suse-su-2015:0863-1
Vulnerability from csaf_suse
Published: 2015-05-05 23:49
Modified: 2015-05-05 23:49
Summary: Security update for SUSE Studio
Notes
Title of the patch
Security update for SUSE Studio
Description of the patch
This update provides SUSE Studio 1.3.10, including Amazon's EC2 support for
SUSE Linux Enterprise 12 appliances.
Additionally, the update includes fixes for the following issues:
* #904372 - Arbitrary file existence disclosure in sprockets gem (CVE-2014-7819)
* #904375 - Arbitrary file existence disclosure in Action Pack gem (CVE-2014-7818)
* #918203 - Arbitrary file existence disclosure in Studio Onsite (CVE-2014-7829)
* #852794 - SLES 11-SP3 templates fail to build x86_64 EC2 images
* #914765 - Change of appliance name is not displayed in appliance's change log
* #887893 - Change log not accessible via API
* #918239 - Failure to create new appliances after upgrade to Studio Onsite 1.3.9
* #918395 - Remove 32bit as target for building EC2 appliances
* #912512 - Studio doesn't allow duplicated repositories
* #880078 - Studio packages contain files that get modified (by Studio) after installation.
* #919037 - Can't open appliance on Gallery: undefined restructure_unsupportable_packages method.
Security Issues:
* CVE-2014-7819 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7819>
* CVE-2014-7818 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7818>
* CVE-2014-7829 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7829>
Patchnames
slestso13-susestudio-1310-201502
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Security update for SUSE Studio", "title": "Title of the patch" }, { "category": "description", "text": "\nThis update provides SUSE Studio 1.3.10, including Amazon\u0027s EC2 support for \nSUSE Linux Enterprise 12 appliances.\n\nAdditionally, the update includes fixes for the following issues:\n\n * #904372 - Arbitrary file existence disclosure in sprockets gem\n (CVE-2014-7819)\n * #904375 - Arbitrary file existence disclosure in Action Pack gem\n (CVE-2014-7818)\n * #918203 - Arbitrary file existence disclosure in Studio Onsite\n (CVE-2014-7829)\n * #852794 - SLES 11-SP3 templates fail to build x86_64 EC2 images\n * #914765 - Change of appliance name is not displayed in appliance\u0027s\n change log\n * #887893 - Change log not accessible via API\n * #918239 - Failure to create new appliances after upgrade to Studio\n Onsite 1.3.9\n * #918395 - Remove 32bit as target for building EC2 appliances\n * #912512 - Studio doesn\u0027t allow duplicated repositories\n * #880078 - Studio packages contain files that get modified (by Studio)\n after installation.\n * #919037 - Can\u0027t open appliance on Gallery: undefined\n restructure_unsupportable_packages method.\n\nSecurity Issues:\n\n * CVE-2014-7819\n \u003chttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7819\u003e\n * CVE-2014-7818\n \u003chttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7818\u003e\n * CVE-2014-7829\n \u003chttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7829\u003e\n\n", "title": "Description of the patch" }, { "category": "details", "text": "slestso13-susestudio-1310-201502", "title": "Patchnames" 
}, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2015_0863-1.json" }, { "category": "self", "summary": "URL for SUSE-SU-2015:0863-1", "url": "https://www.suse.com/support/update/announcement/2015/suse-su-20150863-1/" }, { "category": "self", "summary": "E-Mail link for SUSE-SU-2015:0863-1", "url": "https://lists.suse.com/pipermail/sle-security-updates/2015-May/001377.html" }, { "category": "self", "summary": "SUSE Bug 852794", "url": "https://bugzilla.suse.com/852794" }, { "category": "self", "summary": "SUSE Bug 876313", "url": "https://bugzilla.suse.com/876313" }, { "category": "self", "summary": "SUSE Bug 880078", "url": "https://bugzilla.suse.com/880078" }, { "category": "self", "summary": "SUSE Bug 