Overview

File _patchinfo of Package patchinfo.22201

<patchinfo incident="22201">
  <issue tracker="bnc" id="1192954">L3: SLE15 SP3: Autoyast does not honor security related parameters</issue>
  <issue tracker="bnc" id="1188507">blockdev --report results in abort due to buffer overflow when start sector exceeds 10 digits</issue>
  <issue tracker="bnc" id="1194976">VUL-0: CVE-2021-3995, CVE-2021-3996: util-linux: libmount unauthorized unmounts</issue>
  <issue tracker="bnc" id="1193632">/bin/login sets incorrect tty permissions due to econf only supporting base10 numbers</issue>
  <issue tracker="jsc" id="SLE-23384"/>
  <issue tracker="jsc" id="SLE-23402"/>
  <issue tracker="cve" id="2021-3995"/>
  <issue tracker="cve" id="2021-3996"/>
  <packager>sbrabec</packager>
  <rating>moderate</rating>
  <category>security</category>
  <summary>Security update for libeconf, shadow and util-linux</summary>
  <description>This security update for libeconf, shadow and util-linux fix the following issues:

libeconf:

- Add libeconf to SLE-Module-Basesystem_15-SP3 because needed by 'util-linux' and 'shadow' 
  to fix autoyast handling of security related parameters (bsc#1192954, jsc#SLE-23384, jsc#SLE-23402)

Issues fixed in libeconf:
- Reading numbers with different bases (e.g. oktal) (bsc#1193632) (#157)
- Fixed different issues while writing string values to file.
- Writing comments to file too.
- Fixed crash while merging values.
- Added econftool cat option (#146)
- new API call: econf_readDirsHistory (showing ALL locations)
- new API call: econf_getPath (absolute path of the configuration file)
- Man pages libeconf.3 and econftool.8.
- Handling multiline strings.
- Added libeconf_ext which returns more information like
  line_nr, comments, path of the configuration file,...
- Econftool, an command line interface for handling configuration
  files.
- Generating HTML API documentation with doxygen.
- Improving error handling and semantic file check.
- Joining entries with the same key to one single entry if
  env variable ECONF_JOIN_SAME_ENTRIES has been set.

shadow:

- The legacy code does not support /etc/login.defs.d used by YaST. Enable libeconf to 
  read it (bsc#1192954, jsc#SLE-23384, jsc#SLE-23402)

util-linux:

- The legacy code does not support /etc/login.defs.d used by YaST. Enable libeconf to 
  read it (bsc#1192954, jsc#SLE-23384, jsc#SLE-23402)
- Allow use of larger values for start sector to prevent `blockdev --report` aborting (bsc#1188507)
- Fixed `blockdev --report` using non-space characters as a field separator (bsc#1188507)
- CVE-2021-3995: Fixed unauthorized unmount in util-linux's libmount. (bsc#1194976) 
- CVE-2021-3996: Fixed unauthorized unmount in util-linux's libmount. (bsc#1194976)
</description>
</patchinfo>
openSUSE Build Service is sponsored by
Places