Security update for netatalk SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2018:4214-1 Final 1 1 2018-12-21T05:45:58Z current 2018-12-21T05:45:58Z 2018-12-21T05:45:58Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for netatalk This update for netatalk fixes the following issues: Security issue fixed: - CVE-2018-1160 Fixed a missing bounds check in the handling of the DSI OPEN SESSION request, which allowed an unauthenticated to overwrite memory with data of their choice leading for arbitrary code execution with root privileges. (bsc#1119540) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). sdksp4-netatalk-13915 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2018/suse-su-20184214-1/ Link for SUSE-SU-2018:4214-1 https://lists.suse.com/pipermail/sle-security-updates/2018-December/004994.html E-Mail link for SUSE-SU-2018:4214-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1119540 SUSE Bug 1119540 https://www.suse.com/security/cve/CVE-2018-1160/ SUSE CVE CVE-2018-1160 page SUSE Linux Enterprise Software Development Kit 11 SP4 netatalk-2.0.3-249.23.3.1 netatalk-devel-2.0.3-249.23.3.1 netatalk-2.0.3-249.23.3.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 netatalk-devel-2.0.3-249.23.3.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 Netatalk before 3.1.12 is vulnerable to an out of bounds write in dsi_opensess.c. This is due to lack of bounds checking on attacker controlled data. A remote unauthenticated attacker can leverage this vulnerability to achieve arbitrary code execution. CVE-2018-1160 SUSE Linux Enterprise Software Development Kit 11 SP4:netatalk-2.0.3-249.23.3.1 SUSE Linux Enterprise Software Development Kit 11 SP4:netatalk-devel-2.0.3-249.23.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20184214-1/ https://www.suse.com/security/cve/CVE-2018-1160.html CVE-2018-1160 https://bugzilla.suse.com/1119540 SUSE Bug 1119540