SUSE-SU-2015:0863-1: Security update for SUSE Studio
    sle-security-updates at lists.suse.com 
    Tue May 12 11:05:52 MDT 2015
    
    
  
   SUSE Security Update: Security update for SUSE Studio
______________________________________________________________________________
Announcement ID:    SUSE-SU-2015:0863-1
Rating:             low
References:         #852794 #876313 #880078 #887893 #904372 #904375 
                    #912512 #914765 #918203 #918239 #918395 #919037 
                    
Cross-References:   CVE-2014-7818 CVE-2014-7819 CVE-2014-7829
                   
Affected Products:
                    SUSE Studio Onsite 1.3
______________________________________________________________________________
   An update that solves three vulnerabilities and has 9 fixes
   is now available. It includes one version update.
Description:
   This update provides SUSE Studio 1.3.10, including Amazon's EC2 support
   for SUSE Linux Enterprise 12 appliances.
   Additionally, the update includes fixes for the following issues:
       * #904372 - Arbitrary file existence disclosure in sprockets gem
         (CVE-2014-7819)
       * #904375 - Arbitrary file existence disclosure in Action Pack gem
         (CVE-2014-7818)
       * #918203 - Arbitrary file existence disclosure in Studio Onsite
         (CVE-2014-7829)
       * #852794 - SLES 11-SP3 templates fail to build x86_64 EC2 images
       * #914765 - Change of appliance name is not displayed in appliance's
         change log
       * #887893 - Change log not accessible via API
       * #918239 - Failure to create new appliances after upgrade to Studio
         Onsite 1.3.9
       * #918395 - Remove 32bit as target for building EC2 appliances
       * #912512 - Studio doesn't allow duplicated repositories
       * #880078 - Studio packages contain files that get modified (by
         Studio) after installation.
       * #919037 - Can't open appliance on Gallery: undefined
         restructure_unsupportable_packages method.
   Security Issues:
       * CVE-2014-7819
         <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7819>
       * CVE-2014-7818
         <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7818>
       * CVE-2014-7829
         <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7829>
Indications:
   Everybody should update.
Patch Instructions:
   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:
   - SUSE Studio Onsite 1.3:
      zypper in -t patch slestso13-susestudio-1310-201502=10411
   To bring your system up-to-date, use "zypper patch".
Package List:
   - SUSE Studio Onsite 1.3 (x86_64) [New Version: 1.3.10]:
      Containment-Studio-SLE11_SP3-5.05.81-20150505234825
      susestudio-1.3.10-0.17.45
      susestudio-bundled-packages-1.3.10-0.17.45
      susestudio-common-1.3.10-0.17.45
      susestudio-runner-1.3.10-0.17.45
      susestudio-sid-1.3.10-0.17.45
      susestudio-ui-server-1.3.10-0.17.45
References:
   https://www.suse.com/security/cve/CVE-2014-7818.html
   https://www.suse.com/security/cve/CVE-2014-7819.html
   https://www.suse.com/security/cve/CVE-2014-7829.html
   https://bugzilla.suse.com/852794
   https://bugzilla.suse.com/876313
   https://bugzilla.suse.com/880078
   https://bugzilla.suse.com/887893
   https://bugzilla.suse.com/904372
   https://bugzilla.suse.com/904375
   https://bugzilla.suse.com/912512
   https://bugzilla.suse.com/914765
   https://bugzilla.suse.com/918203
   https://bugzilla.suse.com/918239
   https://bugzilla.suse.com/918395
   https://bugzilla.suse.com/919037
   https://download.suse.com/patch/finder/?keywords=47874d473d5972d4857f71d4a1d418be
    
    