE1] https://www.w3.org/TR/xmlsec-algorithms/#bib-XMLDSIG-CORE1

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://bugzilla.suse.com/1198666

https://bugzilla.suse.com/1200085

https://bugzilla.suse.com/1204040

https://bugzilla.suse.com/1209242

https://bugzilla.suse.com/1210687

https://bugzilla.suse.com/1211746

https://www.suse.com/security/cve/CVE-2023-0950

https://www.suse.com/security/cve/CVE-2023-2255

http://www.nessus.org/u?c1eb8062

Plugin Details

Severity: High

ID: 187939

File Name: suse_SU-2024-0075-1.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 1/11/2024

Updated: 6/25/2026

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, tenable_cloud_security, tenable_self_hosted_container_security, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 5.3

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2023-0950

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:libreoffice-writer-extensions, p-cpe:/a:novell:suse_linux:libreoffice-l10n-sk, p-cpe:/a:novell:suse_linux:xmlsec1-nss-devel, p-cpe:/a:novell:suse_linux:libreoffice-l10n-gu, p-cpe:/a:novell:suse_linux:libreoffice-l10n-ja, p-cpe:/a:novell:suse_linux:libxmlsec1-nss1, p-cpe:/a:novell:suse_linux:libreoffice-l10n-lt, p-cpe:/a:novell:suse_linux:libreoffice-l10n-zu, p-cpe:/a:novell:suse_linux:libreoffice-l10n-zh_tw, p-cpe:/a:novell:suse_linux:libreoffice-l10n-it, p-cpe:/a:novell:suse_linux:libreoffice-l10n-zh_cn, p-cpe:/a:novell:suse_linux:libreoffice-officebean, p-cpe:/a:novell:suse_linux:xmlsec1-gcrypt-devel, p-cpe:/a:novell:suse_linux:atk-lang, p-cpe:/a:novell:suse_linux:libreoffice-mailmerge, p-cpe:/a:novell:suse_linux:libreoffice-l10n-uk, p-cpe:/a:novell:suse_linux:libreoffice-branding-upstream, p-cpe:/a:novell:suse_linux:libreoffice-l10n-pt_pt, p-cpe:/a:novell:suse_linux:libxmlsec1-gcrypt1, p-cpe:/a:novell:suse_linux:xmlsec1, p-cpe:/a:novell:suse_linux:libreoffice-icon-themes, p-cpe:/a:novell:suse_linux:libreoffice-l10n-fi, p-cpe:/a:novell:suse_linux:libreoffice-l10n-nn, p-cpe:/a:novell:suse_linux:libreoffice-l10n-pt_br, p-cpe:/a:novell:suse_linux:xmlsec1-devel, p-cpe:/a:novell:suse_linux:libreoffice-librelogo, p-cpe:/a:novell:suse_linux:xmlsec1-gnutls-devel, p-cpe:/a:novell:suse_linux:libreoffice-l10n-ar, p-cpe:/a:novell:suse_linux:libreoffice-l10n-hi, p-cpe:/a:novell:suse_linux:libmwaw-0_3-3, p-cpe:/a:novell:suse_linux:libreoffice-filters-optional, p-cpe:/a:novell:suse_linux:atk-devel, p-cpe:/a:novell:suse_linux:libxmlsec1-gnutls1, p-cpe:/a:novell:suse_linux:libxmlsec1-openssl1, p-cpe:/a:novell:suse_linux:libreoffice-l10n-nl, p-cpe:/a:novell:suse_linux:libreoffice-l10n-es, p-cpe:/a:novell:suse_linux:fixmath-devel, p-cpe:/a:novell:suse_linux:libreoffice-l10n-af, p-cpe:/a:novell:suse_linux:xmlsec1-openssl-devel, p-cpe:/a:novell:suse_linux:libreoffice-l10n-ro, p-cpe:/a:novell:suse_linux:dragonbox-devel, 
p-cpe:/a:novell:suse_linux:libatk-1_0-0-32bit, p-cpe:/a:novell:suse_linux:libreoffice-base, p-cpe:/a:novell:suse_linux:libreoffice-base-drivers-postgresql, p-cpe:/a:novell:suse_linux:libxmlsec1-1, p-cpe:/a:novell:suse_linux:libreoffice-l10n-de, p-cpe:/a:novell:suse_linux:libreoffice-l10n-fr, p-cpe:/a:novell:suse_linux:libreoffice-l10n-hr, p-cpe:/a:novell:suse_linux:libreoffice-l10n-bg, p-cpe:/a:novell:suse_linux:libreoffice-sdk, p-cpe:/a:novell:suse_linux:libatk-1_0-0, p-cpe:/a:novell:suse_linux:libreoffice-l10n-ko, p-cpe:/a:novell:suse_linux:libreoffice-l10n-sv, p-cpe:/a:novell:suse_linux:libreoffice-l10n-pl, p-cpe:/a:novell:suse_linux:libreoffice-l10n-xh, p-cpe:/a:novell:suse_linux:libreoffice-calc-extensions, p-cpe:/a:novell:suse_linux:libreoffice-impress, p-cpe:/a:novell:suse_linux:libmwaw-devel, p-cpe:/a:novell:suse_linux:libmwaw-devel-doc, p-cpe:/a:novell:suse_linux:libreoffice-gtk3, p-cpe:/a:novell:suse_linux:libreoffice, p-cpe:/a:novell:suse_linux:libreoffice-l10n-da, p-cpe:/a:novell:suse_linux:libreoffice-l10n-en, p-cpe:/a:novell:suse_linux:atk-doc, p-cpe:/a:novell:suse_linux:libreoffice-l10n-nb, p-cpe:/a:novell:suse_linux:libreoffice-gnome, p-cpe:/a:novell:suse_linux:libreoffice-calc, p-cpe:/a:novell:suse_linux:libreoffice-writer, p-cpe:/a:novell:suse_linux:libreoffice-draw, p-cpe:/a:novell:suse_linux:libreoffice-pyuno, p-cpe:/a:novell:suse_linux:libreoffice-l10n-hu, cpe:/o:novell:suse_linux:12, p-cpe:/a:novell:suse_linux:libreoffice-l10n-ru, p-cpe:/a:novell:suse_linux:libreoffice-l10n-cs, p-cpe:/a:novell:suse_linux:libreoffice-math, p-cpe:/a:novell:suse_linux:typelib-1_0-atk-1_0, p-cpe:/a:novell:suse_linux:libreoffice-l10n-ca

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 1/10/2024

Vulnerability Publication Date: 5/25/2023

Reference Information

CVE: CVE-2023-0950, CVE-2023-2255

IAVB: 2023-B-0037-S

SuSE: SUSE-SU-2024:0075-1