openSUSE Local Security Checks : openSUSE Security Advisory (SUSE-SU-2024:3785-1)

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 145615 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.0.856635

Categoría: openSUSE Local Security Checks

Título: openSUSE Security Advisory (SUSE-SU-2024:3785-1)

Resumen: The remote host is missing an update for the 'pcp' package(s) announced via the SUSE-SU-2024:3785-1 advisory.

Descripción: Summary:
The remote host is missing an update for the 'pcp' package(s) announced via the SUSE-SU-2024:3785-1 advisory.

Vulnerability Insight:
This update for pcp fixes the following issues:

pcp was updated from version 5.2.5 to version 6.2.0 (jsc#PED-8192, jsc#PED-8389):

- Security issues fixed:

* CVE-2024-45770: Fixed a symlink attack that allows escalating from the pcp to the root user (bsc#1230552)
* CVE-2024-45769: Fixed a heap corruption through metric pmstore operations (bsc#1230551)
* CVE-2023-6917: Fixed local privilege escalation from pcp user to root in /usr/libexec/pcp/lib/pmproxy (bsc#1217826)

- Major changes:

* Add version 3 PCP archive support: instance domain change-deltas,
Y2038-safe timestamps, nanosecond-precision timestamps, arbitrary timezones support, 64-bit file offsets used
throughout for larger (beyond 2GB) individual volumes
+ Opt-in using the /etc/pcp.conf PCP_ARCHIVE_VERSION setting
+ Version 2 archives remain the default (for next few years)
* Switch to using OpenSSL only throughout PCP (dropped NSS/NSPR),
this impacts on libpcp, PMAPI clients and PMCD use of encryption,
these are now configured and used consistently with pmproxy HTTPS support and redis-server, which were both already
using OpenSSL.
* New nanosecond precision timestamp PMAPI calls for PCP library interfaces that make use of timestamps
These are all optional, and full backward compatibility is preserved for existing tools.
* For the full list of changes please consult the packaged CHANGELOG file

- Other packaging changes:

* Moved pmlogger_daily into the main package (bsc#1222815)
* Change dependency from openssl-devel >= 1.1.1 to openssl-devel >= 1.0.2p.
Required for SLE-12
* Introduce 'pmda-resctrl' package, disabled for architectures other than x86_64
* Change the architecture for various subpackages to 'noarch' as they contain no binaries
* Disable 'pmda-mssql', as it fails to build

Affected Software/OS:
'pcp' package(s) on openSUSE Leap 15.5.

Solution:
Please install the updated package(s).

CVSS Score:
6.5

CVSS Vector:
AV:L/AC:L/Au:M/C:C/I:C/A:C

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2023-6917
RHBZ#2254983
https://bugzilla.redhat.com/show_bug.cgi?id=2254983
RHSA-2024:2213
https://access.redhat.com/errata/RHSA-2024:2213
https://access.redhat.com/security/cve/CVE-2023-6917
Common Vulnerability Exposure (CVE) ID: CVE-2024-45769
Common Vulnerability Exposure (CVE) ID: CVE-2024-45770

Copyright Copyright (C) 2024 Greenbone AG

Esta es sólo una de 145615 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.0.856635
Categoría:	openSUSE Local Security Checks
Título:	openSUSE Security Advisory (SUSE-SU-2024:3785-1)
Resumen:	The remote host is missing an update for the 'pcp' package(s) announced via the SUSE-SU-2024:3785-1 advisory.
Descripción:	Summary: The remote host is missing an update for the 'pcp' package(s) announced via the SUSE-SU-2024:3785-1 advisory. Vulnerability Insight: This update for pcp fixes the following issues: pcp was updated from version 5.2.5 to version 6.2.0 (jsc#PED-8192, jsc#PED-8389): - Security issues fixed: * CVE-2024-45770: Fixed a symlink attack that allows escalating from the pcp to the root user (bsc#1230552) * CVE-2024-45769: Fixed a heap corruption through metric pmstore operations (bsc#1230551) * CVE-2023-6917: Fixed local privilege escalation from pcp user to root in /usr/libexec/pcp/lib/pmproxy (bsc#1217826) - Major changes: * Add version 3 PCP archive support: instance domain change-deltas, Y2038-safe timestamps, nanosecond-precision timestamps, arbitrary timezones support, 64-bit file offsets used throughout for larger (beyond 2GB) individual volumes + Opt-in using the /etc/pcp.conf PCP_ARCHIVE_VERSION setting + Version 2 archives remain the default (for next few years) * Switch to using OpenSSL only throughout PCP (dropped NSS/NSPR), this impacts on libpcp, PMAPI clients and PMCD use of encryption, these are now configured and used consistently with pmproxy HTTPS support and redis-server, which were both already using OpenSSL. * New nanosecond precision timestamp PMAPI calls for PCP library interfaces that make use of timestamps These are all optional, and full backward compatibility is preserved for existing tools. * For the full list of changes please consult the packaged CHANGELOG file - Other packaging changes: * Moved pmlogger_daily into the main package (bsc#1222815) * Change dependency from openssl-devel >= 1.1.1 to openssl-devel >= 1.0.2p. Required for SLE-12 * Introduce 'pmda-resctrl' package, disabled for architectures other than x86_64 * Change the architecture for various subpackages to 'noarch' as they contain no binaries * Disable 'pmda-mssql', as it fails to build Affected Software/OS: 'pcp' package(s) on openSUSE Leap 15.5. Solution: Please install the updated package(s). CVSS Score: 6.5 CVSS Vector: AV:L/AC:L/Au:M/C:C/I:C/A:C
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2023-6917 RHBZ#2254983 https://bugzilla.redhat.com/show_bug.cgi?id=2254983 RHSA-2024:2213 https://access.redhat.com/errata/RHSA-2024:2213 https://access.redhat.com/security/cve/CVE-2023-6917 Common Vulnerability Exposure (CVE) ID: CVE-2024-45769 Common Vulnerability Exposure (CVE) ID: CVE-2024-45770
Copyright	Copyright (C) 2024 Greenbone AG