English | Deutsch | Español
 
Home ▼
Home About Us Contact Us Privacy Partner Programs Testimonials In Press Mailing Lists Abuse Developer APIs
Bookkeeping
Online ▼
Home Free Trial FAQ
Open/Create Company File Accept an Invite Order/Renew
Security
Audits ▼
Home Dedicated audits Advanced audits Standard audits Recurring audits No Risk audits Desktop audits Basic audit Security Seal FAQ Price/Feature Summary Order New Tests All Tests Confidentiality Vulnerability search Run Audit Scheduler IP Permissions Audit Configuration Editor Scan Queue Reminder Notification Schedule Seal Reports Reports Style Editor
Managed
DNS ▼
About Order FAQ Acceptable Use Policy Dynamic DNS Clients
Configure Domains Dyanmic DNS Update Password
Network
Monitor ▼
Enterprise Package Advanced Package Standard Package Free Trial FAQ Price/Feature Summary Order/Renew Examples
Configure/Status Alert Profiles
Research
Reports ▼
Home FAQ Glossary Archive
 Login/Register 
 
 Vulnerability   
Search   		     Search 324607 CVE descriptions
and 145615 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

Test ID:1.3.6.1.4.1.25623.1.1.4.2021.1094.1
Category:SuSE Local Security Checks
Title:SUSE: Security Advisory (SUSE-SU-2021:1094-1)
Summary:The remote host is missing an update for the 'flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk' package(s) announced via the SUSE-SU-2021:1094-1 advisory.
Description:Summary:
The remote host is missing an update for the 'flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk' package(s) announced via the SUSE-SU-2021:1094-1 advisory.

Vulnerability Insight:
This update for flatpak, libostree, xdg-desktop-portal,
xdg-desktop-portal-gtk fixes the following issues:

libostree:

Update to version 2020.8

Enable LTO. (bsc#1133120)

This update contains scalability improvements and bugfixes.

Caching-related HTTP headers are now supported on summaries and
signatures, so that they do not have to be re-downloaded if not changed
in the meanwhile.

Summaries and delta have been reworked to allow more fine-grained
fetching.

Fixes several bugs related to atomic variables, HTTP timeouts, and
32-bit architectures.

Static deltas can now be signed to more easily support offline
verification.

There's now support for multiple initramfs images, Is it possible to
have a 'main' initramfs image and a secondary one which represents local
configuration.

The documentation is now moved to [link moved to references]

Fix for an assertion failure when upgrading from systems before ostree
supported devicetree.

ostree no longer hardlinks zero sized files to avoid hitting filesystem
maximum link counts.

ostree now supports `/` and `/boot` being on the same filesystem.

Improvements to the GObject Introspection metadata, some (cosmetic)
static analyzer fixes, a fix for the immutable bit on s390x, dropping a
deprecated bit in the systemd unit file.

Fix a regression 2020.4 where the 'readonly sysroot' changes incorrectly
left the sysroot read-only
on systems that started out with a read-only `/` (most of them, e.g.
Fedora Silverblue/IoT at least).

The default dracut config now enables reproducibility.

There is a new ostree admin unlock `--transient`. This should to be a
foundation for further support for 'live' updates.

New `ed25519` signing support, powered by `libsodium`.

stree commit gained a new `--base` argument, which significantly
simplifies constructing 'derived' commits, particularly for systems
using SELinux.

Handling of the read-only sysroot was reimplemented to run in the
initramfs and be more reliable. Enabling the `readonly=true` flag in the
repo config is recommended.

Several fixes in locking for the temporary 'staging' directories OSTree
creates, particularly on NFS.

A new `timestamp-check-from-rev` option was added for pulls, which makes
downgrade protection more reliable and will be used by Fedora CoreOS.

Several fixes and enhancements made for 'collection' pulls including a
new `--mirror` option.

The ostree commit command learned a new `--mode-ro-executables` which
enforces `W^R` semantics
on all executables.

Added a new commit metadata key `OSTREE_COMMIT_META_KEY_ARCHITECTURE`
to help standardize the architecture of the OSTree commit. This could be
used on the client side for example to sanity-check that the commit
matches the architecture of the machine before deploying.

Stop invalid usage of `%_libexecdir`:
+ Use `%{_prefix}/lib` where appropriate.
+ Use `_systemdgeneratordir` for ... [Please see the references for more information on the vulnerabilities]

Affected Software/OS:
'flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk' package(s) on SUSE Linux Enterprise Module for Basesystem 15-SP2, SUSE Linux Enterprise Module for Desktop Applications 15-SP2.

Solution:
Please install the updated package(s).

CVSS Score:
7.2

CVSS Vector:
AV:L/AC:L/Au:N/C:C/I:C/A:C

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2021-21261
https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2
Debian Security Information: DSA-4830 (Google Search)
https://www.debian.org/security/2021/dsa-4830
https://security.gentoo.org/glsa/202101-21
https://github.com/flatpak/flatpak/commit/6d1773d2a54dde9b099043f07a2094a4f1c2f486
https://github.com/flatpak/flatpak/commit/6e5ae7a109cdfa9735ea7ccbd8cb79f9e8d3ae8b
https://github.com/flatpak/flatpak/commit/aeb6a7ab0abaac4a8f4ad98b3df476d9de6b8bd4
https://github.com/flatpak/flatpak/commit/cc1401043c075268ecc652eac557ef8076b5eaba
https://github.com/flatpak/flatpak/releases/tag/1.8.5
CopyrightCopyright (C) 2021 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.

To run a free test of this vulnerability against your system, register below.



© 1998-2025 E-Soft Inc. All rights reserved.