887893", "url": "https://bugzilla.suse.com/887893" }, { "category": "self", "summary": "SUSE Bug 904372", "url": "https://bugzilla.suse.com/904372" }, { "category": "self", "summary": "SUSE Bug 904375", "url": "https://bugzilla.suse.com/904375" }, { "category": "self", "summary": "SUSE Bug 912512", "url": "https://bugzilla.suse.com/912512" }, { "category": "self", "summary": "SUSE Bug 914765", "url": "https://bugzilla.suse.com/914765" }, { "category": "self", "summary": "SUSE Bug 918203", "url": "https://bugzilla.suse.com/918203" }, { "category": "self", "summary": "SUSE Bug 918239", "url": "https://bugzilla.suse.com/918239" }, { "category": "self", "summary": "SUSE Bug 918395", "url": 
"https://bugzilla.suse.com/918395" }, { "category": "self", "summary": "SUSE Bug 919037", "url": "https://bugzilla.suse.com/919037" }, { "category": "self", "summary": "SUSE CVE CVE-2014-7818 page", "url": "https://www.suse.com/security/cve/CVE-2014-7818/" }, { "category": "self", "summary": "SUSE CVE CVE-2014-7819 page", "url": "https://www.suse.com/security/cve/CVE-2014-7819/" }, { "category": "self", "summary": "SUSE CVE CVE-2014-7829 page", "url": "https://www.suse.com/security/cve/CVE-2014-7829/" } ], "title": "Security update for SUSE Studio", "tracking": { "current_release_date": "2015-05-05T23:49:58Z", "generator": { "date": "2015-05-05T23:49:58Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "SUSE-SU-2015:0863-1", "initial_release_date": "2015-05-05T23:49:58Z", "revision_history": [ { "date": "2015-05-05T23:49:58Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "Containment-Studio-SLE11_SP3-5.05.81-20150505234825.x86_64", "product": { "name": "Containment-Studio-SLE11_SP3-5.05.81-20150505234825.x86_64", "product_id": "Containment-Studio-SLE11_SP3-5.05.81-20150505234825.x86_64" } }, { "category": "product_version", "name": "susestudio-1.3.10-0.17.45.x86_64", "product": { "name": "susestudio-1.3.10-0.17.45.x86_64", "product_id": "susestudio-1.3.10-0.17.45.x86_64" } }, { "category": "product_version", "name": "susestudio-bundled-packages-1.3.10-0.17.45.x86_64", "product": { "name": "susestudio-bundled-packages-1.3.10-0.17.45.x86_64", "product_id": "susestudio-bundled-packages-1.3.10-0.17.45.x86_64" } }, { "category": "product_version", "name": "susestudio-common-1.3.10-0.17.45.x86_64", "product": { "name": "susestudio-common-1.3.10-0.17.45.x86_64", "product_id": "susestudio-common-1.3.10-0.17.45.x86_64" } }, { "category": "product_version", "name": 
"susestudio-runner-1.3.10-0.17.45.x86_64", "product": { "name": "susestudio-runner-1.3.10-0.17.45.x86_64", "product_id": "susestudio-runner-1.3.10-0.17.45.x86_64" } }, { "category": "product_version", "name": "susestudio-sid-1.3.10-0.17.45.x86_64", "product": { "name": "susestudio-sid-1.3.10-0.17.45.x86_64", "product_id": "susestudio-sid-1.3.10-0.17.45.x86_64" } }, { "category": "product_version", "name": "susestudio-ui-server-1.3.10-0.17.45.x86_64", "product": { "name": "susestudio-ui-server-1.3.10-0.17.45.x86_64", "product_id": "susestudio-ui-server-1.3.10-0.17.45.x86_64" } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_name", "name": "SUSE Studio Onsite 1.3", "product": { "name": "SUSE Studio Onsite 1.3", "product_id": "SUSE Studio Onsite 1.3", "product_identification_helper": { "cpe": "cpe:/o:suse:sle-studioonsite:1.3" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "Containment-Studio-SLE11_SP3-5.05.81-20150505234825.x86_64 as component of SUSE Studio Onsite 1.3", "product_id": "SUSE Studio Onsite 1.3:Containment-Studio-SLE11_SP3-5.05.81-20150505234825.x86_64" }, "product_reference": "Containment-Studio-SLE11_SP3-5.05.81-20150505234825.x86_64", "relates_to_product_reference": "SUSE Studio Onsite 1.3" }, { "category": "default_component_of", "full_product_name": { "name": "susestudio-1.3.10-0.17.45.x86_64 as component of SUSE Studio Onsite 1.3", "product_id": "SUSE Studio Onsite 1.3:susestudio-1.3.10-0.17.45.x86_64" }, "product_reference": "susestudio-1.3.10-0.17.45.x86_64", "relates_to_product_reference": "SUSE Studio Onsite 1.3" }, { "category": "default_component_of", "full_product_name": { "name": "susestudio-bundled-packages-1.3.10-0.17.45.x86_64 as component of SUSE Studio Onsite 1.3", "product_id": "SUSE Studio Onsite 
