SUSE-SU-2014:0734-1: Security update for SUSE Studio

sle-security-updates at lists.suse.com
Thu May 29 18:04:45 MDT 2014


   SUSE Security Update: Security update for SUSE Studio
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0734-1
Rating:             low
References:         #808381 #824309 #825713 #826880 #851903 #852166 
                    #854786 #857887 #858218 #864803 #866543 #867136 
                    #867745 #870697 #880078 
Cross-References:   CVE-2013-3712 CVE-2013-4389 CVE-2013-4491
                    CVE-2013-6414 CVE-2013-6415 CVE-2013-6416
                    CVE-2013-6459 CVE-2014-0081 CVE-2014-0082
                   
Affected Products:
                    SUSE Studio Onsite 1.3
______________________________________________________________________________

   An update that solves 9 vulnerabilities and has 6 fixes is
   now available. It includes one version update.

Description:


   This SUSE Studio update fixes the following security and non-security
   issues:

       * bnc#851903 - Fixed 1.3 stuck on "Importing repositories and
         templates" after restoring 1.2 backup
       * bnc#808381 - Outdated image types list in API documentation
       * bnc#826880 - Misleading error message when adding repo that is
         already there
       * bnc#825713 - susestudio-bundled-packages is not required by studio
         packages
       * bnc#870697 - Limit memory used for builds
       * bnc#867136 - After sync now appliance build still uses older package
         version
       * bnc#867745 - If no dhcp, permissions and ssl are not configured
       * bnc#824309 - When removing or reinstalling AddOn, sudoers file gets
         messy
       * bnc#854786 - Security issues in rails (CVE-2013-4491, CVE-2013-6414,
         CVE-2013-6415, CVE-2013-6416, CVE-2013-4389)
       * bnc#857887 - Session secret in options.yml instead of
         options-local.yml
       * bnc#858218 - XSS vulnerabilities in will_paginate (CVE-2013-6459)
       * bnc#864803 - Rails security issues (CVE-2014-0081 and CVE-2014-0082)
       * bnc#852166 - Secret tokens are static as shipped (CVE-2013-3712)
       * bnc#866543 - Documentation for updating frozen repositories after
         1.2-to-1.3 migration
       * bnc#880078 - Fix schema.rb file for ui-server

   Security Issues references:

       * CVE-2013-4491
         <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4491>
       * CVE-2013-6414
         <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6414>
       * CVE-2013-6415
         <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6415>
       * CVE-2013-6416
         <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6416>
       * CVE-2013-4389
         <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4389>
       * CVE-2014-0081
         <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0081>
       * CVE-2014-0082
         <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0082>
       * CVE-2013-3712
         <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3712>
       * CVE-2013-6459
         <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6459>


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Studio Onsite 1.3:

      zypper in -t patch slestso13-susestudio-137-201404-9308

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Studio Onsite 1.3 (x86_64) [New Version: 1.3.7]:

      susestudio-1.3.7-0.17.1
      susestudio-bundled-packages-1.3.7-0.17.1
      susestudio-common-1.3.7-0.17.1
      susestudio-runner-1.3.7-0.17.1
      susestudio-sid-1.3.7-0.17.1
      susestudio-ui-server-1.3.7-0.17.1

   - SUSE Studio Onsite 1.3 (noarch):

      susestudio-admin_en-11.3-0.15.1
      susestudio-admin_en-pdf-11.3-0.15.1


References:

   http://support.novell.com/security/cve/CVE-2013-3712.html
   http://support.novell.com/security/cve/CVE-2013-4389.html
   http://support.novell.com/security/cve/CVE-2013-4491.html
   http://support.novell.com/security/cve/CVE-2013-6414.html
   http://support.novell.com/security/cve/CVE-2013-6415.html
   http://support.novell.com/security/cve/CVE-2013-6416.html
   http://support.novell.com/security/cve/CVE-2013-6459.html
   http://support.novell.com/security/cve/CVE-2014-0081.html
   http://support.novell.com/security/cve/CVE-2014-0082.html
   https://bugzilla.novell.com/808381
   https://bugzilla.novell.com/824309
   https://bugzilla.novell.com/825713
   https://bugzilla.novell.com/826880
   https://bugzilla.novell.com/851903
   https://bugzilla.novell.com/852166
   https://bugzilla.novell.com/854786
   https://bugzilla.novell.com/857887
   https://bugzilla.novell.com/858218
   https://bugzilla.novell.com/864803
   https://bugzilla.novell.com/866543
   https://bugzilla.novell.com/867136
   https://bugzilla.novell.com/867745
   https://bugzilla.novell.com/870697
   https://bugzilla.novell.com/880078
   http://download.suse.com/patch/finder/?keywords=b9000898eb3e19edea1d5eabcff8831a


