File _patchinfo of Package patchinfo.35852

<patchinfo incident="35852">
  <issue tracker="cve" id="2024-45770"/>
  <issue tracker="cve" id="2024-45769"/>
  <issue tracker="cve" id="2023-6917"/>
  <issue tracker="bnc" id="1231345">PCP 6.2 built without libuv support</issue>
  <issue tracker="bnc" id="1222815">Performance CoPilot 6 is not starting due to missing pmlogger_daily.timer</issue>
  <issue tracker="bnc" id="1230552">VUL-0: CVE-2024-45770: pcp: `pmpost` symlink attack allows escalating `pcp` to `root` user</issue>
  <issue tracker="bnc" id="1230551">VUL-0: CVE-2024-45769: pcp: `pmcd` heap corruption through metric pmstore operations</issue>
  <issue tracker="bnc" id="1217826">VUL-0: CVE-2023-6917: pcp: Local privilege escalation from pcp user to root in /usr/libexec/pcp/lib/pmproxy</issue>
  <issue tracker="jsc" id="PED-8192"/>
  <issue tracker="jsc" id="PED-8389"/>
  <packager>mschreiner</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for pcp</summary>
  <description>This update for pcp fixes the following issues:

pcp was updated from version 5.2.5 to version 6.2.0 (jsc#PED-8192, jsc#PED-8389):

- Security issues fixed:

  * CVE-2024-45770: Fixed a symlink attack that allows escalating from the pcp to the root user (bsc#1230552)
  * CVE-2024-45769: Fixed a heap corruption through metric pmstore operations (bsc#1230551)
  * CVE-2023-6917: Fixed local privilege escalation from pcp user to root in /usr/libexec/pcp/lib/pmproxy (bsc#1217826)

- Major changes:

  * Add version 3 PCP archive support: instance domain change-deltas,
    Y2038-safe timestamps, nanosecond-precision timestamps, arbitrary timezones support, 64-bit file offsets used
    throughout for larger (beyond 2GB) individual volumes
    + Opt-in using the /etc/pcp.conf PCP_ARCHIVE_VERSION setting
    + Version 2 archives remain the default (for the next few years)
  * Switch to using OpenSSL only throughout PCP (dropped NSS/NSPR);
    this affects libpcp, PMAPI clients and PMCD use of encryption;
    these are now configured and used consistently with pmproxy HTTPS support and redis-server, which were both already
    using OpenSSL.
  * New nanosecond-precision timestamp PMAPI calls for PCP library interfaces that make use of timestamps.
    These are all optional, and full backward compatibility is preserved for existing tools.
  * For the full list of changes please consult the packaged CHANGELOG file

- Other packaging changes:

  * Moved pmlogger_daily into the main package (bsc#1222815)
  * Change dependency from openssl-devel &gt;= 1.1.1 to openssl-devel &gt;= 1.0.2p.
    Required for SLE-12
  * Introduce 'pmda-resctrl' package, disabled for architectures other than x86_64
  * Change the architecture for various subpackages to 'noarch' as they contain no binaries
  * Disable 'pmda-mssql', as it fails to build
</description>
</patchinfo>