1.3:susestudio-bundled-packages-1.3.10-0.17.45.x86_64" }, "product_reference": "susestudio-bundled-packages-1.3.10-0.17.45.x86_64", "relates_to_product_reference": "SUSE Studio Onsite 1.3" }, { "category": "default_component_of", "full_product_name": { "name": "susestudio-common-1.3.10-0.17.45.x86_64 as component of SUSE Studio Onsite 1.3", "product_id": "SUSE Studio Onsite 1.3:susestudio-common-1.3.10-0.17.45.x86_64" }, "product_reference": "susestudio-common-1.3.10-0.17.45.x86_64", "relates_to_product_reference": "SUSE Studio Onsite 1.3" }, { "category": "default_component_of", "full_product_name": { "name": "susestudio-runner-1.3.10-0.17.45.x86_64 as component of SUSE Studio Onsite 1.3", "product_id": "SUSE Studio Onsite 1.3:susestudio-runner-1.3.10-0.17.45.x86_64" }, "product_reference": "susestudio-runner-1.3.10-0.17.45.x86_64", "relates_to_product_reference": "SUSE Studio Onsite 1.3" }, { "category": "default_component_of", "full_product_name": { "name": "susestudio-sid-1.3.10-0.17.45.x86_64 as component of SUSE Studio Onsite 1.3", "product_id": "SUSE Studio Onsite 1.3:susestudio-sid-1.3.10-0.17.45.x86_64" }, "product_reference": "susestudio-sid-1.3.10-0.17.45.x86_64", "relates_to_product_reference": "SUSE Studio Onsite 1.3" }, { "category": "default_component_of", "full_product_name": { "name": "susestudio-ui-server-1.3.10-0.17.45.x86_64 as component of SUSE Studio Onsite 1.3", "product_id": "SUSE Studio Onsite 1.3:susestudio-ui-server-1.3.10-0.17.45.x86_64" }, "product_reference": "susestudio-ui-server-1.3.10-0.17.45.x86_64", "relates_to_product_reference": "SUSE Studio Onsite 1.3" } ] }, "vulnerabilities": [ { "cve": "CVE-2014-7818", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2014-7818" } ], "notes": [ { "category": "general", "text": "Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 
4.1.7, and 4.2.x before 4.2.0.beta3, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via a /..%2F sequence.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE Studio Onsite 1.3:Containment-Studio-SLE11_SP3-5.05.81-20150505234825.x86_64", "SUSE Studio Onsite 1.3:susestudio-1.3.10-0.17.45.x86_64", "SUSE Studio Onsite 1.3:susestudio-bundled-packages-1.3.10-0.17.45.x86_64", "SUSE Studio Onsite 1.3:susestudio-common-1.3.10-0.17.45.x86_64", "SUSE Studio Onsite 1.3:susestudio-runner-1.3.10-0.17.45.x86_64", "SUSE Studio Onsite 1.3:susestudio-sid-1.3.10-0.17.45.x86_64", "SUSE Studio Onsite 1.3:susestudio-ui-server-1.3.10-0.17.45.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2014-7818", "url": "https://www.suse.com/security/cve/CVE-2014-7818" }, { "category": "external", "summary": "SUSE Bug 903662 for CVE-2014-7818", "url": "https://bugzilla.suse.com/903662" }, { "category": "external", "summary": "SUSE Bug 905727 for CVE-2014-7818", "url": "https://bugzilla.suse.com/905727" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE Studio Onsite 1.3:Containment-Studio-SLE11_SP3-5.05.81-20150505234825.x86_64", "SUSE Studio Onsite 1.3:susestudio-1.3.10-0.17.45.x86_64", "SUSE Studio Onsite 1.3:susestudio-bundled-packages-1.3.10-0.17.45.x86_64", "SUSE Studio Onsite 1.3:susestudio-common-1.3.10-0.17.45.x86_64", "SUSE Studio Onsite 1.3:susestudio-runner-1.3.10-0.17.45.x86_64", "SUSE Studio Onsite 1.3:susestudio-sid-1.3.10-0.17.45.x86_64", "SUSE Studio Onsite 1.3:susestudio-ui-server-1.3.10-0.17.45.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2015-05-05T23:49:58Z", "details": "low" } ], "title": "CVE-2014-7818" }, { "cve": "CVE-2014-7819", "ids": [ { "system_name": "SUSE CVE Page", 
