Security update for openwsman SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:1217-1 Final 1 1 2019-04-16T15:16:37Z current 2019-04-16T15:16:37Z 2019-04-16T15:16:37Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for openwsman This update for openwsman fixes the following issues: Security issues fixed: - CVE-2019-3816: Fixed a vulnerability in openwsmand deamon which could lead to arbitary file disclosure (bsc#1122623). - CVE-2019-3833: Fixed a vulnerability in process_connection() which could allow an attacker to trigger an infinite loop which leads to Denial of Service (bsc#1122623). Other issues addressed: - Directory listing without authentication fixed (bsc#1092206). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2019-04/msg00065.html E-Mail link for openSUSE-SU-2019:1217-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.3 libwsman-devel-2.6.7-4.3.1 libwsman3-2.6.7-4.3.1 libwsman_clientpp-devel-2.6.7-4.3.1 libwsman_clientpp1-2.6.7-4.3.1 openwsman-2.6.7-4.3.1 openwsman-java-2.6.7-4.3.1 openwsman-perl-2.6.7-4.3.1 openwsman-python-2.6.7-4.3.1 openwsman-ruby-2.6.7-4.3.1 openwsman-ruby-docs-2.6.7-4.3.1 openwsman-server-2.6.7-4.3.1 openwsman-server-plugin-ruby-2.6.7-4.3.1 winrs-2.6.7-4.3.1 libwsman-devel-2.6.7-4.3.1 as a component of openSUSE Leap 42.3 libwsman3-2.6.7-4.3.1 as a component of openSUSE Leap 42.3 libwsman_clientpp-devel-2.6.7-4.3.1 as a component of openSUSE Leap 42.3 libwsman_clientpp1-2.6.7-4.3.1 as a component of openSUSE Leap 42.3 openwsman-2.6.7-4.3.1 as a component of openSUSE Leap 42.3 openwsman-java-2.6.7-4.3.1 as a component of openSUSE Leap 42.3 openwsman-perl-2.6.7-4.3.1 as a component of openSUSE Leap 42.3 openwsman-python-2.6.7-4.3.1 as a component of openSUSE Leap 42.3 openwsman-ruby-2.6.7-4.3.1 as a component of openSUSE Leap 42.3 openwsman-ruby-docs-2.6.7-4.3.1 as a component of openSUSE Leap 42.3 openwsman-server-2.6.7-4.3.1 as a component of openSUSE Leap 42.3 openwsman-server-plugin-ruby-2.6.7-4.3.1 as a component of openSUSE Leap 42.3 winrs-2.6.7-4.3.1 as a component of openSUSE Leap 42.3 Openwsman, versions up to and including 2.6.9, are vulnerable to arbitrary file disclosure because the working directory of openwsmand daemon was set to root directory. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted HTTP request to openwsman server. CVE-2019-3816 openSUSE Leap 42.3:libwsman-devel-2.6.7-4.3.1 openSUSE Leap 42.3:libwsman3-2.6.7-4.3.1 openSUSE Leap 42.3:libwsman_clientpp-devel-2.6.7-4.3.1 openSUSE Leap 42.3:libwsman_clientpp1-2.6.7-4.3.1 openSUSE Leap 42.3:openwsman-2.6.7-4.3.1 openSUSE Leap 42.3:openwsman-java-2.6.7-4.3.1 openSUSE Leap 42.3:openwsman-perl-2.6.7-4.3.1 openSUSE Leap 42.3:openwsman-python-2.6.7-4.3.1 openSUSE Leap 42.3:openwsman-ruby-2.6.7-4.3.1 openSUSE Leap 42.3:openwsman-ruby-docs-2.6.7-4.3.1 openSUSE Leap 42.3:openwsman-server-2.6.7-4.3.1 openSUSE Leap 42.3:openwsman-server-plugin-ruby-2.6.7-4.3.1 openSUSE Leap 42.3:winrs-2.6.7-4.3.1 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2019-04/msg00065.html https://www.suse.com/security/cve/CVE-2019-3816.html CVE-2019-3816 https://bugzilla.suse.com/1122623 SUSE Bug 1122623 Openwsman, versions up to and including 2.6.9, are vulnerable to infinite loop in process_connection() when parsing specially crafted HTTP requests. A remote, unauthenticated attacker can exploit this vulnerability by sending malicious HTTP request to cause denial of service to openwsman server. CVE-2019-3833 openSUSE Leap 42.3:libwsman-devel-2.6.7-4.3.1 openSUSE Leap 42.3:libwsman3-2.6.7-4.3.1 openSUSE Leap 42.3:libwsman_clientpp-devel-2.6.7-4.3.1 openSUSE Leap 42.3:libwsman_clientpp1-2.6.7-4.3.1 openSUSE Leap 42.3:openwsman-2.6.7-4.3.1 openSUSE Leap 42.3:openwsman-java-2.6.7-4.3.1 openSUSE Leap 42.3:openwsman-perl-2.6.7-4.3.1 openSUSE Leap 42.3:openwsman-python-2.6.7-4.3.1 openSUSE Leap 42.3:openwsman-ruby-2.6.7-4.3.1 openSUSE Leap 42.3:openwsman-ruby-docs-2.6.7-4.3.1 openSUSE Leap 42.3:openwsman-server-2.6.7-4.3.1 openSUSE Leap 42.3:openwsman-server-plugin-ruby-2.6.7-4.3.1 openSUSE Leap 42.3:winrs-2.6.7-4.3.1 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2019-04/msg00065.html https://www.suse.com/security/cve/CVE-2019-3833.html CVE-2019-3833 https://bugzilla.suse.com/1122623 SUSE Bug 1122623