File _patchinfo of Package patchinfo.8417

<patchinfo incident="8417">
  <issue tracker="bnc" id="1103809">VUL-0: EMBARGOED: CVE-2018-12471: smt: Xml External Entity processing in the RegistrationSharing modules allows arbitrary file read</issue>
  <issue tracker="bnc" id="1104076">VUL-0: EMBARGOED: CVE-2018-12472: smt: authentication bypass in sibling check</issue>
  <issue tracker="bnc" id="1097824">[Migration] [RMT] upgrade from SLES12SP3+HPC module to HPC15 via RMT: Two Migration targets</issue>
  <issue tracker="bnc" id="1097560">SCC delivers incomplete product data</issue>
  <issue tracker="bnc" id="1103810">VUL-0: EMBARGOED: CVE-2018-12470: smt: SQL injection in RegistrationSharing module</issue>
  <issue tracker="bnc" id="1037811">SLES12_SP3_LOC : ALL_LANGS:Untranslated text in SMT/'SMT Configuration Wizard-Steps 2/2' dialog</issue>
  <issue tracker="bnc" id="977043">YaST2 SMT window starts in partially unreadable size</issue>
  <issue tracker="bnc" id="1006984">yast2-smt: crashes in filter</issue>
  <issue tracker="bnc" id="1006989">yast2-smt: no error check for mkdir</issue>
  <issue tracker="cve" id="2018-12472"/>
  <issue tracker="cve" id="2018-12470"/>
  <issue tracker="cve" id="2018-12471"/>
  <issue tracker="fate" id="321759"/>
  <issue tracker="fate" id="319777"/>
  <category>security</category>
  <rating>important</rating>
  <packager>ikapelyukhin</packager>
  <description>This update for yast2-smt to 3.0.14 and smt to 3.0.37 fixes the following issues:

These security issues were fixed in SMT:

- CVE-2018-12471: XML External Entity processing in the RegistrationSharing
  modules allowed arbitrary file read (bsc#1103809).
- CVE-2018-12470: SQL injection in RegistrationSharing module allowed remote
  attackers to run arbitrary SQL statements (bsc#1103810).
- CVE-2018-12472: Authentication bypass in sibling check facilitated further
  attacks on SMT (bsc#1104076).

SUSE would like to thank Jake Miller for reporting these issues to us.

These non-security issues were fixed in SMT:

- Fix cron jobs randomization (bsc#1097560)
- Fix duplicate migration paths (bsc#1097824)

These non-security issues were fixed in yast2-smt:

- Remove cron job rescheduling (bsc#1097560)
- Added missing translation marks (bsc#1037811)
- Explicitly mention "Organization Credentials" (fate#321759)
- Rearrange the SMT set-up dialog (bsc#977043)
- Make the Filter button default (bsc#1006984)
- Prevent exiting the repo selection dialog via hitting Enter in
  the repository filter (bsc#1006984)
- Report when an error occurs during repo mirroring (bsc#1006989)
- Use TextEntry-based filter for repos (fate#319777)
</description>
  <summary>Security update for smt, yast2-smt</summary>
</patchinfo>