"text": "https://www.suse.com/security/cve/CVE-2014-7819" } ], "notes": [ { "category": "general", "text": "Multiple directory traversal vulnerabilities in server.rb in Sprockets before 2.0.5, 2.1.x before 2.1.4, 2.2.x before 2.2.3, 2.3.x before 2.3.3, 2.4.x before 2.4.6, 2.5.x before 2.5.1, 2.6.x and 2.7.x before 2.7.1, 2.8.x before 2.8.3, 2.9.x before 2.9.4, 2.10.x before 2.10.2, 2.11.x before 2.11.3, 2.12.x before 2.12.3, and 3.x before 3.0.0.beta.3, as distributed with Ruby on Rails 3.x and 4.x, allow remote attackers to determine the existence of files outside the application root via a ../ (dot dot slash) sequence with (1) double slashes or (2) URL encoding.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE Studio Onsite 1.3:Containment-Studio-SLE11_SP3-5.05.81-20150505234825.x86_64", "SUSE Studio Onsite 1.3:susestudio-1.3.10-0.17.45.x86_64", "SUSE Studio Onsite 1.3:susestudio-bundled-packages-1.3.10-0.17.45.x86_64", "SUSE Studio Onsite 1.3:susestudio-common-1.3.10-0.17.45.x86_64", "SUSE Studio Onsite 1.3:susestudio-runner-1.3.10-0.17.45.x86_64", "SUSE Studio Onsite 1.3:susestudio-sid-1.3.10-0.17.45.x86_64", "SUSE Studio Onsite 1.3:susestudio-ui-server-1.3.10-0.17.45.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2014-7819", "url": "https://www.suse.com/security/cve/CVE-2014-7819" }, { "category": "external", "summary": "SUSE Bug 903658 for CVE-2014-7819", "url": "https://bugzilla.suse.com/903658" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE Studio Onsite 1.3:Containment-Studio-SLE11_SP3-5.05.81-20150505234825.x86_64", "SUSE Studio Onsite 1.3:susestudio-1.3.10-0.17.45.x86_64", "SUSE Studio Onsite 1.3:susestudio-bundled-packages-1.3.10-0.17.45.x86_64", "SUSE Studio Onsite 1.3:susestudio-common-1.3.10-0.17.45.x86_64", "SUSE Studio Onsite 
1.3:susestudio-runner-1.3.10-0.17.45.x86_64", "SUSE Studio Onsite 1.3:susestudio-sid-1.3.10-0.17.45.x86_64", "SUSE Studio Onsite 1.3:susestudio-ui-server-1.3.10-0.17.45.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2015-05-05T23:49:58Z", "details": "low" } ], "title": "CVE-2014-7819" }, { "cve": "CVE-2014-7829", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2014-7829" } ], "notes": [ { "category": "general", "text": "Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.21, 4.0.x before 4.0.12, 4.1.x before 4.1.8, and 4.2.x before 4.2.0.beta4, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via vectors involving a \\ (backslash) character, a similar issue to CVE-2014-7818.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE Studio Onsite 1.3:Containment-Studio-SLE11_SP3-5.05.81-20150505234825.x86_64", "SUSE Studio Onsite 1.3:susestudio-1.3.10-0.17.45.x86_64", "SUSE Studio Onsite 1.3:susestudio-bundled-packages-1.3.10-0.17.45.x86_64", "SUSE Studio Onsite 1.3:susestudio-common-1.3.10-0.17.45.x86_64", "SUSE Studio Onsite 1.3:susestudio-runner-1.3.10-0.17.45.x86_64", "SUSE Studio Onsite 1.3:susestudio-sid-1.3.10-0.17.45.x86_64", "SUSE Studio Onsite 1.3:susestudio-ui-server-1.3.10-0.17.45.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2014-7829", "url": "https://www.suse.com/security/cve/CVE-2014-7829" }, { "category": "external", "summary": "SUSE Bug 905727 for CVE-2014-7829", "url": "https://bugzilla.suse.com/905727" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE Studio Onsite 
1.3:Containment-Studio-SLE11_SP3-5.05.81-20150505234825.x86_64", "SUSE Studio Onsite 1.3:susestudio-1.3.10-0.17.45.x86_64", "SUSE Studio Onsite 1.3:susestudio-bundled-packages-1.3.10-0.17.45.x86_64", "SUSE Studio Onsite 1.3:susestudio-common-1.3.10-0.17.45.x86_64", "SUSE Studio Onsite 1.3:susestudio-runner-1.3.10-0.17.45.x86_64", "SUSE Studio Onsite 1.3:susestudio-sid-1.3.10-0.17.45.x86_64", "SUSE Studio Onsite 1.3:susestudio-ui-server-1.3.10-0.17.45.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2015-05-05T23:49:58Z", "details": "moderate" } ], "title": "CVE-2014-7829" } ] }