SUSE-SU-2019:0330-1: important: Security update for etcd
sle-security-updates at lists.suse.com
sle-security-updates at lists.suse.com
Tue Feb 12 04:10:29 MST 2019
SUSE Security Update: Security update for etcd
______________________________________________________________________________
Announcement ID: SUSE-SU-2019:0330-1
Rating: important
References: #1095184 #1118897 #1121850
Cross-References: CVE-2018-16873 CVE-2018-16886
Affected Products:
SUSE CaaS Platform 3.0
______________________________________________________________________________
An update that solves two vulnerabilities and has one
errata is now available.
Description:
This update for etcd to version 3.3.11 fixes the following issues:
Security vulnerabilities addressed:
- CVE-2018-16886: Fixed an improper authentication issue when role-based
access control (RBAC) was used and client-cert-auth were enabled. This
allowed an remote attacker to authenticate as user with any valid
(trusted) client certificate in a REST API request to the gRPC-gateway.
(bsc#1121850)
- CVE-2018-16873: Fixed an issue with the go get command, which allowed
for remote code execution when being executed with the -u flag
(bsc#1118897)
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE CaaS Platform 3.0:
To install this update, use the SUSE CaaS Platform Velum dashboard.
It will inform you if it detects new updates and let you then trigger
updating of the complete cluster in a controlled way.
Package List:
- SUSE CaaS Platform 3.0 (x86_64):
etcd-3.3.11-3.6.1
etcdctl-3.3.11-3.6.1
References:
https://www.suse.com/security/cve/CVE-2018-16873.html
https://www.suse.com/security/cve/CVE-2018-16886.html
https://bugzilla.suse.com/1095184
https://bugzilla.suse.com/1118897
https://bugzilla.suse.com/1121850
More information about the sle-security-updates
mailing list