Security update for EternalTerminal SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2023:0041-1 Final 1 1 2023-02-08T02:02:05Z current 2023-02-08T02:02:05Z 2023-02-08T02:02:05Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for EternalTerminal This update for EternalTerminal fixes the following issues: EternalTerminal was updated to 6.2.4: * CVE-2022-48257, CVE-2022-48258 remedied * fix readme regarding port forwarding #522 * Fix test failures that started appearing in CI #526 * Add documentation for the EternalTerminal protocol #523 * ssh-et: apply upstream updates #527 * docs: write gpg key to trusted.gpg.d for APT #530 * Support for ipv6 addresses (with or without port specified) #536 * ipv6 abbreviated address support #539 * Fix launchd plist config to remove daemonization. #540 * Explicitly set verbosity from cxxopts value. #542 * Remove daemon flag in systemd config #549 * Format all source with clang-format. #552 * Fix tunnel parsing exception handling. #550 * Fix SIGTERM behavior that causes systemd control of etserver to timeout. #554 * Parse telemetry ini config as boolean and make telemetry opt-in. #553 * Logfile open mode and permission plus location configurability. #556 - boo#1207123 (CVE-2022-48257) Fix predictable logfile names in /tmp - boo#1207124 (CVE-2022-48258) Fix etserver and etclient have world-readable logfiles - Note: Upstream released 6.2.2 with fixes then 6.2.4 and later removed 6.2.2 and redid 6.2.4 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2023-41 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/T2VTENKRMSWIB6OVIPA263AB3ABXCRJT/ E-Mail link for openSUSE-SU-2023:0041-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1207123 SUSE Bug 1207123 https://bugzilla.suse.com/1207124 SUSE Bug 1207124 https://www.suse.com/security/cve/CVE-2022-48257/ SUSE CVE CVE-2022-48257 page https://www.suse.com/security/cve/CVE-2022-48258/ SUSE CVE CVE-2022-48258 page SUSE Package Hub 15 SP4 openSUSE Leap 15.4 EternalTerminal-6.2.4-bp154.2.6.1 EternalTerminal-6.2.4-bp154.2.6.1 as a component of SUSE Package Hub 15 SP4 EternalTerminal-6.2.4-bp154.2.6.1 as a component of openSUSE Leap 15.4 In Eternal Terminal 6.2.1, etserver and etclient have predictable logfile names in /tmp. CVE-2022-48257 SUSE Package Hub 15 SP4:EternalTerminal-6.2.4-bp154.2.6.1 openSUSE Leap 15.4:EternalTerminal-6.2.4-bp154.2.6.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/T2VTENKRMSWIB6OVIPA263AB3ABXCRJT/ https://www.suse.com/security/cve/CVE-2022-48257.html CVE-2022-48257 https://bugzilla.suse.com/1207123 SUSE Bug 1207123 In Eternal Terminal 6.2.1, etserver and etclient have world-readable logfiles. CVE-2022-48258 SUSE Package Hub 15 SP4:EternalTerminal-6.2.4-bp154.2.6.1 openSUSE Leap 15.4:EternalTerminal-6.2.4-bp154.2.6.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/T2VTENKRMSWIB6OVIPA263AB3ABXCRJT/ https://www.suse.com/security/cve/CVE-2022-48258.html CVE-2022-48258 https://bugzilla.suse.com/1207124 SUSE Bug 1207124