<div class="container">
<h1>Security update for etcd</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-SU-2024:3656-1</td>
</tr>
<tr>
<th>Release Date:</th>
<td>2024-10-16T11:33:45Z</td>
</tr>
<tr>
<th>Rating:</th>
<td>moderate</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1095184">bsc#1095184</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1118897">bsc#1118897</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1118898">bsc#1118898</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1118899">bsc#1118899</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1121850">bsc#1121850</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1174951">bsc#1174951</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1181400">bsc#1181400</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1183703">bsc#1183703</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1199031">bsc#1199031</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1208270">bsc#1208270</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1208297">bsc#1208297</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1210138">bsc#1210138</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1213229">bsc#1213229</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1217070">bsc#1217070</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1217950">bsc#1217950</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1218150">bsc#1218150</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>
Cross-References:
</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2018-16873.html">CVE-2018-16873</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2018-16874.html">CVE-2018-16874</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2018-16875.html">CVE-2018-16875</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2018-16886.html">CVE-2018-16886</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2020-15106.html">CVE-2020-15106</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2020-15112.html">CVE-2020-15112</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2021-28235.html">CVE-2021-28235</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2022-41723.html">CVE-2022-41723</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2023-29406.html">CVE-2023-29406</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2023-47108.html">CVE-2023-47108</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2023-48795.html">CVE-2023-48795</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">
<li class="list-group-item">
<span class="cvss-reference">CVE-2018-16873</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2018-16873</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">8.1</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2018-16873</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">8.1</span>
<span class="cvss-vector">CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2018-16874</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">6.8</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2018-16874</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">8.1</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2018-16874</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">8.1</span>
<span class="cvss-vector">CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2018-16875</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">5.9</span>
<span class="cvss-vector">CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2018-16875</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2018-16886</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">6.8</span>
<span class="cvss-vector">CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2018-16886</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">8.1</span>
<span class="cvss-vector">CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2020-15106</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">5.3</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2020-15106</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">6.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2020-15112</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">5.3</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2020-15112</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">6.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2021-28235</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">8.1</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2021-28235</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">9.8</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2022-41723</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2022-41723</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2023-29406</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">4.8</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2023-29406</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">6.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2023-47108</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2023-47108</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2023-48795</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">5.9</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2023-48795</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">5.9</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N</span>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">openSUSE Leap 15.5</li>
<li class="list-group-item">openSUSE Leap 15.6</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that solves 11 vulnerabilities and has five security fixes can now be installed.</p>
<h2>Description:</h2>
<p>This update for etcd fixes the following issues:</p>
<p>Update to version 3.5.12:</p>
<p>Security fixes:</p>
<ul>
<li>CVE-2018-16873: Fixed remote command execution in cmd/go (bsc#1118897)</li>
<li>CVE-2018-16874: Fixed directory traversal in cmd/go (bsc#1118898)</li>
<li>CVE-2018-16875: Fixed CPU denial of service in crypto/x509 (bsc#1118899)</li>
<li>CVE-2018-16886: Fixed improper authentication issue when RBAC and client-cert-auth is enabled (bsc#1121850)</li>
<li>CVE-2020-15106: Fixed panic in decodeRecord method (bsc#1174951)</li>
<li>CVE-2020-15112: Fixed improper checks in entry index (bsc#1174951)</li>
<li>CVE-2021-28235: Fixed information discosure via debug function (bsc#1210138)</li>
<li>CVE-2022-41723: Fixed quadratic complexity in HPACK decoding in net/http (bsc#1208270, bsc#1208297)</li>
<li>CVE-2023-29406: Fixed insufficient sanitization of Host header in go net/http (bsc#1213229)</li>
<li>CVE-2023-47108: Fixed DoS vulnerability in otelgrpc (bsc#1217070)</li>
<li>CVE-2023-48795: Fixed prefix truncation breaking ssh channel integrity (aka Terrapin Attack) in crypto/ssh (bsc#1217950, bsc#1218150)</li>
</ul>
<p>Other changes:</p>
<ul>
<li>Added hardening to systemd service(s) (bsc#1181400)</li>
<li>Fixed static /tmp file issue (bsc#1199031)</li>
<li>Fixed systemd service not starting (bsc#1183703)</li>
</ul>
<p>Full changelog:</p>
<p>https://github.com/etcd-io/etcd/compare/v3.3.1...v3.5.12</p>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
openSUSE Leap 15.5
<br/>
<code>zypper in -t patch openSUSE-SLE-15.5-2024-3656=1</code>
</li>
<li class="list-group-item">
openSUSE Leap 15.6
<br/>
<code>zypper in -t patch openSUSE-SLE-15.6-2024-3656=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
<ul>
<li>etcdctl-3.5.12-150000.7.6.1</li>
<li>etcd-3.5.12-150000.7.6.1</li>
</ul>
</li>
<li>
openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64)
<ul>
<li>etcdctl-3.5.12-150000.7.6.1</li>
<li>etcd-3.5.12-150000.7.6.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://www.suse.com/security/cve/CVE-2018-16873.html">https://www.suse.com/security/cve/CVE-2018-16873.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2018-16874.html">https://www.suse.com/security/cve/CVE-2018-16874.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2018-16875.html">https://www.suse.com/security/cve/CVE-2018-16875.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2018-16886.html">https://www.suse.com/security/cve/CVE-2018-16886.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2020-15106.html">https://www.suse.com/security/cve/CVE-2020-15106.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2020-15112.html">https://www.suse.com/security/cve/CVE-2020-15112.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2021-28235.html">https://www.suse.com/security/cve/CVE-2021-28235.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2022-41723.html">https://www.suse.com/security/cve/CVE-2022-41723.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2023-29406.html">https://www.suse.com/security/cve/CVE-2023-29406.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2023-47108.html">https://www.suse.com/security/cve/CVE-2023-47108.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2023-48795.html">https://www.suse.com/security/cve/CVE-2023-48795.html</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1095184">https://bugzilla.suse.com/show_bug.cgi?id=1095184</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1118897">https://bugzilla.suse.com/show_bug.cgi?id=1118897</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1118898">https://bugzilla.suse.com/show_bug.cgi?id=1118898</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1118899">https://bugzilla.suse.com/show_bug.cgi?id=1118899</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1121850">https://bugzilla.suse.com/show_bug.cgi?id=1121850</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1174951">https://bugzilla.suse.com/show_bug.cgi?id=1174951</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1181400">https://bugzilla.suse.com/show_bug.cgi?id=1181400</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1183703">https://bugzilla.suse.com/show_bug.cgi?id=1183703</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1199031">https://bugzilla.suse.com/show_bug.cgi?id=1199031</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1208270">https://bugzilla.suse.com/show_bug.cgi?id=1208270</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1208297">https://bugzilla.suse.com/show_bug.cgi?id=1208297</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1210138">https://bugzilla.suse.com/show_bug.cgi?id=1210138</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1213229">https://bugzilla.suse.com/show_bug.cgi?id=1213229</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1217070">https://bugzilla.suse.com/show_bug.cgi?id=1217070</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1217950">https://bugzilla.suse.com/show_bug.cgi?id=1217950</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1218150">https://bugzilla.suse.com/show_bug.cgi?id=1218150</a>
</li>
</ul>
</div>